
segvault with null terminated input #142

Closed
jcfp opened this issue May 11, 2016 · 3 comments

Comments

@jcfp
Contributor

commented May 11, 2016

hi,

a bug was reported in Debian about a segvault in re2c with null terminated input:

When re2c reads a file that contains '&' (ampersand) followed by a null byte, re2c crashes due to a heap over-read.

The following is the reproducible steps:
$ echo -ne "&\x00" > A
$ re2c A
Segmentation fault

I'm not sure if the ampersand is actually required, as it seems to segvault with other characters too as long as that null is at the end. The bug was reported against 0.13.5 but this reproduces with 0.16 too.

See the Debian bug report for more details.

@skvadrik skvadrik self-assigned this May 11, 2016

@skvadrik

Owner

commented May 11, 2016

Confirmed, thank you.

skvadrik added a commit that referenced this issue May 11, 2016

Fixed bug #142 "segvault with null terminated input"
Steps to reproduce:
    $ echo -ne "&\x00" > A
    $ re2c A
    Segmentation fault

Analysis: when re2c finds NULL in the input file, it checks for the
end of input; if indeed it has reached the end of input, it stops.
Otherwise, it's just some NULL byte in the middle of input; it should
be handled like any other character.

The first case (NULL as end of input) was handled correctly, but
in the second case (NULL in the middle of input) re2c crashed:
someone forgot to put an appropriate 'goto' statement, which caused
completely ad-hoc control flow in lexer.
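The control-flow point the commit message makes, shown on a toy sentinel-terminated scanner (an added illustration, not re2c's lexer and not the code changed in 54711f6): a NUL is end of input only when the cursor sits on the sentinel at `lim`; any earlier NUL is an ordinary byte and the scanner must jump back to the top instead of falling through.

```c
/* Added illustration (not re2c's own code): distinguishing "NUL as end of
 * input" from "NUL inside the input" in a sentinel-terminated scanner. */
#include <stdlib.h>
#include <string.h>

static int is_letter(char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

/* Scan 'len' bytes of 'data' and return the number of tokens found: a run of
 * letters is one token, any other single byte (NUL included) is one token.
 * Returns -1 if the working buffer cannot be allocated. */
int count_tokens(const char *data, size_t len)
{
    /* Copy into a buffer with one extra byte: the sentinel NUL lives at 'lim'. */
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return -1;
    memcpy(buf, data, len);
    buf[len] = '\0';

    const char *cur = buf;
    const char *lim = buf + len;
    int tokens = 0;

scan:
    if (*cur == '\0') {
        if (cur == lim) {          /* the sentinel: real end of input */
            free(buf);
            return tokens;
        }
        /* Embedded NUL in the middle of input: a one-byte token like any other.
         * Without this 'goto', control would fall through to the branches below,
         * advance 'cur' a second time and, when the NUL was the last real byte,
         * step past the sentinel into an over-read of the heap buffer. */
        cur++;
        tokens++;
        goto scan;
    }
    if (is_letter(*cur)) {
        while (is_letter(*cur))    /* the sentinel is not a letter, so this stops at lim */
            cur++;
        tokens++;
        goto scan;
    }
    cur++;                         /* any other byte, e.g. the '&' from the report */
    tokens++;
    goto scan;
}
```

With the report's input "&\x00" (two bytes) the scanner sees '&', then an embedded NUL, then the sentinel, and returns 2 instead of reading past the buffer.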
@skvadrik

Owner

commented May 11, 2016

Here is a fix: 54711f6 :)

Just a case of forgotten goto which remained unnoticed for years.

@jcfp

Contributor Author

commented May 12, 2016

👍 Sure enough that does the job. Thanks!

@jcfp jcfp closed this May 12, 2016

skvadrik added a commit that referenced this issue May 13, 2016
