Hi,
On 5.11.2025 11.28, Roberto E. Vargas Caballero wrote:
> On Thu, Oct 23, 2025 at 03:28:06PM +0200, Frank Busse wrote:
>> Hi,
>>
>> again found by KLEE:
>>
>> ---
>> $ printf '\x00\x00\n\x00\x00\x00\x00\x00' > A
>> $ ./grep -xsf A
>> ERROR: AddressSanitizer: global-buffer-overflow
>> $ ./grep -wf A
>> ERROR: AddressSanitizer: global-buffer-overflow
>
> The following patch should solve these problems. While we were
> analyzing the problem it was discovered that the flag -x doesn't
> work well, but that is a different topic to be addressed in a different
> commit.
Even this change actually fixes issues with -x:
Before:
$ printf 'foo\nfoo$\n' | ./grep -x 'foo$'
foo$
After:
$ printf 'foo\nfoo$\n' | ./grep -x 'foo$'
foo
While the real issue of using 'strlen() + 1' with 'fmemopen()' is not
fixed, the use of 'strlen()' in addpattern ignores the (extra) string
terminator included by getline().
> /* a null BRE/ERE matches every line */
> - if (!Fflag)
> + if (!Fflag) {
> if (pattern[0] == '\0')
> - pattern = "^";
> + pattern = beg;
This is not needed; the problem always was a READ access due to a patlen
mismatch:
==1109644==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000004060a2 at pc 0x000000404354 bp 0x7ffcf6cd3f70 sp 0x7ffcf6cd3f68
READ of size 1 at 0x0000004060a2 thread T0
#0 0x404353 in addpattern /home/inz/Projects/sbase/grep.c:60
#1 0x404353 in addpatternfile /home/inz/Projects/sbase/grep.c:96
#2 0x402b2e in main /home/inz/Projects/sbase/grep.c:213
> + }
> + patlen = strlen(pattern);
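Review bot: `pattern = beg;` swaps the literal "^" for `beg`, which is not declared in the quoted lines, so whether the empty-pattern branch still yields a BRE/ERE that matches every line (as the comment above it promises) cannot be checked from this hunk; the part that actually addresses the out-of-bounds read is the trailing `patlen = strlen(pattern);`, which recomputes the length after the substitution so it can no longer disagree with the pattern that is later indexed. Suggest keeping that recompute after the block no matter what the empty-pattern branch ends up assigning.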
--
Cheers,
Santtu
Received on Wed Nov 05 2025 - 11:14:03 CET
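The strlen()/getline() length mismatch discussed in this thread, shown in a small stand-alone C program added here (this is not sbase's grep.c). The pattern-file bytes are copied from Frank's reproduction; read_patterns, patfile_mismatch_count and anchor_pattern are hypothetical loader/wrapper routines, not sbase's addpattern()/addpatternfile(). It shows why a pattern line that contains NUL bytes yields a strlen() of 0 while getline() reports the real byte count, and how a -x style wrapper that copies an explicit length never reads past the caller's buffer.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* getline(), fmemopen() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed copy of the pattern file bytes from the report:
 * line 1 is two NUL bytes, line 2 is five NUL bytes with no newline. */
static const char PATFILE[] = "\x00\x00\n\x00\x00\x00\x00\x00";
#define PATFILE_LEN (sizeof(PATFILE) - 1)

struct patline {
	size_t nbytes;  /* bytes delivered by getline(), trailing newline dropped */
	size_t slen;    /* what strlen() reports for the same buffer */
};

/* Hypothetical pattern-file loader (not sbase's addpatternfile()): reads
 * lines from an in-memory file and records both length views for each.
 * Returns the number of lines read (at most max). */
size_t read_patterns(const char *buf, size_t buflen, struct patline *out, size_t max)
{
	FILE *fp = fmemopen((void *)buf, buflen, "r");
	char *line = NULL;
	size_t cap = 0, n = 0;
	ssize_t got;

	if (fp == NULL)
		return 0;
	while (n < max && (got = getline(&line, &cap, fp)) != -1) {
		if (got > 0 && line[got - 1] == '\n')
			got--;
		out[n].nbytes = (size_t)got;
		out[n].slen = strlen(line);  /* stops at the first embedded NUL */
		n++;
	}
	free(line);
	fclose(fp);
	return n;
}

/* Number of lines in the report's file where strlen() and getline() disagree;
 * any code that indexes with one length but bounds with the other overreads. */
int patfile_mismatch_count(void)
{
	struct patline pl[8];
	size_t n = read_patterns(PATFILE, PATFILE_LEN, pl, 8);
	int bad = 0;
	for (size_t i = 0; i < n; i++)
		if (pl[i].slen != pl[i].nbytes)
			bad++;
	return bad;
}

/* Build a -x style "^pattern$" wrapper from an explicit byte length rather
 * than from strlen(), copying exactly patlen bytes so nothing beyond the
 * caller's buffer is read. Returns a malloc'd NUL-terminated buffer and,
 * if outlen is non-NULL, stores its length there. */
char *anchor_pattern(const char *pat, size_t patlen, size_t *outlen)
{
	char *w = malloc(patlen + 3);
	if (w == NULL)
		return NULL;
	w[0] = '^';
	memcpy(w + 1, pat, patlen);
	w[patlen + 1] = '$';
	w[patlen + 2] = '\0';
	if (outlen)
		*outlen = patlen + 2;
	return w;
}

int main(void)
{
	struct patline pl[8];
	size_t n = read_patterns(PATFILE, PATFILE_LEN, pl, 8);
	for (size_t i = 0; i < n; i++)
		printf("line %zu: getline=%zu strlen=%zu\n", i + 1, pl[i].nbytes, pl[i].slen);
	size_t len;
	char *w = anchor_pattern("foo$", 4, &len);
	printf("anchored: %s (%zu bytes)\n", w, len);
	free(w);
	return 0;
}
```

Both lines of the reproduction come back with strlen() == 0 while getline() reports 2 and 5 bytes; a loader that stores one of those numbers as patlen and then walks the buffer with the other is exactly the READ-of-size-1 past a global that ASan flagged. Carrying the getline() count through to the wrapper (or recomputing the length from the pattern actually used, as the patch does) keeps the two views consistent.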