| Summary: | Expr crashes on some specific patterns | ||
|---|---|---|---|
| Product: | Busybox | Reporter: | Jan Rouš <rousik> |
| Component: | Standard Compliance | Assignee: | unassigned |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | busybox-cvs |
| Priority: | P5 | ||
| Version: | 1.13.x | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Host: | Target: | ||
| Build: | |||
| Attachments: |
Patch
Patch to be applied to svn in a minute |
||
This is not enhancement. Created attachment 89 [details]
Patch to be applied to svn in a minute
I think you have it in slightly wrong place in your patch. I will do it this way.
fixed in revision 25507, thanks for pointing out where it happens! |
Created attachment 49 [details] Patch busybox expr crashes if non-matching \(..\)* block appears on the first position. Example: busybox expr match '' '\(x\)*' In that case regexec returns regmatch_t with only first entry filled and busybox tries (without checking) to read substring from re_regs[1]. But re_regs[1].rm_so == -1 235 /* expr uses an anchored pattern match, so check that there was a 236 * match and that the match starts at offset 0. */ 237 if (regexec(&re_buffer, sv->u.s, NMATCH, re_regs, 0) != REG_NOMATCH 238 && re_regs[0].rm_so == 0 239 ) { 240 /* Were \(...\) used? */ 241 if (re_buffer.re_nsub > 0) { 242 sv->u.s[re_regs[1].rm_eo] = '\0'; 243 v = str_value(sv->u.s + re_regs[1].rm_so); 244 } else { 245 v = int_value(re_regs[0].rm_eo); 246 } I suggest that adding && re_resg[1].rm_so != -1 should suffice to overcome this problem. Patch attached.