#5223 A regular expression with > 32k "colors" causes a segfault

Milestone: current: 8.5.14
Status: closed-fixed
Priority: 8
Updated: 2013-04-08
Created: 2013-04-04
Private: No

If a regular expression is parsed into more than 32k colors, you get a crash. I initially spotted this in PostgreSQL (http://www.postgresql.org/message-id/515C46A0.3090002@vmware.com), but TCL shares the same code and thus has the same bug.

Attached is a TCL test script to reproduce this.

Here's a link to the PostgreSQL commit that fixed this: http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=bf2b0a147857f63daa2e5c17eed0169861371af8. It should apply to TCL sources with minimal changes.

Discussion

  • Heikki Linnakangas

    Script to reproduce the segfault

     
  • Don Porter

    Don Porter - 2013-04-04

    What encoding is that demo file in? It appears mangled.

     
  • Don Porter

    Don Porter - 2013-04-04
    • assigned_to: pvgoran --> dgp
     
  • Don Porter

    Don Porter - 2013-04-04
    • priority: 5 --> 8
     
  • Don Porter

    Don Porter - 2013-04-04

    It appears the segfault is avoided in Tcl 8.6, probably due to the DUP_TRAVERSE_MAX_DEPTH limits imposed there.

    I see the segfault in Tcl 8.5, though.

    A tidier demo convertible to a test case would be welcome. I will get to it eventually.

     
  • Don Porter

    Don Porter - 2013-04-04

    Simpler demo:

    # Build a pattern of roughly 35000 distinct literal characters (code
    # points 100 through 35000); each distinct character gets its own
    # color when the regular expression is compiled, which exceeds 32k.
    set e {}
    set cp 99
    while {$cp < 35000} {
        append e [format %c [incr cp]]
    }
    # Compiling the pattern is enough to trigger the crash; -about only
    # reports on the compiled expression and needs no subject string.
    regexp -about $e

     
  • Don Porter

    Don Porter - 2013-04-08

    Branch bug-3610026 contains the test and the (slightly adapted) patch.

    It's good to stop the crash. The only significant problem with this patch is that the test requires 10s of seconds to run, at least on my machine. I'd like opinions on whether we should constrain it to not run on every make test for that reason.

     
  • Don Porter

    Don Porter - 2013-04-08
    • assigned_to: dgp --> dkf
     
  • Donal K. Fellows

    It takes 5-6 seconds on this rather elderly machine, which is acceptable. (Your system must be even older, and this machine's now old enough to be of school age!)

    I don't think the test is looking for the right result though. Either it's looking for a non-crash (in which case we ought to allow for success) or it should look for the specific new error message. I'm cool either way, but the current "gimme an error, any error" feels uncomfortable given that the rest of the file does lots of testing for specific errors.

     
  • Don Porter

    Don Porter - 2013-04-08

    Fix committed for Tcl 8.4.20.

     
  • Don Porter

    Don Porter - 2013-04-08
    • assigned_to: dkf --> dgp
     
  • Don Porter

    Don Porter - 2013-04-08
    • milestone: --> current: 8.5.14
    • status: open --> closed-fixed
     
  • Don Porter

    Don Porter - 2013-04-08

    and 8.5.15 and 8.6.1.
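
The following is an added example, not code from the Tcl project or from anyone in this thread. It turns Don Porter's demo into a tcltest file of the kind Donal K. Fellows asks for: a control case that must compile and match, and a pathological case that must fail with the specific error rather than with "any error", gated behind an opt-in constraint because of the run time Don raises. It assumes Tcl 8.5 or later with the tcltest package, and it assumes the error text "too many colors", which is taken from the PostgreSQL fix linked in the report rather than from this page; the proc name colorPattern, the constraint name slowRegexp and the TCL_SLOW_TESTS environment variable are my own.

```tcl
# Added example for Tcl bug #5223; not the Tcl project's own test.
# Assumes Tcl 8.5+ with tcltest 2. The expected error text is an
# assumption taken from the PostgreSQL fix (REG_ECOLORS, "too many
# colors"); adjust it if your build reports the condition differently.
package require tcltest 2
namespace import ::tcltest::*

# Build a pattern of n distinct literal characters starting at U+0100.
# Starting above ASCII keeps regex metacharacters (such as '|', which
# Don's demo includes at code point 124) out of the pattern, so it is a
# single branch that matches itself literally, while every character
# still gets its own color in the compiled colormap.
proc colorPattern {n} {
    set p {}
    for {set cp 0x100} {$cp < 0x100 + $n} {incr cp} {
        append p [format %c $cp]
    }
    return $p
}

# Opt in to the slow case explicitly: compiling the 35000-color pattern
# takes seconds to tens of seconds, as reported in the thread.
testConstraint slowRegexp [info exists ::env(TCL_SLOW_TESTS)]

test colors-1.1 {pattern well under the color limit compiles and matches} -body {
    set p [colorPattern 1000]
    regexp -- $p $p
} -cleanup {
    unset -nocomplain p
} -result 1

test colors-1.2 {more than 32k colors raises an error instead of crashing} -constraints {
    slowRegexp
} -body {
    # Compilation fails before any matching is attempted, so the subject
    # string is irrelevant.
    regexp -- [colorPattern 35000] x
} -returnCodes error -match glob -result {*too many colors*}

cleanupTests
```

Run it with `tclsh colors.test`; set `TCL_SLOW_TESTS=1` in the environment to include the pathological case. On a build without the fix, the second test does not fail but terminates the interpreter, which is the behaviour the report describes.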

     
