Date: Fri, 20 Mar 2015 22:17:17 -0400
From: Rich Felker <dalias@...c.org>
To: Konstantin Serebryany <konstantin.s.serebryany@...il.com>,
	musl@...ts.openwall.com
Subject: Re: buffer overflow in regcomp and a way to find more of those

On Sat, Mar 21, 2015 at 03:10:18AM +0100, Szabolcs Nagy wrote:
> * Rich Felker <dalias@...c.org> [2015-03-20 21:30:16 -0400]:
> > > > int main() {
> > > >   regex_t preg;
> > > >   const char *s = ".****\\Z$<\\0)_";
> > 
> > Isn't the \0 an invalid backreference? Could it be getting processed
> > in a way that's causing the slowdown, but simply rejected by glibc?
> 
> ah, you were right, the \0 causes the slowdown here:
> it switches to the backtracking mode and there are
> many ways to backtrack on .****

Right. But \0 isn't even a valid backreference. It would refer to "the
whole match" which could never match as a backreference. Valid
backrefs are only the digits 1-9 though. \0 is not defined and should
probably be treated as a literal or a parse error.

Rich
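The point above, that \0 is not a defined back-reference and that \1..\9 only make sense once the referenced group has been closed, is easy to check before a pattern ever reaches the matcher. The following is an added example, not code from musl or from this thread: a small pattern walker that reports \0 and forward/undefined back-references, plus a main() that also hands the thread's pattern to the host libc's regcomp so you can see what that implementation does with it. The thread does not show which flags the original test passed to regcomp, so the `extended` argument (ERE with bare parentheses versus BRE with \( \)) is an assumption made here; the status names and the function itself are this example's own.

```c
/* Added example: check back-references in a POSIX pattern before compiling it.
 * Not musl code; the `extended` switch and BACKREF_* names are assumptions of
 * this example, since the thread does not show the regcomp flags used. */
#include <stddef.h>
#include <stdio.h>
#include <regex.h>

enum backref_status {
    BACKREF_OK = 0,
    BACKREF_ZERO,       /* \0: not defined by POSIX, "the whole match" cannot be a backref */
    BACKREF_UNDEFINED   /* \N where group N has not been closed yet (or does not exist) */
};

/* Walk `pat` and return the status of the first bad back-reference.
 * extended != 0: ERE syntax, groups are '(' ')'.  extended == 0: BRE, groups are \( \).
 * On a bad reference, *pos (if non-NULL) receives the offset of its backslash.
 * Groups are numbered by the order of their opening paren; only 1..9 can be referenced. */
int check_backrefs(const char *pat, int extended, size_t *pos)
{
    int stack[32];          /* numbers of currently open groups, innermost last */
    int sp = 0, overflow = 0;
    int next_group = 1;
    int closed[10] = {0};   /* closed[N] != 0 once group N has been fully closed */

    for (size_t i = 0; pat[i]; i++) {
        char c = pat[i];

        if (c == '[') {
            /* Bracket expression: a backslash is literal inside, skip it whole.
             * A ']' right after '[' or '[^' is a literal member, not the close. */
            i++;
            if (pat[i] == '^') i++;
            if (pat[i] == ']') i++;
            while (pat[i] && pat[i] != ']') i++;
            if (!pat[i]) break;             /* unterminated bracket: leave it to regcomp */
            continue;
        }

        int is_open  = extended ? c == '(' : 0;
        int is_close = extended ? c == ')' : 0;

        if (c == '\\') {
            char n = pat[i + 1];
            if (n == '\0') break;           /* trailing backslash: leave it to regcomp */
            if (n >= '0' && n <= '9') {
                if (pos) *pos = i;
                if (n == '0') return BACKREF_ZERO;
                if (!closed[n - '0']) return BACKREF_UNDEFINED;
                i++;                        /* consume the digit */
                continue;
            }
            is_open  = !extended && n == '(';
            is_close = !extended && n == ')';
            i++;                            /* consume the escaped character */
        }

        if (is_open) {
            int g = next_group++;
            if (sp < (int)(sizeof stack / sizeof stack[0])) stack[sp++] = g;
            else overflow++;                /* nested too deep to track; cannot be referenced anyway */
        } else if (is_close) {
            if (overflow) overflow--;
            else if (sp > 0) {
                int g = stack[--sp];
                if (g <= 9) closed[g] = 1;
            }
            /* an unmatched ')' is ignored here; regcomp decides what it means */
        }
    }
    return BACKREF_OK;
}

int main(void)
{
    const char *pat = ".****\\Z$<\\0)_";   /* the pattern from the thread */
    size_t pos = 0;
    int st = check_backrefs(pat, 0, &pos);
    printf("check_backrefs: status %d at offset %zu\n", st, pos);

    /* Show what the host libc's regcomp makes of the same pattern (BRE here). */
    regex_t re;
    int rc = regcomp(&re, pat, 0);
    if (rc) {
        char buf[128];
        regerror(rc, &re, buf, sizeof buf);
        printf("regcomp rejected it: %s\n", buf);
    } else {
        printf("regcomp accepted the pattern\n");
        regfree(&re);
    }
    return 0;
}
```

Running the checker first gives a libc-independent answer: the thread's pattern is reported as BACKREF_ZERO at offset 9, whatever the host regcomp then decides to do with it. The checker is deliberately conservative about everything that is not a back-reference (unmatched parentheses, trailing backslashes, unterminated brackets are passed through), so it can sit in front of regcomp without changing which otherwise-valid patterns reach it.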
