Hi,
On 5.11.2025 11.28, Roberto E. Vargas Caballero wrote:
On Thu, Oct 23, 2025 at 03:28:06PM +0200, Frank Busse wrote:
Hi,
again found by KLEE:
---
$ printf '\x00\x00\n\x00\x00\x00\x00\x00' > A
$ ./grep -xsf A
ERROR: AddressSanitizer: global-buffer-overflow
$ ./grep -wf A
ERROR: AddressSanitizer: global-buffer-overflow
The following patch should solve these problems. While we were
analyzing the problem it was discovered that the flag -x doesn't
work well, but that is a different topic to be addressed in a different
commit.
Even this change actually fixes issues with -x:
Before:
$ printf 'foo\nfoo$\n' | ./grep -x 'foo$'
foo$
After:
$ printf 'foo\nfoo$\n' | ./grep -x 'foo$'
foo
While the real issue of using 'strlen() + 1' with 'fmemopen()' is not
fixed, the use of 'strlen()' in addpattern ignores the (extra) string
terminator included by getline().
/* a null BRE/ERE matches every line */
- if (!Fflag)
+ if (!Fflag) {
if (pattern[0] == '\0')
- pattern = "^";
+ pattern = beg;
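Review bot: `beg` is not defined anywhere in the quoted lines, so a reader cannot tell what the empty pattern is now replaced with; either show where `beg` is set or keep the `"^"` literal. The READ reported at grep.c:60 runs off the end of the replaced string because the stored length still describes the original pattern, so swapping the literal for `beg` changes nothing on its own; this line is not what fixes the report.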
This is not needed; the problem was always a READ access due to the patlen
mismatch:
==1109644==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000004060a2 at pc 0x000000404354 bp 0x7ffcf6cd3f70 sp 0x7ffcf6cd3f68
READ of size 1 at 0x0000004060a2 thread T0
#0 0x404353 in addpattern /home/inz/Projects/sbase/grep.c:60
#1 0x404353 in addpatternfile /home/inz/Projects/sbase/grep.c:96
#2 0x402b2e in main /home/inz/Projects/sbase/grep.c:213
+ }
+ patlen = strlen(pattern);
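Review bot: `patlen = strlen(pattern)` is the line that addresses the reported global-buffer-overflow, since the length now follows the pointer after the empty-pattern replacement; the commit message should say so rather than presenting the `beg` change as the fix. Two caveats: strlen() stops at the first NUL byte, so a pattern line with embedded NULs (the reported input `\x00\x00\n\x00\x00\x00\x00\x00` is exactly that) is silently truncated where the getline() length would not be; and the `strlen() + 1` passed to fmemopen() mentioned above is left as is, which the message should record as a known follow-up.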
--
Cheers,
Santtu
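The bug class in the report above, as an added example that is neither sbase's code nor from anyone in this thread: a length variable left stale after the pointer it describes is swapped for a shorter literal, shown beside the fixed shape where the length follows the pointer and the loader's length is kept for patterns containing NUL bytes. The `struct pattern`, the function names and the `^`/`$` wrapping are assumptions made for illustration; the wrapped string only demonstrates explicit-length copying, not sbase's actual -x semantics.

```c
/*
 * Added example, not sbase code. The struct, function names and the
 * '^'/'$' wrapping below are assumptions for illustration.
 */
#include <stdlib.h>
#include <string.h>

/* A pattern as a getline()-style loader hands it over: bytes plus an
 * explicit length, because the bytes may contain NULs (the reported
 * input '\x00\x00\n...' does). */
struct pattern {
    const char *s;
    size_t len;   /* bytes in s, not counting any terminator */
};

/*
 * Buggy shape: the empty-pattern special case swaps s for a one-byte
 * literal but leaves len alone. Anything that later walks len bytes of s
 * reads past the literal; that is the global-buffer-overflow ASan
 * flagged. Instead of performing that read, this returns how many bytes
 * past the literal a caller trusting len would read (0 means none).
 */
size_t stale_len_overread(struct pattern p)
{
    if (p.len == 0 || p.s[0] == '\0')   /* a null BRE/ERE matches every line */
        p.s = "^";
    /* p.len is deliberately not updated here: the bug */
    size_t real = strlen(p.s);
    return p.len > real ? p.len - real : 0;
}

/*
 * Fixed shape: the length follows the pointer. Only the literal's length
 * comes from strlen(); a pattern that was not replaced keeps the loader's
 * length, so embedded NULs are not truncated at the first one.
 */
void normalize_pattern(struct pattern *p)
{
    if (p->len == 0 || p->s[0] == '\0') {
        p->s = "^";
        p->len = strlen(p->s);
    }
}

/*
 * Whole-line style wrapping with explicit lengths (assumed shape, not
 * sbase's): returns a malloc'd buffer holding '^' + pattern bytes + '$'
 * and stores its length in *outlen. The buffer is also NUL-terminated for
 * callers that want a C string, but *outlen is the authoritative length.
 * Returns NULL on allocation failure.
 */
char *anchor_pattern(const struct pattern *p, size_t *outlen)
{
    char *buf = malloc(p->len + 3);   /* '^' + bytes + '$' + NUL */
    if (!buf)
        return NULL;
    buf[0] = '^';
    memcpy(buf + 1, p->s, p->len);    /* memcpy, not strcpy: NULs survive */
    buf[p->len + 1] = '$';
    buf[p->len + 2] = '\0';
    *outlen = p->len + 2;
    return buf;
}
```

The buggy variant reports the over-read count instead of performing the read so it can be exercised without tripping a sanitizer; in the real code the equivalent byte loop is what ASan caught. Keeping `len` next to `s` in one struct makes the invariant (len describes s) visible at every assignment, which is harder to see with two separate variables.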