[ python-Bugs-1088891 ] _sre.c references uninitialised memory

[SourceForge.net]

Bugs item #1088891, was opened at 2004-12-21 08:10
Message generated for change (Comment added) made by niemeyer
You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1088891&group_id=5470

Category: Regular Expressions
Group: Python 2.4
>Status: Closed
>Resolution: Fixed
Priority: 7
Submitted By: Andrew McNamara (andrewmcnamara)
Assigned to: Gustavo Niemeyer (niemeyer)
Summary: _sre.c references uninitialised memory

Initial Comment:
In _sre.c, data_stack_grow(), realloc'ed memory is not initialised 
before use. When complex regexps are used, this results in a core 
dump.

Initialising the newly allocated memory to 0x55 and executing an 
offending regexp results in a fatal reference to an address like 
0x55555558:

static int
data_stack_grow(SRE_STATE* state, int size)
{
    int minsize, cursize;
    minsize = state->data_stack_base+size;
    cursize = state->data_stack_size;
    if (cursize < minsize) {
        void* stack;
        cursize = minsize+minsize/4+1024;
        TRACE(("allocate/grow stack %d\n", cursize));
        stack = realloc(state->data_stack, cursize);
        if (!stack) {
            data_stack_dealloc(state);
            return SRE_ERROR_MEMORY;
        }
        memset(stack+state->data_stack_size, 0x55, cursize-state-
>data_stack_size);
        state->data_stack = stack;
        state->data_stack_size = cursize;
    }
    return 0;
}


----------------------------------------------------------------------

>Comment By: Gustavo Niemeyer (niemeyer)
Date: 2004-12-21 12:37

Message:
Logged In: YES 
user_id=7887

The real problem is not initializing realloced memory, but acknowledging 
memory reallocation in situations where data may be reallocated outside 
of the main matching function. 
 
Please, have a look at the bug at http://python.org/sf/1072259 for more 
information and for a patch fixing the problem. 
 
Thanks for reporting it! 
 

----------------------------------------------------------------------

You can respond by visiting: 
https://sourceforge.net/tracker/?func=detail&atid=105470&aid=1088891&group_id=5470
_______________________________________________
Python-bugs-list mailing list 
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com