Package: libc6
Version: 2.19-15
Tags: security
Usertags: afl
The attached test program, which compiles an invalid regexp and then tries to match a string against it, triggers an assertion:
$ make CFLAGS=-Wall pop_fail_stack
cc -Wall pop_fail_stack.c -o pop_fail_stack
$ ./pop_fail_stack
pop_fail_stack: regexec.c:1401: pop_fail_stack: Assertion `num >= 0' failed.
Aborted

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
(available in Debian experimental)

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libc6 depends on:
ii  libgcc1  1:5-20150226-1

Versions of packages libc6 recommends:
ii  libc6-i686  2.19-15

Versions of packages libc6 suggests:
ii  debconf [debconf-2.0]  1.5.55
ii  glibc-doc              2.19-15
ii  locales                2.19-15

--
Jakub Wilk
/* pop_fail_stack.c: attached reproducer. glibc 2.19 accepts the
 * malformed pattern below, and matching against it then aborts in
 * pop_fail_stack() in regexec.c. */
#include <assert.h>
#include <regex.h>
#include <stdio.h>

int main(int argc, char **argv)
{
    int rc;
    regex_t preg;
    regmatch_t pmatch[2];

    /* The pattern has an unmatched ')' and a back-reference to group 1;
     * regcomp() should reject it but returns success on the affected version. */
    rc = regcomp(&preg, "()*)|\\1)*", REG_EXTENDED);
    assert(rc == 0);

    /* Matching the empty string triggers the `num >= 0' assertion. */
    regexec(&preg, "", 2, pmatch, 0);

    regfree(&preg);
    return 0;
}
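The reproducer above shows that a crafted pattern can abort the whole process inside regexec(), so any service that compiles patterns it receives from users has a denial-of-service exposure until libc is fixed. The following is an added example (mine, not part of the bug report or of glibc) of the containment a defender can apply in the meantime: run regcomp()/regexec() in a forked child so that an assertion abort kills only the child, and have the parent translate the wait status into a clean outcome. The function name sandboxed_regex and the outcome enum are my own; the patterns in main() are constructed for illustration, with the one from the report included so its result can be observed on a given libc without taking the caller down.

```c
#define _POSIX_C_SOURCE 200809L
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of trying an untrusted pattern in an isolated child process. */
enum regex_outcome {
    REGEX_MATCH,          /* pattern compiled and matched the subject */
    REGEX_NOMATCH,        /* pattern compiled but did not match */
    REGEX_COMPILE_ERROR,  /* regcomp() rejected the pattern cleanly */
    REGEX_CRASHED,        /* child died by a signal, e.g. SIGABRT from assert() */
    REGEX_FORK_FAILED     /* could not create the child at all */
};

/* Exit codes the child uses to report a clean result back to the parent. */
enum { CHILD_MATCH = 0, CHILD_NOMATCH = 1, CHILD_COMPILE_ERROR = 2 };

/* Compile and match in a child so that a libc abort cannot kill the caller. */
enum regex_outcome sandboxed_regex(const char *pattern, const char *subject)
{
    pid_t pid = fork();
    if (pid < 0)
        return REGEX_FORK_FAILED;

    if (pid == 0) {
        /* Child: everything here may abort; only the child dies. */
        regex_t preg;
        int rc = regcomp(&preg, pattern, REG_EXTENDED | REG_NOSUB);
        if (rc != 0)
            _exit(CHILD_COMPILE_ERROR);
        rc = regexec(&preg, subject, 0, NULL, 0);
        regfree(&preg);
        _exit(rc == 0 ? CHILD_MATCH : CHILD_NOMATCH);
    }

    /* Parent: classify how the child finished. */
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return REGEX_CRASHED;
    if (WIFSIGNALED(status))
        return REGEX_CRASHED;
    if (WIFEXITED(status)) {
        switch (WEXITSTATUS(status)) {
        case CHILD_MATCH:         return REGEX_MATCH;
        case CHILD_NOMATCH:       return REGEX_NOMATCH;
        case CHILD_COMPILE_ERROR: return REGEX_COMPILE_ERROR;
        }
    }
    return REGEX_CRASHED;  /* any other termination is treated as a failure */
}

const char *regex_outcome_name(enum regex_outcome o)
{
    static const char *names[] = {
        "match", "no match", "compile error", "crashed", "fork failed"
    };
    return names[o];
}

int main(void)
{
    /* Constructed sample inputs: two ordinary patterns, one malformed
     * pattern that regcomp() must reject, and the pattern from the report. */
    const char *cases[][2] = {
        { "a+",         "aaa" },
        { "^[0-9]+$",   "12x" },
        { "(",          "x"   },
        { "()*)|\\1)*", ""    },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        enum regex_outcome o = sandboxed_regex(cases[i][0], cases[i][1]);
        printf("pattern %-14s subject %-6s -> %s\n",
               cases[i][0], cases[i][1], regex_outcome_name(o));
    }
    return 0;
}
```

The child uses _exit() rather than exit() so that no stdio buffers inherited from the parent are flushed twice, and the parent treats a signalled child as REGEX_CRASHED, which is the condition worth alerting on: a pattern that was accepted by regcomp() and then aborted the matcher.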