Discussion forum about ELOG
Message ID: 1072     Entry time: Mon Apr 11 13:52:29 2005     Reply to this: 1075
Icon: Warning  Author: Heiko Scheit  Author Email: h.scheit@mpi-hd.mpg.de 
Category: Bug fix  OS: Linux  ELOG Version: 2.5.7-1 
Subject: Segmentation fault when searching for empty regex 
Segmentation fault when searching for empty regex
--------------------------------------------------

Searching for a regex like 'm*', which also includes zero 'm's, an empty
expression is found indefinitely in 'highlight_searchtext(...)', which 
eventually results in an overflow of 'pt1'.  The patch below fixes this
particular problem, but I would guess there are many other regular 
expressions that would lead to an overflow of 'pt1', so its size
should definitely be checked before every 'strcpy(pt1,...)' and
the loop be aborted accordingly.  (Or 'pt1' should be allocated 
and enlarged dynamically.)

*** 14777,14782 ****
--- 14777,14784 ----
        if (status != REG_NOMATCH) {
           size = pmatch[0].rm_so;
  
+        if (size == 0) break; /* check for zero size -> infinite loop */
+ 
           /* copy first part original text */
           memcpy(pt1, pt, size);
           pt1 += size;
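Review bot: 'if (size == 0) break;' tests 'size', which the line above sets to 'pmatch[0].rm_so', the offset where the match starts, not the length of the match. A non-empty match that begins exactly at 'pt' also has 'rm_so == 0', so this leaves the loop without highlighting it or anything after it. Testing for an empty match ('pmatch[0].rm_eo == pmatch[0].rm_so') and stepping one character forward instead of breaking would stop the endless loop while still highlighting later matches. The 'memcpy(pt1, pt, size)' that follows is also an unchecked write into 'pt1' and needs the same bound as the 'strcpy' calls flagged further down.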
***************
*** 14788,14795 ****
--- 14790,14799 ----
           /* see also rsputs2(char* ) */
  
           if (hidden)
+          /* need to check size of pt1 !!! */
              strcpy(pt1,
"\001B\004style=\003color:black;background-color:#ffff66\003\002");
           else
+          /* need to check size of pt1 !!! */
              strcpy(pt1, "<B style=\"color:black;background-color:#ffff66\">");
  
           pt1 += strlen(pt1);
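Review bot: The two '/* need to check size of pt1 !!! */' comments flag the unbounded 'strcpy(pt1, ...)' calls but add no check, so the overflow of 'pt1' stays reachable with this patch applied. The remaining space has to be known at this point (the buffer size is not visible in this hunk, so it probably has to be passed in), compared against the tag length before each copy, and the loop left when the tag does not fit. Placing the comment between 'if (hidden)' and its unbraced body also makes the branch easy to misread; braces or a comment above the 'if' would be clearer.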
***************
*** 14802,14814 ****
--- 14806,14821 ----
  
           /* add coloring 2nd part */
           if (hidden)
+          /* need to check size of pt1 !!! */
              strcpy(pt1, "\001/B\002");
           else
+          /* need to check size of pt1 !!! */
              strcpy(pt1, "</B>");
           pt1 += strlen(pt1);
        }
     } while (status != REG_NOMATCH);
  
+    /* need to check size of pt1 !!! */
     strcpy(pt1, pt);
  }
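Review bot: The final 'strcpy(pt1, pt)' copies the whole unmatched remainder of the text, so it is the largest unchecked write in the function, and it is also the statement reached after the new 'break' from the first hunk; a comment alone does not bound it. Replace it with a copy limited to the space left in 'pt1' that always NUL-terminates, and decide whether truncation is acceptable or should be reported to the caller. The same applies to the two closing-tag 'strcpy' calls inside the loop in this hunk.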
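The two points raised in the post (an empty match must not stall the loop, and every write to the output must be bounded) can be seen together in the following added example, which is not part of the original post and not ELOG's code. The names 'highlight', 'put' and 'cap' are hypothetical, and compiling the pattern with POSIX 'regcomp' and 'REG_EXTENDED' is an assumption.

```c
#include <regex.h>
#include <string.h>

/* Append n bytes of src at out[*pos]; refuse if they plus the NUL do not fit. */
static int put(char *out, size_t cap, size_t *pos, const char *src, size_t n)
{
   if (n >= cap - *pos)
      return -1;
   memcpy(out + *pos, src, n);
   *pos += n;
   out[*pos] = '\0';
   return 0;
}

/* Hypothetical helper: wrap each non-empty match of pattern in text with the
   highlight tag. Returns the output length, or -1 on a bad pattern or when
   out (cap bytes) is too small. */
int highlight(const char *text, const char *pattern, char *out, size_t cap)
{
   static const char tag_on[] = "<B style=\"color:black;background-color:#ffff66\">";
   static const char tag_off[] = "</B>";
   regex_t re;
   regmatch_t m[1];
   const char *pt = text;
   size_t pos = 0;
   int rc = 0;

   if (cap == 0 || regcomp(&re, pattern, REG_EXTENDED) != 0)
      return -1;
   out[0] = '\0';
   while (rc == 0 && *pt && regexec(&re, pt, 1, m, pt == text ? 0 : REG_NOTBOL) == 0) {
      size_t so = (size_t) m[0].rm_so, len = (size_t) (m[0].rm_eo - m[0].rm_so);

      if (len == 0) {            /* empty match, e.g. 'm*' where there is no 'm' */
         if (pt[so] == '\0')
            break;               /* empty match at end of text: nothing left to scan */
         rc = put(out, cap, &pos, pt, so + 1);   /* copy through one byte to advance */
         pt += so + 1;
         continue;
      }
      if (put(out, cap, &pos, pt, so) || put(out, cap, &pos, tag_on, sizeof(tag_on) - 1)
          || put(out, cap, &pos, pt + so, len) || put(out, cap, &pos, tag_off, sizeof(tag_off) - 1))
         rc = -1;
      pt += so + len;
   }
   if (rc == 0)
      rc = put(out, cap, &pos, pt, strlen(pt));   /* bounded copy of the tail */
   regfree(&re);
   return rc == 0 ? (int) pos : -1;
}
```

On failure the output buffer holds a NUL-terminated partial result, so the caller should check the return value before using it.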