Issue1088891
Created on 2004-12-21 08:10 by andrewmcnamara, last changed 2004-12-21 12:37 by niemeyer.
Messages (2)

msg23787 - Author: Andrew McNamara (andrewmcnamara) - Date: 2004-12-21 08:10
In _sre.c, data_stack_grow(), realloc'ed memory is not initialised
before use. When complex regexps are used, this results in a core
dump.
Initialising the newly allocated memory to 0x55 and executing an
offending regexp results in a fatal reference to an address like
0x55555558:
```c
static int
data_stack_grow(SRE_STATE* state, int size)
{
    int minsize, cursize;
    minsize = state->data_stack_base+size;
    cursize = state->data_stack_size;
    if (cursize < minsize) {
        void* stack;
        cursize = minsize+minsize/4+1024;
        TRACE(("allocate/grow stack %d\n", cursize));
        stack = realloc(state->data_stack, cursize);
        if (!stack) {
            data_stack_dealloc(state);
            return SRE_ERROR_MEMORY;
        }
        /* Diagnostic only: poison the newly allocated tail so that any use
           of it before initialisation shows up as a fault at an address
           made of 0x55 bytes (e.g. 0x55555558). */
        memset((char*)stack + state->data_stack_size, 0x55,
               cursize - state->data_stack_size);
        state->data_stack = stack;
        state->data_stack_size = cursize;
    }
    return 0;
}
```
msg23788 - Author: Gustavo Niemeyer (niemeyer) - Date: 2004-12-21 12:37

The real problem is not initializing realloced memory, but acknowledging memory reallocation in situations where data may be reallocated outside of the main matching function. Please, have a look at the bug at http://python.org/sf/1072259 for more information and for a patch fixing the problem. Thanks for reporting it!
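The failure mode the two messages describe, as an added example that is neither CPython's _sre.c nor code from either poster: a minimal C model of a realloc-grown data stack, with the reporter's 0x55 poisoning of the fresh tail and the fix the reply points at, which is to keep offsets into the stack and re-derive any pointer after every call that may grow it. The DataStack type, the stack_grow/stack_push/stack_at/stack_free names, the MarkFrame frame and the push_many helper are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Model of a growable matcher data stack (constructed for this example, not
 * the SRE_STATE layout).  The buffer may move on any grow. */
typedef struct {
    char   *data;   /* heap buffer; realloc may relocate it */
    size_t  size;   /* bytes allocated */
    size_t  base;   /* bytes currently in use */
} DataStack;

/* Make room for `need` more bytes.  Returns -1 on allocation failure, 1 if
 * an existing buffer was relocated (every raw pointer into it now dangles),
 * 0 otherwise. */
int stack_grow(DataStack *st, size_t need)
{
    size_t minsize = st->base + need;
    if (st->size >= minsize)
        return 0;
    size_t newsize = minsize + minsize / 4 + 1024;  /* growth policy copied from the report */
    uintptr_t old = (uintptr_t)st->data;            /* remember the old address, never deref it */
    char *p = realloc(st->data, newsize);
    if (!p)
        return -1;
    /* realloc preserves [0, size); bytes above are indeterminate.  Poison them
     * the way the reporter did so a read before initialisation yields 0x55... */
    memset(p + st->size, 0x55, newsize - st->size);
    st->data = p;
    st->size = newsize;
    return old != 0 && (uintptr_t)p != old;
}

/* Reserve n bytes and return their OFFSET, not a pointer: an offset stays
 * valid across any later stack_grow().  Returns -1 on failure. */
long stack_push(DataStack *st, size_t n)
{
    if (stack_grow(st, n) < 0)
        return -1;
    size_t off = st->base;
    st->base += n;
    return (long)off;
}

/* Turn an offset back into a pointer.  Call this AFTER anything that may have
 * grown the stack, never hold the result across such a call. */
static void *stack_at(const DataStack *st, size_t off)
{
    return st->data + off;
}

void stack_free(DataStack *st)
{
    free(st->data);
    st->data = NULL;
    st->size = st->base = 0;
}

/* A frame the matcher saves before trying an alternative (assumed layout). */
typedef struct { int pattern_pos; int string_pos; } MarkFrame;

/* Stands in for a nested helper (a deep repeat, say) that pushes enough to
 * reallocate the stack underneath its caller. */
static int push_many(DataStack *st, size_t bytes)
{
    return stack_push(st, bytes) < 0 ? -1 : 0;
}

/* Returns 0 if a frame written before the nested growth reads back intact.
 * Keeping the first `f` and writing through it after push_many() would be the
 * dangling-pointer bug; re-deriving it from `off` is the fix. */
int run_scenario(void)
{
    DataStack st = {0};
    long off = stack_push(&st, sizeof(MarkFrame));
    if (off < 0)
        return -1;
    MarkFrame *f = stack_at(&st, (size_t)off);
    f->pattern_pos = 7;
    f->string_pos = 42;

    if (push_many(&st, (size_t)1 << 20) < 0) {  /* forces a reallocation */
        stack_free(&st);
        return -1;
    }

    f = stack_at(&st, (size_t)off);             /* re-derive, do not reuse */
    int ok = (f->pattern_pos == 7 && f->string_pos == 42);
    stack_free(&st);
    return ok ? 0 : 1;
}

/* Pushes one frame on a fresh stack and returns the first byte past it: the
 * poison makes it 0x55, so any consumer that reads it is using uninitialised
 * memory and will see 0x55-filled values, as in the report. */
int first_unused_byte(void)
{
    DataStack st = {0};
    if (stack_push(&st, sizeof(MarkFrame)) < 0)
        return -1;
    int b = ((unsigned char *)st.data)[st.base];
    stack_free(&st);
    return b;
}
```

The poisoning only makes the symptom deterministic; it does not fix anything. What fixes it is that nothing in this model stores a `char *` into the stack across a call that can grow it: stack_push hands out offsets, and stack_at is cheap enough to call again after every such call.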
History

| Date | User | Action | Args |
|---|---|---|---|
| 2004-12-21 08:10:54 | andrewmcnamara | create | |