[llvm] [Support] Fix buffer overflow in regcomp (PR #76681)
via llvm-commits
llvm-commits at lists.llvm.org
Thu Jan 4 13:56:21 PST 2024
DavidKorczynski wrote:
This is the stacktrace:
```
#0 0x84d0f7 in findmust [llvm-project/llvm/lib/Support/regcomp.c:1629](https://github.com/llvm/llvm-project/blob/7e186d366d6c7def0543acc255931f617e76dff0/llvm/lib/Support/regcomp.c#L1629):9
#1 0x84d0f7 in llvm_regcomp [llvm-project/llvm/lib/Support/regcomp.c:371](https://github.com/llvm/llvm-project/blob/7e186d366d6c7def0543acc255931f617e76dff0/llvm/lib/Support/regcomp.c#L371):2
#2 0x7fb86b in llvm::Regex::Regex(llvm::StringRef, llvm::Regex::RegexFlags) [llvm-project/llvm/lib/Support/Regex.cpp:36](https://github.com/llvm/llvm-project/blob/7e186d366d6c7def0543acc255931f617e76dff0/llvm/lib/Support/Regex.cpp#L36):11
#3 0x57c5d2 in llvm::SpecialCaseList::Matcher::insert(llvm::StringRef, unsigned int, bool) [llvm-project/llvm/lib/Support/SpecialCaseList.cpp:45](https://github.com/llvm/llvm-project/blob/7e186d366d6c7def0543acc255931f617e76dff0/llvm/lib/Support/SpecialCaseList.cpp#L45):11
#4 0x581555 in llvm::SpecialCaseList::parse(llvm::MemoryBuffer const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) [llvm-project/llvm/lib/Support/SpecialCaseList.cpp:194](https://github.com/llvm/llvm-project/blob/7e186d366d6c7def0543acc255931f617e76dff0/llvm/lib/Support/SpecialCaseList.cpp#L194):26
#5 0x57fd73 in createInternal [llvm-project/llvm/lib/Support/SpecialCaseList.cpp:127](https://github.com/llvm/llvm-project/blob/7e186d366d6c7def0543acc255931f617e76dff0/llvm/lib/Support/SpecialCaseList.cpp#L127):8
#6 0x57fd73 in llvm::SpecialCaseList::create(llvm::MemoryBuffer const*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >&) [llvm-project/llvm/lib/Support/SpecialCaseList.cpp:93](https://github.com/llvm/llvm-project/blob/7e186d366d6c7def0543acc255931f617e76dff0/llvm/lib/Support/SpecialCaseList.cpp#L93):12
#7 0x56dc21 in LLVMFuzzerTestOneInput [llvm-project/llvm/tools/llvm-special-case-list-fuzzer/special-case-list-fuzzer.cpp:23](https://github.com/llvm/llvm-project/blob/7e186d366d6c7def0543acc255931f617e76dff0/llvm/tools/llvm-special-case-list-fuzzer/special-case-list-fuzzer.cpp#L23):3
```
In this sense it seems the pattern is defined here:
https://github.com/llvm/llvm-project/blob/7e186d366d6c7def0543acc255931f617e76dff0/llvm/lib/Support/SpecialCaseList.cpp#L185-L192C32
In ASCII, the input from the fuzzer looks as follows:
```
#!special-case-list-v1
:){0}( | )(\1
```
https://github.com/llvm/llvm-project/pull/76681