Issue #12418 has been updated by Usaku NAKAMURA.

Backport changed from 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED to 2.1: REQUIRED, 2.2: DONE, 2.3: REQUIRED

ruby_2_2 r55355 merged revision(s) 55154.

----------------------------------------
Bug #12418: Regexp: Segfault due to Invalid Read in regerror.c : to_ascii()
https://bugs.ruby-lang.org/issues/12418#change-59116

* Author: David Moore
* Status: Closed
* Priority: Normal
* Assignee: 
* ruby -v: ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
* Backport: 2.1: REQUIRED, 2.2: DONE, 2.3: REQUIRED
----------------------------------------
A crafted regular expression will cause an invalid 4 byte read on 32-bit Ubuntu 14.04. The regular expression has several errors; this bug occurs during the process of creating the OnigErrorInfo structure and appears to be an encoding issue.

~~~
grajagandev# cat load-re.rb 
File.open(ARGV[0]) do |f|  
  @re = Regexp.new("/" + File.read(f) + "/")
end  
grajagandev# cat badread-to_ascii 
(0?0|(?(5)||)|(?(5)||))?
grajagandev# ruby -v
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]
grajagandev# uname -a
Linux x-Acer 3.19.0-25-generic #26~14.04.1-Ubuntu SMP Fri Jul 24 21:18:00 UTC 2015 i686 i686 i686 GNU/Linux
grajagandev# valgrind --max-stackframe=90000000 --track-origins=yes ruby load-re.rb badread-to_ascii 
==29929== Memcheck, a memory error detector
==29929== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==29929== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==29929== Command: ruby load-re.rb badread-to_ascii
==29929== 
==29929== Use of uninitialised value of size 4
==29929==    at 0x1B4A12: to_ascii (regerror.c:209)
==29929==    by 0x1B4C85: onig_error_code_to_str (regerror.c:282)
==29929==    by 0x1A0CCA: make_regexp (re.c:876)
==29929==    by 0x1A479D: rb_reg_initialize (re.c:2546)
==29929==    by 0x1A4905: rb_reg_initialize_str (re.c:2571)
==29929==    by 0x1A5BE3: rb_reg_initialize_m (re.c:3071)
==29929==    by 0x24315F: call_cfunc_m1 (vm_insnhelper.c:1459)
==29929==    by 0x25016A: vm_call0_cfunc_with_frame (vm_eval.c:131)
==29929==    by 0x25022A: vm_call0_cfunc (vm_eval.c:148)
==29929==    by 0x250382: vm_call0_body (vm_eval.c:186)
==29929==    by 0x25001B: vm_call0 (vm_eval.c:61)
==29929==    by 0x2509AD: rb_call0 (vm_eval.c:351)
==29929==  Uninitialised value was created by a stack allocation
==29929==    at 0x1A0C51: make_regexp (re.c:861)
==29929== 
==29929== Invalid read of size 4
==29929==    at 0x1B4A12: to_ascii (regerror.c:209)
==29929==    by 0x1B4C85: onig_error_code_to_str (regerror.c:282)
==29929==    by 0x1A0CCA: make_regexp (re.c:876)
==29929==    by 0x1A479D: rb_reg_initialize (re.c:2546)
==29929==    by 0x1A4905: rb_reg_initialize_str (re.c:2571)
==29929==    by 0x1A5BE3: rb_reg_initialize_m (re.c:3071)
==29929==    by 0x24315F: call_cfunc_m1 (vm_insnhelper.c:1459)
==29929==    by 0x25016A: vm_call0_cfunc_with_frame (vm_eval.c:131)
==29929==    by 0x25022A: vm_call0_cfunc (vm_eval.c:148)
==29929==    by 0x250382: vm_call0_body (vm_eval.c:186)
==29929==    by 0x25001B: vm_call0 (vm_eval.c:61)
==29929==    by 0x2509AD: rb_call0 (vm_eval.c:351)
==29929==  Address 0xe is not stack'd, malloc'd or (recently) free'd
==29929== 
load-re.rb:2: [BUG] Segmentation fault at 0x00000e
ruby 2.3.1p112 (2016-04-26 revision 54768) [i686-linux]

-- Control frame information -----------------------------------------------
c:0006 p:---- s:0017 e:000016 CFUNC  :initialize
c:0005 p:---- s:0015 e:000014 CFUNC  :new
c:0004 p:0036 s:0011 e:000010 BLOCK  load-re.rb:2 [FINISH]
c:0003 p:---- s:0008 e:000007 CFUNC  :open
c:0002 p:0024 s:0004 E:000c60 EVAL   load-re.rb:1 [FINISH]
c:0001 p:0000 s:0002 E:002708 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
load-re.rb:1:in `<main>'
load-re.rb:1:in `open'
load-re.rb:2:in `block in <main>'
load-re.rb:2:in `new'
load-re.rb:2:in `initialize'

-- Machine register context ------------------------------------------------
  GS: 0x0000000b  FS: 0x00000000  ES: 0x0000007b  DS: 0x0000007b EDI: 0xbee5a45c
 ESI: 0xbee5a27e EBP: 0xbee5a238 ESP: 0xbee5a210 EBX: 0x003ad000 EDX: 0x00000000
 ECX: 0x002a1dcb EAX: 0x00000002 TRA: 0x0000000e ERR: 0x00000004 EIP: 0x001b4a12
  CS: 0x00000073 EFL: 0x00000080 UES: 0x00000000  SS: 0x0000007b

-- C level backtrace information -------------------------------------------
/usr/local/bin/ruby(rb_print_backtrace+0x28) [0x25c05f] vm_dump.c:688
/usr/local/bin/ruby(rb_vm_bugreport+0xbf) [0x25c599] vm_dump.c:997
/usr/local/bin/ruby(rb_bug_context+0x7f) [0x2afe4c] error.c:435
/usr/local/bin/ruby(sigsegv+0x5c) [0x1d3bdc] signal.c:890
/lib/i386-linux-gnu/libpthread.so.0 [0x485f1e0]
/usr/local/bin/ruby(to_ascii+0x15) [0x1b4a12] regerror.c:209
/usr/local/bin/ruby(onig_error_code_to_str+0x93) [0x1b4c86] regerror.c:282
/usr/local/bin/ruby(make_regexp+0x82) [0x1a0ccb] re.c:876
/usr/local/bin/ruby(rb_reg_initialize+0x290) [0x1a479e] re.c:2546
/usr/local/bin/ruby(rb_reg_initialize_str+0xee) [0x1a4906] re.c:2571
/usr/local/bin/ruby(rb_reg_initialize_m+0x3c5) [0x1a5be4] re.c:3071
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call0_cfunc_with_frame+0x14d) [0x25016b] vm_eval.c:131
/usr/local/bin/ruby(vm_call0_cfunc+0x2d) [0x25022b] vm_eval.c:148
/usr/local/bin/ruby(vm_call0_body+0x156) [0x250383] vm_eval.c:186
/usr/local/bin/ruby(vm_call0+0x58) [0x25001c] vm_eval.c:61
/usr/local/bin/ruby(rb_call0+0xb5) [0x2509ae] vm_eval.c:351
/usr/local/bin/ruby(rb_call+0x4f) [0x25143f] vm_eval.c:637
/usr/local/bin/ruby(rb_funcallv+0x2e) [0x251ada] vm_eval.c:848
/usr/local/bin/ruby(rb_obj_call_init+0x43) [0x1236f0] eval.c:1307
/usr/local/bin/ruby(rb_class_new_instance+0x39) [0x17db0b] object.c:1856
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0x243b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0x243c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0x24482d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0x244ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0x2450a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1f46) [0x248098] insns.def:995
/usr/local/bin/ruby(vm_exec+0xd2) [0x257b8e] vm.c:1650
/usr/local/bin/ruby(invoke_block+0xbb) [0x255b66] vm.c:921
/usr/local/bin/ruby(invoke_block_from_c_0+0x1d8) [0x255ede] vm.c:971
/usr/local/bin/ruby(invoke_block_from_c_splattable+0x43) [0x255f83] vm.c:988
/usr/local/bin/ruby(vm_yield+0x4d) [0x2560bd] vm.c:1023
/usr/local/bin/ruby(rb_yield_0+0x2e) [0x251f10] vm_eval.c:1010
/usr/local/bin/ruby(rb_yield_1+0x19) [0x251f2f] vm_eval.c:1016
/usr/local/bin/ruby(rb_yield+0x2d) [0x251f5e] vm_eval.c:1026
/usr/local/bin/ruby(rb_ensure+0x10f) [0x122810] eval.c:901
/usr/local/bin/ruby(rb_io_s_open+0x5d) [0x1573c0] io.c:6384
/usr/local/bin/ruby(call_cfunc_m1+0x1f) [0x243160] vm_insnhelper.c:1459
/usr/local/bin/ruby(vm_call_cfunc_with_frame+0x165) [0x243b20] vm_insnhelper.c:1638
/usr/local/bin/ruby(vm_call_cfunc+0x82) [0x243c2d] vm_insnhelper.c:1733
/usr/local/bin/ruby(vm_call_method_each_type+0xa3) [0x24482d] vm_insnhelper.c:2022
/usr/local/bin/ruby(vm_call_method+0x6e) [0x244ebc] vm_insnhelper.c:2146
/usr/local/bin/ruby(vm_call_general+0x2d) [0x2450a7] vm_insnhelper.c:2189
/usr/local/bin/ruby(vm_exec_core+0x1da6) [0x247ef8] insns.def:964
/usr/local/bin/ruby(vm_exec+0xd2) [0x257b8e] vm.c:1650
/usr/local/bin/ruby(rb_iseq_eval_main+0x38) [0x25863b] vm.c:1893
/usr/local/bin/ruby(ruby_exec_internal+0x123) [0x121235] eval.c:245
/usr/local/bin/ruby(ruby_exec_node+0x28) [0x121343] eval.c:310
/usr/local/bin/ruby(ruby_run_node+0x38) [0x121311] eval.c:302
/usr/local/bin/ruby(main+0x68) [0x11f0b3] main.c:36

-- Other runtime information -----------------------------------------------

* Loaded script: load-re.rb

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so
    4 /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
    5 /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
    6 /usr/local/lib/ruby/2.3.0/unicode_normalize.rb
    7 /usr/local/lib/ruby/2.3.0/i686-linux/rbconfig.rb
    8 /usr/local/lib/ruby/2.3.0/rubygems/compatibility.rb
    9 /usr/local/lib/ruby/2.3.0/rubygems/defaults.rb
   10 /usr/local/lib/ruby/2.3.0/rubygems/deprecate.rb
   11 /usr/local/lib/ruby/2.3.0/rubygems/errors.rb
   12 /usr/local/lib/ruby/2.3.0/rubygems/version.rb
   13 /usr/local/lib/ruby/2.3.0/rubygems/requirement.rb
   14 /usr/local/lib/ruby/2.3.0/rubygems/platform.rb
   15 /usr/local/lib/ruby/2.3.0/rubygems/basic_specification.rb
   16 /usr/local/lib/ruby/2.3.0/rubygems/stub_specification.rb
   17 /usr/local/lib/ruby/2.3.0/rubygems/util/list.rb
   18 /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
   19 /usr/local/lib/ruby/2.3.0/rubygems/specification.rb
   20 /usr/local/lib/ruby/2.3.0/rubygems/exceptions.rb
   21 /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_gem.rb
   22 /usr/local/lib/ruby/2.3.0/monitor.rb
   23 /usr/local/lib/ruby/2.3.0/rubygems/core_ext/kernel_require.rb
   24 /usr/local/lib/ruby/2.3.0/rubygems.rb
   25 /usr/local/lib/ruby/2.3.0/rubygems/path_support.rb
   26 /usr/local/lib/ruby/2.3.0/rubygems/dependency.rb
   27 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/version.rb
   28 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/core_ext/name_error.rb
   29 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/levenshtein.rb
   30 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/jaro_winkler.rb
   31 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkable.rb
   32 /usr/local/lib/ruby/2.3.0/delegate.rb
   33 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb
   34 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb
   35 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/name_error_checkers.rb
   36 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/method_name_checker.rb
   37 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/spell_checkers/null_checker.rb
   38 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean/formatter.rb
   39 /usr/local/lib/ruby/gems/2.3.0/gems/did_you_mean-1.0.0/lib/did_you_mean.rb

* Process memory map:

00108000-003aa000 r-xp 00000000 08:07 2498477    /usr/local/bin/ruby
003aa000-003ad000 r--p 002a1000 08:07 2498477    /usr/local/bin/ruby
003ad000-003ae000 rw-p 002a4000 08:07 2498477    /usr/local/bin/ruby
003ae000-003b7000 rw-p 00000000 00:00 0 
04000000-04020000 r-xp 00000000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
04020000-04021000 r--p 0001f000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
04021000-04022000 rw-p 00020000 08:07 917607     /lib/i386-linux-gnu/ld-2.19.so
04022000-04023000 rwxp 00000000 00:00 0 
04822000-04824000 rw-p 00000000 00:00 0 
04824000-04825000 r-xp 00000000 08:07 2110738    /usr/lib/valgrind/vgpreload_core-x86-linux.so
04825000-04826000 r--p 00000000 08:07 2110738    /usr/lib/valgrind/vgpreload_core-x86-linux.so
04826000-04827000 rw-p 00001000 08:07 2110738    /usr/lib/valgrind/vgpreload_core-x86-linux.so
04827000-04835000 r-xp 00000000 08:07 2110703    /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so
04835000-04836000 r--p 0000d000 08:07 2110703    /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so
04836000-04837000 rw-p 0000e000 08:07 2110703    /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so
04837000-04838000 r--p 00855000 08:07 2105916    /usr/lib/locale/locale-archive
04838000-04839000 ---p 00000000 00:00 0 
04839000-0483c000 rw-p 00000000 00:00 0 
0483c000-0483e000 r-xp 00000000 08:07 2631367    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
0483e000-0483f000 r--p 00001000 08:07 2631367    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
0483f000-04840000 rw-p 00002000 08:07 2631367    /usr/local/lib/ruby/2.3.0/i686-linux/enc/encdb.so
04840000-04843000 r-xp 00000000 08:07 2757170    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
04843000-04844000 r--p 00002000 08:07 2757170    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
04844000-04845000 rw-p 00003000 08:07 2757170    /usr/local/lib/ruby/2.3.0/i686-linux/enc/trans/transdb.so
04845000-0484c000 r-xp 00000000 08:07 2499539    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
0484c000-0484d000 r--p 00006000 08:07 2499539    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
0484d000-0484e000 rw-p 00007000 08:07 2499539    /usr/local/lib/ruby/2.3.0/i686-linux/stringio.so
0484e000-04850000 rw-p 00000000 00:00 0 
04850000-04868000 r-xp 00000000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
04868000-04869000 r--p 00018000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
04869000-0486a000 rw-p 00019000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
0486a000-0486c000 rw-p 00000000 00:00 0 
0486c000-0486f000 r-xp 00000000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
0486f000-04870000 r--p 00002000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
04870000-04871000 rw-p 00003000 08:07 917601     /lib/i386-linux-gnu/libdl-2.19.so
04871000-04879000 r-xp 00000000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
04879000-0487a000 r--p 00008000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
0487a000-0487b000 rw-p 00009000 08:07 917608     /lib/i386-linux-gnu/libcrypt-2.19.so
0487b000-048a2000 rw-p 00000000 00:00 0 
048a2000-048e6000 r-xp 00000000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
048e6000-048e7000 r--p 00043000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
048e7000-048e8000 rw-p 00044000 08:07 917509     /lib/i386-linux-gnu/libm-2.19.so
048e8000-04a90000 r-xp 00000000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
04a90000-04a92000 r--p 001a8000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
04a92000-04a93000 rw-p 001aa000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
04a93000-04a98000 rw-p 00000000 00:00 0 
04a98000-04e98000 rwxp 00000000 00:00 0 
04e98000-05098000 r--p 00000000 08:07 2105916    /usr/lib/locale/locale-archive
05098000-05898000 rwxp 00000000 00:00 0 
058b0000-058cc000 r-xp 00000000 08:07 917533     /lib/i386-linux-gnu/libgcc_s.so.1
058cc000-058cd000 rw-p 0001b000 08:07 917533     /lib/i386-linux-gnu/libgcc_s.so.1
058cd000-05d72000 r--s 00000000 08:07 2498477    /usr/local/bin/ruby
05d72000-05d93000 r--s 00000000 08:07 917596     /lib/i386-linux-gnu/libpthread-2.19.so
05d93000-05e28000 r--s 00000000 08:07 2098869    /usr/lib/debug/lib/i386-linux-gnu/libpthread-2.19.so
05e28000-05fd5000 r--s 00000000 08:07 917604     /lib/i386-linux-gnu/libc-2.19.so
38000000-3837a000 r-xp 00000000 08:07 2110679    /usr/lib/valgrind/memcheck-x86-linux
3837b000-3837d000 rw-p 0037a000 08:07 2110679    /usr/lib/valgrind/memcheck-x86-linux
3837d000-3946d000 rw-p 00000000 00:00 0 
61f2f000-683c2000 rwxp 00000000 00:00 0 
683c2000-683c4000 ---p 00000000 00:00 0 
683c4000-684c4000 rwxp 00000000 00:00 0          [stack:29929]
684c4000-684c6000 ---p 00000000 00:00 0 
684c6000-684c7000 rw-s 00000000 08:07 1708583    /tmp/vgdb-pipe-shared-mem-vgdb-29929-by-root-on-???
684c7000-6ad1d000 rwxp 00000000 00:00 0 
6ad20000-6ad98000 rwxp 00000000 00:00 0 
6ad99000-6ae95000 rwxp 00000000 00:00 0 
6ae95000-6ae97000 ---p 00000000 00:00 0 
6ae97000-6af97000 rwxp 00000000 00:00 0          [stack:30002]
6af97000-6af99000 ---p 00000000 00:00 0 
6af99000-6b0cc000 rwxp 00000000 00:00 0 
b77a9000-b77ab000 r--p 00000000 00:00 0          [vvar]
be65e000-bee5d000 rw-p 00000000 00:00 0 
bfe3e000-bfe5f000 rw-p 00000000 00:00 0 


[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

==29929== 
==29929== HEAP SUMMARY:
==29929==     in use at exit: 2,765,971 bytes in 32,030 blocks
==29929==   total heap usage: 52,398 allocs, 20,368 frees, 6,177,662 bytes allocated
==29929== 
==29929== LEAK SUMMARY:
==29929==    definitely lost: 312 bytes in 3 blocks
==29929==    indirectly lost: 3,540 bytes in 70 blocks
==29929==      possibly lost: 136 bytes in 1 blocks
==29929==    still reachable: 2,761,983 bytes in 31,956 blocks
==29929==         suppressed: 0 bytes in 0 blocks
==29929== Rerun with --leak-check=full to see details of leaked memory
==29929== 
==29929== For counts of detected and suppressed errors, rerun with: -v
==29929== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Killed
~~~

---Files--------------------------------
load-re.rb (79 Bytes)
badread-to_ascii (25 Bytes)
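The Valgrind trace above says the uninitialised value was created by a stack allocation in make_regexp and then dereferenced by to_ascii while formatting the error message, i.e. the error-reporting path consumed a struct that the failed compile step never filled in. The C program below is an added illustration of that failure mode and its defensive fix; it is not Ruby's or Onigmo's code, and the struct `err_info`, the functions `compile_pattern`, `format_error` and `compile_and_report`, and the sample pattern are all constructed for this example. The vulnerable form is the single line `err_info einfo;` noted in the comment; the hardened form zero-initialises the struct and makes the formatter tolerate fields that were never set.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical stand-in for an error-info struct such as Onigmo's
 * OnigErrorInfo: an encoding descriptor plus the pattern fragment that
 * caused the error. Constructed for this example; the field names only
 * loosely mirror the real struct. */
typedef struct {
    const char *enc_name;   /* encoding descriptor; NULL means "not supplied" */
    const char *par;        /* start of the offending pattern fragment */
    const char *par_end;    /* one past its end */
} err_info;

/* Simulated compile step that fails *before* it has filled in the error
 * info. This is the situation the Valgrind output describes: the caller's
 * stack struct still holds whatever bytes happened to be there. */
static int compile_pattern(const char *pattern, err_info *einfo)
{
    if (strstr(pattern, "(?(") != NULL) {
        return -1;              /* early failure, einfo left untouched */
    }
    einfo->enc_name = "US-ASCII";
    einfo->par = pattern;
    einfo->par_end = pattern + strlen(pattern);
    return 0;
}

/* Error formatting that tolerates a partially filled struct. Returns the
 * number of bytes written and never dereferences a field that is NULL. */
static size_t format_error(char *buf, size_t buflen, const err_info *einfo)
{
    const char *enc = einfo->enc_name ? einfo->enc_name : "(unknown encoding)";
    int n;
    if (einfo->par && einfo->par_end && einfo->par_end > einfo->par) {
        n = snprintf(buf, buflen, "%s: bad fragment '%.*s'", enc,
                     (int)(einfo->par_end - einfo->par), einfo->par);
    } else {
        n = snprintf(buf, buflen, "%s: compile failed", enc);
    }
    return n < 0 ? 0 : (size_t)n;
}

/* Caller side. The defensive fix is the `= {0}` initialiser: whatever the
 * callee did or did not fill in, every pointer field starts as NULL instead
 * of stack garbage, so the formatter above can detect the gap instead of
 * reading through a bogus pointer (0xe in the report above). */
int compile_and_report(const char *pattern, char *msg, size_t msglen)
{
    err_info einfo = {0};   /* unsafe variant: `err_info einfo;` (uninitialised) */
    int rc = compile_pattern(pattern, &einfo);
    if (rc != 0) {
        format_error(msg, msglen, &einfo);
    } else {
        msg[0] = '\0';
    }
    return rc;
}

int main(void)
{
    char msg[128];
    /* Constructed input modelled on the reporter's badread-to_ascii file. */
    int rc = compile_and_report("(0?0|(?(5)||)|(?(5)||))?", msg, sizeof msg);
    printf("rc=%d msg=%s\n", rc, msg);
    return 0;
}
```

Running the program under Valgrind or with `-fsanitize=memory` is the practical check: with the `= {0}` initialiser in place neither tool reports an uninitialised read on the failing pattern, whereas the one-line unsafe variant reproduces the "use of uninitialised value" class of finding shown in the report.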


-- 
https://bugs.ruby-lang.org/
