From mboxrd@z Thu Jan  1 00:00:00 1970
X-Msuck: nntp://news.gmane.org/gmane.linux.lib.musl.general/10039
Path: news.gmane.org!not-for-mail
From: Szabolcs Nagy <nsz@port70.net>
Newsgroups: gmane.linux.lib.musl.general
Subject: Re: uninitialized variable
Date: Fri, 20 May 2016 22:44:36 +0200
Message-ID: <20160520204436.GH22574@port70.net>
References: <e8f9f75f-9aef-e771-e6ad-4045e6fcbf1e@cs.utah.edu>
Reply-To: musl@lists.openwall.com
NNTP-Posting-Host: plane.gmane.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: ger.gmane.org 1463777107 3499 80.91.229.3 (20 May 2016 20:45:07 GMT)
X-Complaints-To: usenet@ger.gmane.org
NNTP-Posting-Date: Fri, 20 May 2016 20:45:07 +0000 (UTC)
To: musl@lists.openwall.com
Original-X-From: musl-return-10052-gllmg-musl=m.gmane.org@lists.openwall.com Fri May 20 22:45:06 2016
Return-path: <musl-return-10052-gllmg-musl=m.gmane.org@lists.openwall.com>
Envelope-to: gllmg-musl@m.gmane.org
Original-Received: from mother.openwall.net ([195.42.179.200])
	by plane.gmane.org with smtp (Exim 4.69)
	(envelope-from <musl-return-10052-gllmg-musl=m.gmane.org@lists.openwall.com>)
	id 1b3rI1-0006uH-9D
	for gllmg-musl@m.gmane.org; Fri, 20 May 2016 22:44:57 +0200
Original-Received: (qmail 7578 invoked by uid 550); 20 May 2016 20:44:48 -0000
Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Precedence: bulk
List-Post: <mailto:musl@lists.openwall.com>
List-Help: <mailto:musl-help@lists.openwall.com>
List-Unsubscribe: <mailto:musl-unsubscribe@lists.openwall.com>
List-Subscribe: <mailto:musl-subscribe@lists.openwall.com>
List-ID: <musl.lists.openwall.com>
Original-Received: (qmail 7560 invoked from network); 20 May 2016 20:44:47 -0000
Mail-Followup-To: musl@lists.openwall.com
Content-Disposition: inline
In-Reply-To: <e8f9f75f-9aef-e771-e6ad-4045e6fcbf1e@cs.utah.edu>
User-Agent: Mutt/1.5.24 (2015-08-30)
Xref: news.gmane.org gmane.linux.lib.musl.general:10039
Archived-At: <http://permalink.gmane.org/gmane.linux.lib.musl.general/10039>

* John Regehr <regehr@cs.utah.edu> [2016-05-19 17:28:58 +0200]:
> This call:
> 
> regcomp(&r, "^(b+|||(CW*)*|){5,}{53}*+)^?5,}", REG_EXTENDED);
> 
> ends up using uninitialized memory like so:
> 
> regcomp.c:221:[kernel] warning: accessing uninitialized left-value:
>                   assert \initialized(&right->num_submatches);
>                   stack: tre_ast_new_catenation :: regcomp.c:1764 <-
>                          tre_copy_ast :: regcomp.c:1916 <-
>                          tre_expand_ast :: regcomp.c:2771 <-
>                          musl_regcomp :: foo.c:9 <-
>                          main

thanks

it seems tre_add_tag* allocates a node
without initializing this field.

(nodes are supposed to be allocated by
dedicated functions based on node type,
those do the init.)

it seems this is wrong in the original tre
code too.

the ere "(a){2,}" should touch that code path.

i guess the right fix is to set the field
to 0, but i will have to look at the logic
more.

> 
> Having crap in this field seems bad since it is used to compute a malloc
> size.
> 
> John