Bug 697381

Summary: Null pointer dereference in regexp.c
Product: MuJS
Reporter: DD <dileep.chinu>
Component: general
Assignee: Tor Andersson <tor.andersson>
Status: RESOLVED FIXED
QA Contact: Bug traffic <tech>
Severity: normal
Priority: P4
CC: dileep.chinu
Version: unspecified
Hardware: PC
OS: Linux
Customer:
Word Size: ---
Attachments: The input javascript file that is causing the crash with low process memory setting using ulimit as described in description

Description DD 2016-11-28 23:21:22 UTC
Created attachment 13175 [details]
The input javascript file that is causing the crash with low process memory setting using ulimit as described in description

In regexp.c:

Line 817: g.prog = malloc(sizeof (Reprog));
Line 833: g.prog->flags = cflags;

There was no check if g.prog is null.

Attached the input javascript used to trigger the crash with low process memory of 25mb using ulimit -Sv 25000.
Comment 1 DD 2016-12-12 03:03:51 UTC
Hi,

Any Update on this?
Comment 2 Tor Andersson 2016-12-12 04:22:53 UTC
Should be fixed in commit fd003eceda531e13fbdd1aeb6e9c73156496e569
Author: Tor Andersson <tor@ccxvii.net>
Date:   Fri Dec 2 14:56:20 2016 -0500

    Fix 697381: check allocation when compiling regular expressions.
    
    Also use allocator callback function.
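Added illustration of the defect in the description and of the fix shape in comment 2 (check the allocation, route it through an allocator callback); this is example code written for this page, not MuJS's regexp.c, and the Reprog struct, the alloc_fn type and the two allocators are assumed stand-ins.

```c
#include <stdlib.h>
#include <string.h>
/* Stand-in for MuJS's Reprog (assumed shape; only the field this example needs). */
typedef struct Reprog { int flags; } Reprog;

/* Allocator callback in the style the fix mentions (name assumed): NULL on failure, like malloc. */
typedef void *(*alloc_fn)(void *ctx, size_t size);

/* The reported shape: the allocation result is dereferenced with no NULL check. */
Reprog *compile_unchecked(alloc_fn alloc, void *ctx, int cflags)
{
    Reprog *prog = alloc(ctx, sizeof(Reprog));
    prog->flags = cflags;   /* crashes here when alloc returns NULL */
    return prog;
}

/* The fixed shape: report allocation failure to the caller instead of dereferencing NULL. */
Reprog *compile_checked(alloc_fn alloc, void *ctx, int cflags, const char **err)
{
    Reprog *prog = alloc(ctx, sizeof(Reprog));
    if (!prog) {
        *err = "out of memory";
        return NULL;
    }
    memset(prog, 0, sizeof *prog);
    prog->flags = cflags;
    return prog;
}

/* Constructed allocators: one that always fails (what a tight ulimit produces), one that works. */
void *failing_alloc(void *ctx, size_t size) { (void)ctx; (void)size; return NULL; }
void *system_alloc(void *ctx, size_t size) { (void)ctx; return malloc(size); }

/* 1 if the checked path turns allocation failure into a clean error instead of a crash. */
int checked_reports_oom(void)
{
    const char *err = NULL;
    Reprog *p = compile_checked(failing_alloc, NULL, 1, &err);
    return p == NULL && err != NULL;
}

/* 1 if the checked path still compiles normally with a working allocator. */
int checked_sets_flags(int cflags)
{
    const char *err = NULL;
    Reprog *p = compile_checked(system_alloc, NULL, cflags, &err);
    int ok = p != NULL && p->flags == cflags;
    free(p);
    return ok;
}
```

Calling compile_unchecked(failing_alloc, NULL, 1) reproduces the reported crash, which is why the caller-facing error path in compile_checked is the part to test under memory pressure.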