697381 – Null pointer dereference in regexp.c

Bug 697381 - Null pointer dereference in regexp.c

Summary: Null pointer dereference in regexp.c

Status:	RESOLVED FIXED

Alias:	None

Product:	MuJS
Classification:	Unclassified
Component:	general (show other bugs)
Version:	unspecified
Hardware:	PC Linux

Importance:	P4 normal
Assignee:	Tor Andersson

URL:
Keywords:

Depends on:
Blocks:

Reported:	2016-11-28 23:21 UTC by DD
Modified:	2016-12-12 04:22 UTC (History)
CC List:	1 user (show)

See Also:
Customer:
Word Size:	---

Attachments
The input javascript file that is causing the crash with low process memory setting using ulimit as described in desciption (113 bytes, application/x-javascript) 2016-11-28 23:21 UTC, DD	Details
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description DD 2016-11-28 23:21:22 UTC

Created attachment 13175 [details]
The input javascript file that is causing the crash with low process memory setting using ulimit as described in desciption

In regexp.c:

Line 817: g.prog = malloc(sizeof (Reprog));
Line 833: g.prog->flags = cflags;

There was no checking if g.proc is null

Attached the input javascript used to trigger the crash with low process memory of 25mb using ulimit -Sv 25000

Comment 1 DD 2016-12-12 03:03:51 UTC

Hi,

Any Update on this?

Comment 2 Tor Andersson 2016-12-12 04:22:53 UTC

Should be fixed in commit fd003eceda531e13fbdd1aeb6e9c73156496e569
Author: Tor Andersson <tor@ccxvii.net>
Date:   Fri Dec 2 14:56:20 2016 -0500

    Fix 697381: check allocation when compiling regular expressions.
    
    Also use allocator callback function.