Bug 697381 - Null pointer dereference in regexp.c
Status: RESOLVED FIXED
Product: MuJS
Classification: Unclassified
Component: general
Version: unspecified
Hardware: PC Linux
Importance: P4 normal
Assigned To: Tor Andersson
Reported: 2016-11-28 23:21 UTC by DD
Modified: 2016-12-12 04:22 UTC (History)
Attachments
The input JavaScript file that is causing the crash with a low process memory setting using ulimit as described in the description (113 bytes, application/x-javascript)
2016-11-28 23:21 UTC, DD

Description DD 2016-11-28 23:21:22 UTC
Created attachment 13175 [details]
The input JavaScript file that is causing the crash with a low process memory setting using ulimit as described in the description

In regexp.c:

Line 817: g.prog = malloc(sizeof (Reprog));
Line 833: g.prog->flags = cflags;

There was no check whether g.prog is null.

Attached is the input JavaScript used to trigger the crash with a low process memory limit of 25 MB using ulimit -Sv 25000.
Comment 1 DD 2016-12-12 03:03:51 UTC
Hi,

Any update on this?
Comment 2 Tor Andersson 2016-12-12 04:22:53 UTC
Should be fixed in commit fd003eceda531e13fbdd1aeb6e9c73156496e569
Author: Tor Andersson <tor@ccxvii.net>
Date:   Fri Dec 2 14:56:20 2016 -0500

    Fix 697381: check allocation when compiling regular expressions.
    
    Also use allocator callback function.
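The following C program is an added illustration and is not MuJS code: it shows the shape of the defect from the description (the result of the allocation at "line 817" is written through at "line 833" without a null check) next to the shape of the fix that comment 2 describes (every allocation checked, and the allocation routed through a caller-supplied allocator callback). The names Reprog, Reinst, regcomp_unchecked, regcomp_checked, regfree_checked, the alloc_fn signature and the Budget test allocator are hypothetical stand-ins, not the identifiers in regexp.c. The Budget allocator grants a fixed number of allocations and then fails, standing in for the ulimit -Sv condition in the report, and counts outstanding blocks so that a leak on the failure path would show up.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not MuJS code. Reprog, Reinst, regcomp_* and the
 * allocator signature are hypothetical stand-ins for those in regexp.c. */

typedef struct Reinst { int opcode; } Reinst;

typedef struct Reprog {
	int flags;      /* the field written at "line 833" in the report */
	int ninst;
	Reinst *start;
} Reprog;

/* realloc-style callback in the spirit of the fix commit's "allocator
 * callback function": n == 0 frees ptr, otherwise a fresh block is requested. */
typedef void *(*alloc_fn)(void *ctx, void *ptr, size_t n);

/* Before: the pattern from the description. The allocation result is used
 * without a check, so when the allocator returns NULL the flags store faults. */
static Reprog *regcomp_unchecked(alloc_fn alloc, void *ctx, const char *pattern, int cflags)
{
	Reprog *prog = alloc(ctx, NULL, sizeof *prog);
	prog->flags = cflags;                        /* NULL dereference under memory pressure */
	prog->ninst = (int)strlen(pattern) + 1;
	prog->start = alloc(ctx, NULL, prog->ninst * sizeof *prog->start);
	for (int i = 0; i < prog->ninst; i++)        /* same problem again for start */
		prog->start[i].opcode = pattern[i];
	return prog;
}

/* After: every allocation is checked. On failure the caller gets NULL plus an
 * error string, and whatever was already allocated is released. */
static Reprog *regcomp_checked(alloc_fn alloc, void *ctx, const char *pattern,
                               int cflags, const char **errorp)
{
	Reprog *prog = alloc(ctx, NULL, sizeof *prog);
	if (!prog) {
		if (errorp) *errorp = "cannot allocate regular expression";
		return NULL;
	}
	prog->flags = cflags;
	prog->ninst = (int)strlen(pattern) + 1;      /* toy: one opcode per byte plus a terminator */
	prog->start = alloc(ctx, NULL, prog->ninst * sizeof *prog->start);
	if (!prog->start) {
		if (errorp) *errorp = "cannot allocate regular expression instructions";
		alloc(ctx, prog, 0);                     /* do not leak the half-built program */
		return NULL;
	}
	for (int i = 0; i < prog->ninst; i++)
		prog->start[i].opcode = pattern[i];      /* trailing '\0' acts as the toy "match" opcode */
	if (errorp) *errorp = NULL;
	return prog;
}

static void regfree_checked(alloc_fn alloc, void *ctx, Reprog *prog)
{
	if (!prog) return;
	alloc(ctx, prog->start, 0);
	alloc(ctx, prog, 0);
}

/* Test allocator standing in for the ulimit -Sv condition in the report: it
 * grants allocs_left allocations, fails every one after that, and counts
 * outstanding blocks so a leak on the failure path is visible. */
typedef struct Budget { int allocs_left; int live; } Budget;

static void *budget_alloc(void *ctx, void *ptr, size_t n)
{
	Budget *b = ctx;
	if (n == 0) {
		if (ptr) b->live--;
		free(ptr);
		return NULL;
	}
	if (b->allocs_left <= 0)
		return NULL;                             /* simulated out-of-memory */
	b->allocs_left--;
	void *p = malloc(n);
	if (p) b->live++;
	return p;
}

/* Compile pattern under a budget of allocs_left allocations.
 * Returns 1 on success, 0 when the checked compiler reports an error. */
static int compile_under_budget(int allocs_left, const char *pattern)
{
	Budget b = { allocs_left, 0 };
	const char *err = NULL;
	Reprog *prog = regcomp_checked(budget_alloc, &b, pattern, 0, &err);
	int ok = prog != NULL && err == NULL;
	regfree_checked(budget_alloc, &b, prog);
	return ok;
}

/* Same run, returning the number of blocks still outstanding afterwards:
 * 0 on every path if the failure handling releases what it allocated. */
static int leaked_under_budget(int allocs_left, const char *pattern)
{
	Budget b = { allocs_left, 0 };
	const char *err = NULL;
	Reprog *prog = regcomp_checked(budget_alloc, &b, pattern, 0, &err);
	regfree_checked(budget_alloc, &b, prog);
	return b.live;
}

int main(void)
{
	for (int budget = 0; budget <= 2; budget++)
		printf("budget %d: compiled=%d leaked=%d\n", budget,
		       compile_under_budget(budget, "a+b"), leaked_under_budget(budget, "a+b"));
	/* The unchecked form only survives with a generous budget; with a budget
	 * of 0 its first store would dereference NULL, as in the report. */
	Budget plenty = { 1000, 0 };
	regfree_checked(budget_alloc, &plenty, regcomp_unchecked(budget_alloc, &plenty, "a+b", 0));
	return 0;
}
```

Budgets 0 and 1 exercise the two failure points (the program struct and the instruction array); in both cases the checked compiler returns NULL with an error and leaves nothing outstanding, while budget 2 compiles normally. The allocator-callback shape is what lets a test like this inject failure deterministically instead of relying on ulimit.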