From: npostavs@users.sourceforge.net
Newsgroups: gmane.emacs.bugs
Subject: bug#24751: 26.0.50; Regex stack overflow not detected properly (gets "Variable binding depth exceeds max-specpdl-size")
Date: Sat, 05 Nov 2016 15:34:29 -0400
Message-ID: <87mvhdoh4q.fsf@users.sourceforge.net>
References: <87twc6tl0i.fsf@users.sourceforge.net> <83h97nlknj.fsf@gnu.org>
In-Reply-To: <83h97nlknj.fsf@gnu.org> (Eli Zaretskii's message of "Fri, 04 Nov 2016 10:22:08 +0200")
To: Eli Zaretskii
Cc: 24751@debbugs.gnu.org
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/25.1 (gnu/linux)

Eli Zaretskii writes:
>> From: npostavs@users.sourceforge.net
>> Date: Thu, 20 Oct 2016 23:54:05 -0400
>>
>> So we might want to fix the re_max_failures setting in main, but it
>> doesn't quite make sense to me that GROW_FAIL_STACK relies on
>> re_max_failures being a multiple of (sizeof (fail_stack_elt_t)).  At the
>> definition of TYPICAL_FAILURE_SIZE we have
>>
>>     /* Estimate the size of data pushed by a typical failure stack entry.
>>        An estimate is all we need, because all we use this for
>>        is to choose a limit for how big to make the failure stack.  */
>>     /* BEWARE, the value `20' is hard-coded in emacs.c:main().  */
>>     #define TYPICAL_FAILURE_SIZE 20
>>
>> Why do we use an "estimate" here?  What's wrong with just using
>> (re_max_failures * sizeof (fail_stack_elt_t)) as the limit?  Or should
>> the limit actually be (re_max_failures * TYPICAL_FAILURE_SIZE * sizeof
>> (fail_stack_elt_t))?
>
> I think it should be the latter, indeed.
>
> Can you propose a patch along those lines that would remove the
> infloop in ENSURE_FAIL_STACK?
>
> Thanks.

The below seems to work, but effectively increases the size of the
failure stack (so the sample file size has to be increased 8-fold to get
a regex stack overflow).  Strangely, changing the value in the definition
of re_max_failures doesn't seem to have any effect; it stays 40000
regardless.  I am quite confused.

diff --git i/src/regex.c w/src/regex.c index 1c6c9e5..163c5b4 100644 --- i/src/regex.c +++ w/src/regex.c
@@ -1320,19 +1320,22 @@ WEAK_ALIAS (__re_set_syntax, re_set_syntax) #define GROW_FAIL_STACK(fail_stack) \ (((fail_stack).size * sizeof (fail_stack_elt_t) \ - >= re_max_failures * TYPICAL_FAILURE_SIZE) \ + >= re_max_failures * sizeof (fail_stack_elt_t) \ + * TYPICAL_FAILURE_SIZE) \ ? 0 \ : ((fail_stack).stack \ = REGEX_REALLOCATE_STACK ((fail_stack).stack, \ (fail_stack).size * sizeof (fail_stack_elt_t), \ - min (re_max_failures * TYPICAL_FAILURE_SIZE, \ + min (re_max_failures * sizeof (fail_stack_elt_t) \ + * TYPICAL_FAILURE_SIZE, \ ((fail_stack).size * sizeof (fail_stack_elt_t) \ * FAIL_STACK_GROWTH_FACTOR))), \ \ (fail_stack).stack == NULL \ ? 0 \ : ((fail_stack).size \ - = (min (re_max_failures * TYPICAL_FAILURE_SIZE, \ + = (min (re_max_failures * sizeof (fail_stack_elt_t) \ + * TYPICAL_FAILURE_SIZE, \ ((fail_stack).size * sizeof (fail_stack_elt_t) \ * FAIL_STACK_GROWTH_FACTOR)) \ / sizeof (fail_stack_elt_t)), \
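Review bot: the new ceiling expression `re_max_failures * sizeof (fail_stack_elt_t) * TYPICAL_FAILURE_SIZE` is now spelled out three times in GROW_FAIL_STACK (the `>=` guard, the REGEX_REALLOCATE_STACK size argument, and the `(fail_stack).size` update), so hoist it into one helper macro and use that in all three places; three hand-copied copies of a multi-line expression are exactly what drifts apart in a later edit. The factor also changes behaviour, not just the arithmetic: multiplying by sizeof (fail_stack_elt_t) raises the byte ceiling by that factor (the 8-fold change reported above is consistent with that type being 8 bytes on a 64-bit build), so if the intent is only to stop the infloop rather than to enlarge the stack, re_max_failures or TYPICAL_FAILURE_SIZE should be scaled down to compensate, and the hard-coded `20' that the quoted BEWARE comment says lives in emacs.c:main() has to be kept in step with whatever is decided here. Finally, the reason the factor fixes the infloop deserves a comment next to the guard: `(fail_stack).size` is computed with a truncating `/ sizeof (fail_stack_elt_t)`, so when the ceiling is not a multiple of sizeof (fail_stack_elt_t) the product `(fail_stack).size * sizeof (fail_stack_elt_t)` stops just below the ceiling, the `>=` test never becomes true, and each retry reallocates to the same size; the new expression is a multiple by construction, the old one was only when re_max_failures * TYPICAL_FAILURE_SIZE happened to be.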
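As an added example, not code from this message or from Emacs' regex.c, the C program below models the GROW_FAIL_STACK sizing logic quoted above with both ceiling formulas from the patch and shows why the old one can leave an ENSURE_FAIL_STACK-style loop spinning: when the byte ceiling is not a multiple of sizeof (fail_stack_elt_t), the truncating division leaves `size * sizeof (fail_stack_elt_t)` just below the ceiling, so the `>=` guard never fires while realloc keeps handing back the same capacity. Everything not in the thread is an assumption of mine: the stand-in element union, FAIL_STACK_GROWTH_FACTOR = 4, the helper names, and the simplified grow-until-there-is-room caller that stands in for ENSURE_FAIL_STACK.

```c
/* Added model of the failure-stack growth policy under discussion; not
   Emacs code.  Assumptions: the stand-in fail_stack_elt_t (a pointer/
   integer union, 8 bytes on a 64-bit build), FAIL_STACK_GROWTH_FACTOR 4,
   and a caller that keeps growing until there is room, as a stand-in for
   ENSURE_FAIL_STACK.  The two ceiling formulas are those in the hunk.  */
#include <stdio.h>
#include <stdlib.h>

#define TYPICAL_FAILURE_SIZE 20
#define FAIL_STACK_GROWTH_FACTOR 4   /* assumed value */

typedef union
{
  const unsigned char *pointer;
  long long integer;
} fail_stack_elt_t;

typedef struct
{
  fail_stack_elt_t *stack;
  size_t size;    /* capacity, in elements */
  size_t avail;   /* elements in use */
} fail_stack_type;

enum { PUSH_OVERFLOW = 0, PUSH_STALL = 1 };

/* Byte ceiling: pre-patch formula if OLD_FORMULA, patched one otherwise.  */
static size_t
max_stack_bytes (size_t re_max_failures, int old_formula)
{
  return old_formula
    ? re_max_failures * TYPICAL_FAILURE_SIZE
    : re_max_failures * sizeof (fail_stack_elt_t) * TYPICAL_FAILURE_SIZE;
}

/* Does the pre-patch ceiling fall on an element boundary?  */
static int
old_limit_is_aligned (size_t re_max_failures)
{
  return max_stack_bytes (re_max_failures, 1) % sizeof (fail_stack_elt_t) == 0;
}

/* One GROW_FAIL_STACK step, mirroring the macro: refuse (return 0) once
   the current byte size reaches LIMIT_BYTES, else realloc to
   min (LIMIT_BYTES, current * GROWTH_FACTOR) and recompute the element
   count with truncating division.  */
static int
grow_fail_stack (fail_stack_type *fs, size_t limit_bytes)
{
  size_t cur_bytes = fs->size * sizeof (fail_stack_elt_t);
  if (cur_bytes >= limit_bytes)
    return 0;
  size_t new_bytes = cur_bytes * FAIL_STACK_GROWTH_FACTOR;
  if (new_bytes > limit_bytes)
    new_bytes = limit_bytes;
  fail_stack_elt_t *p = realloc (fs->stack, new_bytes);
  if (p == NULL)
    return 0;
  fs->stack = p;
  fs->size = new_bytes / sizeof (fail_stack_elt_t);
  return 1;
}

/* Push entries until the stack can no longer grow.  PUSH_OVERFLOW means
   the grow step refused (the engine can report "stack overflow");
   PUSH_STALL means it "succeeded" without adding capacity, which is
   where the real ENSURE_FAIL_STACK loop would spin forever.  */
static int
fill_fail_stack (size_t re_max_failures, int old_formula, size_t initial_size)
{
  size_t limit = max_stack_bytes (re_max_failures, old_formula);
  fail_stack_type fs;
  fs.size = initial_size ? initial_size : 1;
  fs.avail = 0;
  fs.stack = malloc (fs.size * sizeof (fail_stack_elt_t));
  if (fs.stack == NULL)
    abort ();

  int result = PUSH_OVERFLOW;
  for (;;)
    {
      if (fs.avail >= fs.size)
        {
          size_t before = fs.size;
          if (!grow_fail_stack (&fs, limit))
            break;                        /* ceiling reached: detected */
          if (fs.size == before)
            {
              result = PUSH_STALL;        /* no progress: infloop in regex.c */
              break;
            }
          continue;
        }
      fs.stack[fs.avail].integer = (long long) fs.avail;
      fs.avail++;
    }
  free (fs.stack);
  return result;
}

int
main (void)
{
  static const char *const outcome[] = { "overflow detected", "stalled (infloop)" };
  printf ("old formula, re_max_failures = 40000: %s\n", outcome[fill_fail_stack (40000, 1, 5)]);
  printf ("old formula, re_max_failures = 40001: %s\n", outcome[fill_fail_stack (40001, 1, 5)]);
  printf ("new formula, re_max_failures = 40001: %s\n", outcome[fill_fail_stack (40001, 0, 5)]);
  printf ("new/old ceiling ratio: %zu\n", max_stack_bytes (40001, 0) / max_stack_bytes (40001, 1));
  return 0;
}
```

With 8-byte elements, re_max_failures = 40000 gives an old ceiling of 800000 bytes, which is a multiple of 8, so the old formula detects the overflow; 40001 gives 800020, which is not, and the old formula stalls at 100002 elements while the new one, whose ceiling is a multiple of the element size by construction, detects it. The last line prints the factor by which the patch raises the ceiling, which is the 8-fold effect the message reports.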