[BusyBox] bug#1223: grep segfaults with multiple regexps and CLEAN_UP enabled

Steve Merrifield steve at labyrinth.net.au
Mon Nov 19 01:15:02 UTC 2001


Package: busybox
Version: 0.61.pre
 
If I set CONFIG_FEATURE_CLEAN_UP, and use more than one -e parameter, grep
segfaults. With only one -e parameter, it works fine.  I am using the latest
CVS findutils/grep.c (20011119)
 
sjm ~/busybox > ./busybox grep -e strdup -e regcomp findutils/grep.c
extern void xregcomp(regex_t *preg, const char *regex, int cflags); /*
in busybox.h */
                                        before_buf[curpos] =
xstrdup(line);
        xregcomp(&regexes[nregexes-1], restr, reflags);
Segmentation fault (core dumped)
sjm ~/busybox >
 
 
In contrast, standard GNU grep works as expected with multiple -e's:
 
sjm ~/busybox > grep -e strdup -e regcomp findutils/grep.c
extern void xregcomp(regex_t *preg, const char *regex, int cflags); /*
in busybox.h */
                                        before_buf[curpos] =
xstrdup(line);
        xregcomp(&regexes[nregexes-1], restr, reflags);
sjm ~/busybox >
 
busybox was linked with the following libraries:
 
sjm ~/busybox > ldd busybox
        libc.so.6 => /lib/libc.so.6
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2
 
 
Using strace shows that it dies when it tries to free memory:
 
read(3, "", 4096)                       = 0
close(3)                                = 0
munmap(0x40015000, 4096)                = 0
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
This occurs in the destory_regexes() function:
 
        while (--nregexes >= 0) {
                regfree(&regexes[nregexes]);
                free(&regexes[nregexes]);
        }
 
If I comment out the free() it works fine.  Why? I've been down several
paths - printing allocated/deallocated addresses, not using realloc in
add_regex(), but using malloc(big) in main etc... (I initially thought
it was trying to free a non-allocated block, but my tests without realloc
and using malloc(big) show this not to be the case).
 
When there is only one -e parameter, free is called and is successful.  It
is on the second call to free that it dies. Similar regfree() + free() calls
are used in editors/sed.c and that works fine.
 
This code was added in diffs 1.59 and 1.60
 
I'd be happy to work on it and provide a patch, but I've come to a dead-end.
I need some help please :)

Thanks,
steve
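Added example (not part of Steve's message or of BusyBox itself): the shape of cleanup that matches a pattern array grown with realloc(). The function and variable names add_regex, destroy_regexes, regexes and nregexes are assumed to mirror the grep.c being discussed. Each regex_t element gets regfree(), but the array is one heap block, so free() is called once on the base pointer; free(&regexes[i]) for i > 0 passes an interior pointer that free() never returned, which is undefined behaviour and explains why only the first free() succeeds.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical globals mirroring the page's grep.c: all regex_t structs
 * live inside ONE heap block that realloc() grows one element at a time. */
static regex_t *regexes = NULL;
static int nregexes = 0;

/* Append one compiled pattern. Returns the new count, or -1 on failure. */
static int add_regex(const char *restr, int reflags)
{
    regex_t *grown = realloc(regexes, (nregexes + 1) * sizeof(regex_t));
    if (grown == NULL)
        return -1;
    regexes = grown;
    if (regcomp(&regexes[nregexes], restr, reflags) != 0)
        return -1;              /* array still valid; slot simply unused */
    return ++nregexes;
}

/* Release what regcomp() allocated inside each element, then release the
 * array exactly once via the pointer realloc() actually returned.
 * Returns the number of patterns released. */
static int destroy_regexes(void)
{
    int released = 0;
    while (--nregexes >= 0) {
        regfree(&regexes[nregexes]);   /* per-element: correct */
        released++;                    /* free(&regexes[i]) would be wrong */
    }
    free(regexes);                     /* whole block: once */
    regexes = NULL;
    nregexes = 0;
    return released;
}

/* grep semantics for several -e patterns: a line matches any of them. */
static int count_matches(const char *line)
{
    int hits = 0;
    for (int i = 0; i < nregexes; i++)
        if (regexec(&regexes[i], line, 0, NULL, 0) == 0)
            hits++;
    return hits;
}

int main(void)
{
    add_regex("strdup", REG_EXTENDED);
    add_regex("regcomp", REG_EXTENDED);
    printf("%d match(es)\n", count_matches("before_buf[curpos] = xstrdup(line);"));
    printf("%d released\n", destroy_regexes());
    return 0;
}
```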