On 1/2/20 11:54 AM, liqingqing wrote:
> Hello Florian and all glibc developers.
>
> I would like to ask whether we have any plan or good way to fix the bug below:
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=24269
>
> Dhiraj 2019-02-26 06:24:20 UTC
> While fuzzing the regex module via honggfuzz
>
> $ echo D | grep -E "$(printf '(\0|)(\\1\\1)*')"
> bash: warning: command substitution: ignored null byte in input
> Segmentation fault (core dumped)
>
> ==6453== Process terminating with default action of signal 13 (SIGPIPE)
> ==6453==    at 0x4F4C154: write (write.c:27)
> ==6453==    by 0x4EC71BC: _IO_file_write@@GLIBC_2.2.5 (fileops.c:1203)
> ==6453==    by 0x4EC8F50: new_do_write (fileops.c:457)
> ==6453==    by 0x4EC8F50: _IO_do_write@@GLIBC_2.2.5 (fileops.c:433)
> ==6453==    by 0x4EC6787: _IO_file_sync@@GLIBC_2.2.5 (fileops.c:813)
> ==6453==    by 0x4EBA87C: fflush (iofflush.c:40)
> ==6453==    by 0x10CE73: ??? (in /bin/echo)
> ==6453==    by 0x10C939: ??? (in /bin/echo)
> ==6453==    by 0x10A221: ??? (in /bin/echo)
> ==6453==    by 0x4E7F040: __run_exit_handlers (exit.c:108)
> ==6453==    by 0x4E7F139: exit (exit.c:139)
> ==6453==    by 0x4E5DB9D: (below main) (libc-start.c:344)
> ==6453==
>
> OS: Linux ubuntu 4.15.0-45-generic #48-Ubuntu SMP Tue Jan 29 16:28:13 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

Meanwhile grep (or libc) seems to exit gracefully:

$ echo D | grep -E "$(printf '(\0|)(\\1\\1)*')"
bash: warning: command substitution: ignored null byte in input
grep: stack overflow

Here: Debian unstable, grep (GNU grep) 3.3

Regards, Tim