Ticket #12818: regex: badly needs fuzzing

Reporter: dvyukov@…
Owner: John Maddock
Type: Bugs
Status: closed
Milestone: Boost 1.64.0
Component: regex
Version: Boost 1.63.0
Severity: Problem
Resolution: fixed
Keywords: (none)
Cc: kcc@…, aizatsky@…, mmoroz@…

Description:

Hello,

I've applied libFuzzer (http://tutorial.libfuzzer.info) to the regexp library and found 5 heap-buffer-overflows, a stack overflow, an assert failure, use of uninitialized data, a SIGSEGV, an infinite loop, an undefined shift, an invalid enum value and a bunch of memory leaks in just half an hour:

SUMMARY: AddressSanitizer: heap-buffer-overflow boost/regex/v4/perl_matcher.hpp:132:10 in char const* boost::re_detail_106300::re_skip_past_null(char const*)

SUMMARY: AddressSanitizer: heap-buffer-overflow boost/regex/v4/perl_matcher.hpp:221:29 in __gnu_cxx::__normal_iterator boost::re_detail_106300::re_is_set_member<__gnu_cxx::__normal_iterator, char, boost::regex_traits >, unsigned int>(__gnu_cxx::__normal_iterator, __gnu_cxx::__normal_iterator, boost::re_detail_106300::re_set_long const*, boost::re_detail_106300::regex_data > > const&, bool)

SUMMARY: AddressSanitizer: heap-buffer-overflow /sanitizer_common_interceptors.inc:278 in __interceptor_strlen

SUMMARY: AddressSanitizer: heap-buffer-overflow boost/regex/v4/perl_matcher.hpp:166:19 in __gnu_cxx::__normal_iterator boost::re_detail_106300::re_is_set_member<__gnu_cxx::__normal_iterator, char, boost::regex_traits >, unsigned int>(__gnu_cxx::__normal_iterator, __gnu_cxx::__normal_iterator, boost::re_detail_106300::re_set_long const*, boost::re_detail_106300::regex_data > > const&, bool)

a.out: boost/regex/v4/perl_matcher_common.hpp:606: bool boost::re_detail_106300::perl_matcher<__gnu_cxx::__normal_iterator >, std::allocator > > >, boost::regex_traits > >::match_backref() [BidiIterator = __gnu_cxx::__normal_iterator >, Allocator = std::allocator > > >, traits = boost::regex_traits >]: Assertion `r.first != r.second' failed.

SUMMARY: MemorySanitizer: use-of-uninitialized-value boost/regex/v4/perl_matcher.hpp:166:13 in std::__1::__wrap_iter boost::re_detail_106300::re_is_set_member, char, boost::regex_traits >, unsigned int>(std::__1::__wrap_iter, std::__1::__wrap_iter, boost::re_detail_106300::re_set_long const*, boost::re_detail_106300::regex_data > > const&, bool)

SUMMARY: AddressSanitizer: heap-buffer-overflow ./boost/regex/v4/basic_regex_parser.hpp:2599:68 in boost::re_detail_106300::basic_regex_parser > >::parse_perl_extension()

boost/regex/v4/basic_regex_parser.hpp:2599:68: runtime error: load of value 56794092, which is not a valid value for type 'boost::re_detail_106300::syntax_element_type'

Direct leak of 4096 byte(s) in 1 object(s) allocated from:

SUMMARY: AddressSanitizer: stack-overflow ./boost/regex/v4/basic_regex_creator.hpp:1054 in boost::re_detail_106300::basic_regex_creator > >::create_startmap(boost::re_detail_106300::re_syntax_base*, unsigned char*, unsigned int*, unsigned char)

SUMMARY: AddressSanitizer: SEGV

ALARM: working on the last Unit for 17 seconds

boost/regex/v4/basic_regex_parser.hpp:904:49: runtime error: shift exponent 325804978 is too large for 32-bit type 'unsigned int'

Full reports and triggering inputs for each bug are attached. The test that I used is simply:

    #include <boost/regex.hpp>
    #include <cstddef>
    #include <cstdint>
    #include <exception>
    #include <string>

    // libFuzzer entry point: compile the input as a pattern, then match the same input against it.
    extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
      try {
        std::string str(reinterpret_cast<const char*>(Data), Size);
        boost::regex e(str);   // throws boost::regex_error (a std::exception) on invalid patterns
        boost::smatch what;    // match_results<std::string::const_iterator>
        boost::regex_match(str, what, e, boost::match_default | boost::match_partial);
      } catch (const std::exception&) {
        // Rejected patterns are expected; only crashes and sanitizer reports are of interest.
      }
      return 0;
    }

I would suggest rerunning the fuzzer after fixing these bugs, as the fuzzer was mostly choking on the existing bugs because they are easy to trigger. Also, it can make sense to set up continuous fuzzing using https://github.com/google/oss-fuzz, which will automatically test the latest code.