Date: Fri, 13 Feb 2015 18:37:00 -0600 From: Bryan Drewery <bdrewery@FreeBSD.org> To: Xin LI <delphij@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r278739 - head/lib/libc/regex Message-ID: <54DE98AC.6030309@FreeBSD.org> In-Reply-To: <201502140023.t1E0Nspc090570@svn.freebsd.org> References: <201502140023.t1E0Nspc090570@svn.freebsd.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --uTloE2vHloF2tHifITEeF6uufJiomIxOU Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 2/13/2015 6:23 PM, Xin LI wrote: > Author: delphij > Date: Sat Feb 14 00:23:53 2015 > New Revision: 278739 > URL: https://svnweb.freebsd.org/changeset/base/278739 >=20 > Log: > Disallow pattern spaces which would cause intermediate calculations t= o > overflow size_t. > =20 > Obtained from: DragonFly (2841837793bd095a82f477e9c370cfe6cfb3862c di= llon) > Security: CERT VU#695940 > MFC after: 3 days >=20 > Modified: > head/lib/libc/regex/regcomp.c >=20 > Modified: head/lib/libc/regex/regcomp.c > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D > --- head/lib/libc/regex/regcomp.c Sat Feb 14 00:03:43 2015 (r278738) > +++ head/lib/libc/regex/regcomp.c Sat Feb 14 00:23:53 2015 (r278739) > @@ -192,6 +192,7 @@ regcomp(regex_t * __restrict preg, > struct parse *p =3D &pa; > int i; > size_t len; > + size_t maxlen; > #ifdef REDEBUG > # define GOODFLAGS(f) (f) > #else > @@ -213,7 +214,23 @@ regcomp(regex_t * __restrict preg, > g =3D (struct re_guts *)malloc(sizeof(struct re_guts)); > if (g =3D=3D NULL) > return(REG_ESPACE); > + /* > + * Limit the pattern space to avoid a 32-bit overflow on buffer > + * extension. Also avoid any signed overflow in case of conversion > + * so make the real limit based on a 31-bit overflow. > + * > + * Likely not applicable on 64-bit systems but handle the case > + * generically (who are we to stop people from using ~715MB+ > + * patterns?). > + */ > + maxlen =3D ((size_t)-1 >> 1) / sizeof(sop) * 2 / 3; > + if (len >=3D maxlen) { > + free((char *)g); I was planning to submit a patch for review to remove all of this casting / and discuss. In this example the malloc is casted to struct re_gets* but the free is casted to char *. Why different and why cast in free at all? --=20 Regards, Bryan Drewery --uTloE2vHloF2tHifITEeF6uufJiomIxOU Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJU3pitAAoJEDXXcbtuRpfPTRYH/2m4BQpQq5cS9w9U2P4vo/al Ka4lJYfbB6kY6QvEWO3A6OmvBwSGQFgm3nfSO8+Gc6o0ObkHvlJvuoaaYOEGyaBJ JJ3d4jfME10R+H11SI/f19BWZJxDCdwOdV0yF3lmTG1pGM/XCNHt8vfZmKCONp3z LOKrdZ4QU4ErI5HYkPBOPYrT7CD+Sv9744Um/ME1UE3ahOBDILMqgJxtvKVV+iCB /j3LzzH0nVpc79KWRnEDgzJQP8PJqVsZPrKf2ynpqb6YRN16zuWxV3qs61TYlewZ zfkImFbcNzIuWU/hg/gO2Q7hstCMyBHr59QvaUh5xRMB/un3xOci7TAyq6DR37s= =0uVo -----END PGP SIGNATURE----- --uTloE2vHloF2tHifITEeF6uufJiomIxOU--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54DE98AC.6030309>