svn commit: r278739 - head/lib/libc/regex
Bryan Drewery
bdrewery at FreeBSD.org
Sat Feb 14 00:36:59 UTC 2015
On 2/13/2015 6:23 PM, Xin LI wrote:
> Author: delphij
> Date: Sat Feb 14 00:23:53 2015
> New Revision: 278739
> URL: https://svnweb.freebsd.org/changeset/base/278739
>
> Log:
> Disallow pattern spaces which would cause intermediate calculations to
> overflow size_t.
>
> Obtained from: DragonFly (2841837793bd095a82f477e9c370cfe6cfb3862c dillon)
> Security: CERT VU#695940
> MFC after: 3 days
>
> Modified:
> head/lib/libc/regex/regcomp.c
>
> Modified: head/lib/libc/regex/regcomp.c
> ==============================================================================
> --- head/lib/libc/regex/regcomp.c Sat Feb 14 00:03:43 2015 (r278738)
> +++ head/lib/libc/regex/regcomp.c Sat Feb 14 00:23:53 2015 (r278739)
> @@ -192,6 +192,7 @@ regcomp(regex_t * __restrict preg,
> struct parse *p = &pa;
> int i;
> size_t len;
> + size_t maxlen;
> #ifdef REDEBUG
> # define GOODFLAGS(f) (f)
> #else
> @@ -213,7 +214,23 @@ regcomp(regex_t * __restrict preg,
> g = (struct re_guts *)malloc(sizeof(struct re_guts));
> if (g == NULL)
> return(REG_ESPACE);
> + /*
> + * Limit the pattern space to avoid a 32-bit overflow on buffer
> + * extension. Also avoid any signed overflow in case of conversion
> + * so make the real limit based on a 31-bit overflow.
> + *
> + * Likely not applicable on 64-bit systems but handle the case
> + * generically (who are we to stop people from using ~715MB+
> + * patterns?).
> + */
> + maxlen = ((size_t)-1 >> 1) / sizeof(sop) * 2 / 3;
> + if (len >= maxlen) {
> + free((char *)g);
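Review bot: The length check at `if (len >= maxlen)` runs only after `g` has been allocated, so the rejection path has to free `g` again. Because `maxlen` depends only on `sizeof(sop)` and `len` is not changed between the `malloc` and the check, the test could move above the `malloc` call and return without any cleanup. The comment speaks of 32-bit and 31-bit overflow while the bound is derived from the width of `size_t` via `(size_t)-1 >> 1`, so wording it in terms of `size_t`, as the commit log does, would match the code on every platform. It would also help to say in the comment where the `* 2 / 3` factor comes from, since the hunk does not show which later buffer extension it is guarding.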
I was planning to submit a patch for review to remove all of this
casting / and discuss.
In this example the malloc is cast to struct re_guts* but the free is
cast to char *. Why different and why cast in free at all?
--
Regards,
Bryan Drewery