Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Leap:15.2:Update
tre
CVE-2016-8859.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2016-8859.patch of Package tre
From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001 From: Rich Felker <dalias@aerifal.cx> Date: Thu, 6 Oct 2016 18:34:58 -0400 Subject: fix missing integer overflow checks in regexec buffer size computations most of the possible overflows were already ruled out in practice by regcomp having already succeeded performing larger allocations. however at least the num_states*num_tags multiplication can clearly overflow in practice. for safety, check them all, and use the proper type, size_t, rather than int. also improve comments, use calloc in place of malloc+memset, and remove bogus casts. --- src/regex/regexec.c | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) Note: patch was modified to apply to tre, parts were taken from https://github.com/laurikari/tre/issues/37 --- a/lib/tre-match-parallel.c +++ b/lib/tre-match-parallel.c @@ -59,6 +59,7 @@ char *alloca (); #ifdef HAVE_MALLOC_H #include <malloc.h> #endif /* HAVE_MALLOC_H */ +#include <stdint.h> #include "tre-internal.h" #include "tre-match-utils.h" @@ -150,11 +151,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t * /* Allocate memory for temporary data required for matching. This needs to be done for every matching operation to be thread safe. This allocates - everything in a single large block from the stack frame using alloca() - or with malloc() if alloca is unavailable. */ + everything in a single large block with calloc(). */ { - int tbytes, rbytes, pbytes, xbytes, total_bytes; + size_t tbytes, rbytes, pbytes, xbytes, total_bytes; char *tmp_buf; + + /* Ensure that tbytes and xbytes*num_states cannot overflow, and that + * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */ + if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states)) + return REG_BADPAT; + + /* Likewise check rbytes. */ + if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next))) + return REG_BADPAT; + + /* Likewise check pbytes. */ + if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos))) + return REG_BADPAT; + /* Compute the length of the block we need. */ tbytes = sizeof(*tmp_tags) * num_tags; rbytes = sizeof(*reach_next) * (tnfa->num_states + 1); @@ -168,11 +182,11 @@ tre_tnfa_run_parallel(const tre_tnfa_t * #ifdef TRE_USE_ALLOCA buf = alloca(total_bytes); #else /* !TRE_USE_ALLOCA */ - buf = xmalloc((unsigned)total_bytes); + buf = xmalloc(total_bytes); #endif /* !TRE_USE_ALLOCA */ if (buf == NULL) return REG_ESPACE; - memset(buf, 0, (size_t)total_bytes); + memset(buf, 0, total_bytes); /* Get the various pointers within tmp_buf (properly aligned). */ tmp_tags = (void *)buf;
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor