Date: Fri, 13 Feb 2015 18:39:26 -0600 From: Bryan Drewery <bdrewery@FreeBSD.org> To: Xin LI <delphij@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r278739 - head/lib/libc/regex Message-ID: <54DE993E.2050704@FreeBSD.org> In-Reply-To: <54DE98AC.6030309@FreeBSD.org> References: <201502140023.t1E0Nspc090570@svn.freebsd.org> <54DE98AC.6030309@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --XV4t4u5GLRr2JBPaELjg2ekmusK66dkmG Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable On 2/13/2015 6:37 PM, Bryan Drewery wrote: > On 2/13/2015 6:23 PM, Xin LI wrote: >> Author: delphij >> Date: Sat Feb 14 00:23:53 2015 >> New Revision: 278739 >> URL: https://svnweb.freebsd.org/changeset/base/278739 >> >> Log: >> Disallow pattern spaces which would cause intermediate calculations = to >> overflow size_t. >> =20 >> Obtained from: DragonFly (2841837793bd095a82f477e9c370cfe6cfb3862c d= illon) >> Security: CERT VU#695940 >> MFC after: 3 days >> >> Modified: >> head/lib/libc/regex/regcomp.c >> >> Modified: head/lib/libc/regex/regcomp.c >> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D >> --- head/lib/libc/regex/regcomp.c Sat Feb 14 00:03:43 2015 (r278738) >> +++ head/lib/libc/regex/regcomp.c Sat Feb 14 00:23:53 2015 (r278739) >> @@ -192,6 +192,7 @@ regcomp(regex_t * __restrict preg, >> struct parse *p =3D &pa; >> int i; >> size_t len; >> + size_t maxlen; >> #ifdef REDEBUG >> # define GOODFLAGS(f) (f) >> #else >> @@ -213,7 +214,23 @@ regcomp(regex_t * __restrict preg, >> g =3D (struct re_guts *)malloc(sizeof(struct re_guts)); >> if (g =3D=3D NULL) >> return(REG_ESPACE); >> + /* >> + * Limit the pattern space to avoid a 32-bit overflow on buffer >> + * extension. Also avoid any signed overflow in case of conversion >> + * so make the real limit based on a 31-bit overflow. >> + * >> + * Likely not applicable on 64-bit systems but handle the case >> + * generically (who are we to stop people from using ~715MB+ >> + * patterns?). >> + */ >> + maxlen =3D ((size_t)-1 >> 1) / sizeof(sop) * 2 / 3; >> + if (len >=3D maxlen) { >> + free((char *)g); >=20 > I was planning to submit a patch for review to remove all of this > casting / and discuss. To be clear, I only mean in free(3) calls. >=20 > In this example the malloc is casted to struct re_gets* but the free is= > casted to char *. Why different and why cast in free at all? >=20 >=20 >=20 --=20 Regards, Bryan Drewery --XV4t4u5GLRr2JBPaELjg2ekmusK66dkmG Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJU3pk+AAoJEDXXcbtuRpfP9ekH/3LbKjYD+FTCcFbK76jSwXia /EOPoJFpXT4IUV/PJqLh3F1BVZ0bKD0Q7niqSvkemw63bFnH5qRaYzhFLLv4+6ix hCeOrZo+dA+UPZ9utfXTv/TTOnLWX3z5BPR52GK84ISqZqWyO+Zb494o9iGJNZKy BAZsXPqj16Q68E7BNfN3aVbN6bGD0I1JV9bgJDnHgK00a9YUoiDffuD9lHVAZOay yMlokROC2rBGBKe01GuCp/xs3rHuw56oJLT86eqopzvrCvLvEv708W9nRuo5j3ML JMFlGKzbef1NDmXanfM4yDYF7fZOK/qZlSbBihes0AHn47DgWqy5bDI22eTa2b4= =utS4 -----END PGP SIGNATURE----- --XV4t4u5GLRr2JBPaELjg2ekmusK66dkmG--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54DE993E.2050704>