Date: Fri, 13 Feb 2015 18:39:26 -0600 From: Bryan Drewery <bdrewery@FreeBSD.org> To: Xin LI <delphij@FreeBSD.org>, src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: Re: svn commit: r278739 - head/lib/libc/regex Message-ID: <54DE993E.2050704@FreeBSD.org> In-Reply-To: <54DE98AC.6030309@FreeBSD.org> References: <201502140023.t1E0Nspc090570@svn.freebsd.org> <54DE98AC.6030309@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help
[-- Attachment #1 --] On 2/13/2015 6:37 PM, Bryan Drewery wrote: > On 2/13/2015 6:23 PM, Xin LI wrote: >> Author: delphij >> Date: Sat Feb 14 00:23:53 2015 >> New Revision: 278739 >> URL: https://svnweb.freebsd.org/changeset/base/278739 >> >> Log: >> Disallow pattern spaces which would cause intermediate calculations to >> overflow size_t. >> >> Obtained from: DragonFly (2841837793bd095a82f477e9c370cfe6cfb3862c dillon) >> Security: CERT VU#695940 >> MFC after: 3 days >> >> Modified: >> head/lib/libc/regex/regcomp.c >> >> Modified: head/lib/libc/regex/regcomp.c >> ============================================================================== >> --- head/lib/libc/regex/regcomp.c Sat Feb 14 00:03:43 2015 (r278738) >> +++ head/lib/libc/regex/regcomp.c Sat Feb 14 00:23:53 2015 (r278739) >> @@ -192,6 +192,7 @@ regcomp(regex_t * __restrict preg, >> struct parse *p = &pa; >> int i; >> size_t len; >> + size_t maxlen; >> #ifdef REDEBUG >> # define GOODFLAGS(f) (f) >> #else >> @@ -213,7 +214,23 @@ regcomp(regex_t * __restrict preg, >> g = (struct re_guts *)malloc(sizeof(struct re_guts)); >> if (g == NULL) >> return(REG_ESPACE); >> + /* >> + * Limit the pattern space to avoid a 32-bit overflow on buffer >> + * extension. Also avoid any signed overflow in case of conversion >> + * so make the real limit based on a 31-bit overflow. >> + * >> + * Likely not applicable on 64-bit systems but handle the case >> + * generically (who are we to stop people from using ~715MB+ >> + * patterns?). >> + */ >> + maxlen = ((size_t)-1 >> 1) / sizeof(sop) * 2 / 3; >> + if (len >= maxlen) { >> + free((char *)g); > > I was planning to submit a patch for review to remove all of this > casting / and discuss. To be clear, I only mean in free(3) calls. > > In this example the malloc is casted to struct re_gets* but the free is > casted to char *. Why different and why cast in free at all? > > > -- Regards, Bryan Drewery [-- Attachment #2 --] -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBAgAGBQJU3pk+AAoJEDXXcbtuRpfP9ekH/3LbKjYD+FTCcFbK76jSwXia /EOPoJFpXT4IUV/PJqLh3F1BVZ0bKD0Q7niqSvkemw63bFnH5qRaYzhFLLv4+6ix hCeOrZo+dA+UPZ9utfXTv/TTOnLWX3z5BPR52GK84ISqZqWyO+Zb494o9iGJNZKy BAZsXPqj16Q68E7BNfN3aVbN6bGD0I1JV9bgJDnHgK00a9YUoiDffuD9lHVAZOay yMlokROC2rBGBKe01GuCp/xs3rHuw56oJLT86eqopzvrCvLvEv708W9nRuo5j3ML JMFlGKzbef1NDmXanfM4yDYF7fZOK/qZlSbBihes0AHn47DgWqy5bDI22eTa2b4= =utS4 -----END PGP SIGNATURE-----
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54DE993E.2050704>