Home Explore contacts
Sign In
LDA010
/
bug_ebuild
Watch 0
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
bug_ebuild
/
gentoo
/
sys-libs
/
musl
/
files
/
musl-1.1.15-CVE.patch

musl-1.1.15-CVE.patch 2.5 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Rich Felker <dalias@aerifal.cx>
    3. 

  3. Date: Thu, 06 Oct 2016 22:34:58 +0000
    4. 

  4. Subject: fix missing integer overflow checks in regexec buffer size computations
    5. 

  5. 

  6. most of the possible overflows were already ruled out in practice by
    7. 

  7. regcomp having already succeeded performing larger allocations.
    8. 

  8. however at least the num_states*num_tags multiplication can clearly
    9. 

  9. overflow in practice. for safety, check them all, and use the proper
    10. 

  10. type, size_t, rather than int.
    11. 

  11. 

  12. also improve comments, use calloc in place of malloc+memset, and
    13. 

  13. remove bogus casts.
    14. 

  14. ---
    15. 

  15. diff --git a/src/regex/regexec.c b/src/regex/regexec.c
    16. 

  16. index 16c5d0a..dd52319 100644
    17. 

  17. --- a/src/regex/regexec.c
    18. 

  18. +++ b/src/regex/regexec.c
    19. 

  19. @@ -34,6 +34,7 @@
    20. 

  20.  #include <wchar.h>
    21. 

  21.  #include <wctype.h>
    22. 

  22.  #include <limits.h>
    23. 

  23. +#include <stdint.h>
    24. 

  24.  
    25. 

  25.  #include <regex.h>
    26. 

  26.  
    27. 

  27. @@ -206,11 +207,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
    28. 

  28.  
    29. 

  29.    /* Allocate memory for temporary data required for matching.	This needs to
    30. 

  30.       be done for every matching operation to be thread safe.  This allocates
    31. 

  31. -     everything in a single large block from the stack frame using alloca()
    32. 

  32. -     or with malloc() if alloca is unavailable. */
    33. 

  33. +     everything in a single large block with calloc(). */
    34. 

  34.    {
    35. 

  35. -    int tbytes, rbytes, pbytes, xbytes, total_bytes;
    36. 

  36. +    size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
    37. 

  37.      char *tmp_buf;
    38. 

  38. +
    39. 

  39. +    /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
    40. 

  40. +     * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
    41. 

  41. +    if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
    42. 

  42. +      goto error_exit;
    43. 

  43. +
    44. 

  44. +    /* Likewise check rbytes. */
    45. 

  45. +    if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
    46. 

  46. +      goto error_exit;
    47. 

  47. +
    48. 

  48. +    /* Likewise check pbytes. */
    49. 

  49. +    if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
    50. 

  50. +      goto error_exit;
    51. 

  51. +
    52. 

  52.      /* Compute the length of the block we need. */
    53. 

  53.      tbytes = sizeof(*tmp_tags) * num_tags;
    54. 

  54.      rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
    55. 

  55. @@ -221,10 +235,9 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
    56. 

  56.        + (rbytes + xbytes * tnfa->num_states) * 2 + tbytes + pbytes;
    57. 

  57.  
    58. 

  58.      /* Allocate the memory. */
    59. 

  59. -    buf = xmalloc((unsigned)total_bytes);
    60. 

  60. +    buf = calloc(total_bytes, 1);
    61. 

  61.      if (buf == NULL)
    62. 

  62.        return REG_ESPACE;
    63. 

  63. -    memset(buf, 0, (size_t)total_bytes);
    64. 

  64.  
    65. 

  65.      /* Get the various pointers within tmp_buf (properly aligned). */
    66. 

  66.      tmp_tags = (void *)buf;
    67. 

  67. --
    68. 

  68. cgit v0.9.0.3-65-g4555
    69. 

  69.