Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/external/bsd/tre/dist/lib Add missing integer overflow check...

details:   https://anonhg.NetBSD.org/src/rev/39c36121799c
branches:  trunk
changeset: 357642:39c36121799c
user:      rin <rin%NetBSD.org@localhost>
date:      Sun Nov 19 14:03:35 2017 +0000

description:
Add missing integer overflow checks to avoid out-of-bound write reported in
CVE-2016-8859, partially taken from musl libc:
https://git.musl-libc.org/cgit/musl/commit/src/regex/regexec.c?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7
https://git.musl-libc.org/cgit/musl/commit/src/regex/regexec.c?id=6582baa752a8facb2c8a7b5b3dcf67331429cdc1

diffstat:

 external/bsd/tre/dist/lib/tre-match-approx.c   |  10 ++++++++++
 external/bsd/tre/dist/lib/tre-match-parallel.c |  14 ++++++++++++++
 2 files changed, 24 insertions(+), 0 deletions(-)

diffs (44 lines):

diff -r 67ed00360b64 -r 39c36121799c external/bsd/tre/dist/lib/tre-match-approx.c
--- a/external/bsd/tre/dist/lib/tre-match-approx.c      Sun Nov 19 13:22:58 2017 +0000
+++ b/external/bsd/tre/dist/lib/tre-match-approx.c      Sun Nov 19 14:03:35 2017 +0000
@@ -252,6 +252,16 @@
      or with malloc() if alloca is unavailable. */
   {
     unsigned char *buf_cursor;
+
+    /* Ensure that tag_bytes*num_states cannot overflow, and that it don't
+     * contribute more than 1/8 of SIZE_MAX to total_bytes. */
+    if (num_tags > SIZE_MAX/(8 * sizeof(*tmp_tags) * tnfa->num_states))
+      return REG_ESPACE;
+
+    /* Likewise check reach_bytes. */
+    if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_next)))
+      return REG_ESPACE;
+
     /* Space needed for one array of tags. */
     size_t tag_bytes = sizeof(*tmp_tags) * num_tags;
     /* Space needed for one reach table. */
diff -r 67ed00360b64 -r 39c36121799c external/bsd/tre/dist/lib/tre-match-parallel.c
--- a/external/bsd/tre/dist/lib/tre-match-parallel.c    Sun Nov 19 13:22:58 2017 +0000
+++ b/external/bsd/tre/dist/lib/tre-match-parallel.c    Sun Nov 19 14:03:35 2017 +0000
@@ -141,6 +141,20 @@
   {
     size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
     char *tmp_buf;
+
+    /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
+     * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
+    if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
+      return REG_ESPACE;
+
+    /* Likewise check rbytes. */
+    if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
+      return REG_ESPACE;
+
+    /* Likewise check pbytes. */
+    if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
+      return REG_ESPACE;
+
     /* Compute the length of the block we need. */
     tbytes = sizeof(*tmp_tags) * num_tags;
     rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
Home | Main Index | Thread Index | Old Index