Module Name: src Committed By: rin Date: Sun Nov 19 14:03:35 UTC 2017
Modified Files: src/external/bsd/tre/dist/lib: tre-match-approx.c tre-match-parallel.c Log Message: Add missing integer overflow checks to avoid out-of-bound write reported in CVE-2016-8859, partially taken from musl libc: https://git.musl-libc.org/cgit/musl/commit/src/regex/regexec.c?id=c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 https://git.musl-libc.org/cgit/musl/commit/src/regex/regexec.c?id=6582baa752a8facb2c8a7b5b3dcf67331429cdc1 To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 src/external/bsd/tre/dist/lib/tre-match-approx.c \ src/external/bsd/tre/dist/lib/tre-match-parallel.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/external/bsd/tre/dist/lib/tre-match-approx.c
diff -u src/external/bsd/tre/dist/lib/tre-match-approx.c:1.4 src/external/bsd/tre/dist/lib/tre-match-approx.c:1.5
--- src/external/bsd/tre/dist/lib/tre-match-approx.c:1.4 Sun Nov 19 13:22:58 2017
+++ src/external/bsd/tre/dist/lib/tre-match-approx.c Sun Nov 19 14:03:35 2017
@@ -252,6 +252,16 @@ tre_tnfa_run_approx(const tre_tnfa_t *tn
 or with malloc() if alloca is unavailable. */
 {
 unsigned char *buf_cursor;
+
+ /* Ensure that tag_bytes*num_states cannot overflow, and that it don't
+ * contribute more than 1/8 of SIZE_MAX to total_bytes. */
+ if (num_tags > SIZE_MAX/(8 * sizeof(*tmp_tags) * tnfa->num_states))
+ return REG_ESPACE;
+
+ /* Likewise check reach_bytes. */
+ if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_next)))
+ return REG_ESPACE;
+
+ /* Space needed for one array of tags. */
 size_t tag_bytes = sizeof(*tmp_tags) * num_tags;
 /* Space needed for one reach table. */
Index: src/external/bsd/tre/dist/lib/tre-match-parallel.c
diff -u src/external/bsd/tre/dist/lib/tre-match-parallel.c:1.4 src/external/bsd/tre/dist/lib/tre-match-parallel.c:1.5
--- src/external/bsd/tre/dist/lib/tre-match-parallel.c:1.4 Sun Nov 19 13:22:58 2017
+++ src/external/bsd/tre/dist/lib/tre-match-parallel.c Sun Nov 19 14:03:35 2017
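Review bot: The divisor of the first added check, `8 * sizeof(*tmp_tags) * tnfa->num_states`, is evaluated before anything has bounded `tnfa->num_states`, so a zero value divides by zero and, on a 32-bit `size_t`, a very large value can wrap the product and let the guard pass. Running the `tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_next))` test first, extended to `if (tnfa->num_states <= 0 || tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_next))) return REG_ESPACE;`, keeps the later divisor non-zero and in range, provided `*reach_next` is at least as large as `*tmp_tags` (the declarations are outside the hunk). Whether a compiled TNFA can reach this point with zero states is not visible here, so that half of the guard is defensive. The first check in the tre-match-parallel.c hunk has the same ordering, and the body of tre_tnfa_run_approx continues outside the hunk.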
@@ -141,6 +141,20 @@ tre_tnfa_run_parallel(const tre_tnfa_t *
 {
 size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
 char *tmp_buf;
+
+ /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
+ * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
+ if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
+ return REG_ESPACE;
+
+ /* Likewise check rbytes. */
+ if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
+ return REG_ESPACE;
+
+ /* Likewise check pbytes. */
+ if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
+ return REG_ESPACE;
+
+ /* Compute the length of the block we need. */
 tbytes = sizeof(*tmp_tags) * num_tags;
 rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
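Review bot: The first guard hard-codes `sizeof(int)` while the allocation it protects is computed two lines further down as `tbytes = sizeof(*tmp_tags) * num_tags;`, so the check and the size only agree as long as `tmp_tags` points to `int`. Writing the guard as `if (num_tags > SIZE_MAX/(8 * sizeof(*tmp_tags) * tnfa->num_states))` matches the form used in the tre-match-approx.c hunk and keeps the bound tied to the real element type. If `xbytes` (computed outside the hunk) uses a different element size, a short comment naming which of the two sizes the guard is meant to cover would help. The rest of tre_tnfa_run_parallel, including the `xbytes` and `total_bytes` computation, lies outside the hunk.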