Package: libc6
Version: 2.19-7
Severity: normal
Tags: patch
Dear Maintainer,
when the REG_STARTEND bit is set in eflags, regexec happily accepts
anything that is set as begin and end offset of the actual string in
rm_so and rm_eo. If undefined or set to implausible values, regexec
might take long computation times or even segfault, reproducer below,
tested in the amd64 architecture.
This happened with a certain program provided by Debian where a
programming error led to an rm_eo value of -1 and subsequently some
trouble. That application needs to be fixed of course, nevertheless
regexec should deal with such a situation in a sane way.
The fix might be as simple as (not tested)
--- a/posix/regexec.c
+++ b/posix/regexec.c
@@ -237,6 +237,8 @@ regexec (preg, string, nmatch, pmatch, eflags)
{
start = pmatch[0].rm_so;
length = pmatch[0].rm_eo;
+ if (start < 0 || length < 0 || length < start)
+ return REG_BADPAT;
}
else
{
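Review bot: REG_BADPAT, returned at the `+ return REG_BADPAT;` line, is the error code for an invalid regular expression, so a caller will read the failure as a defect in the compiled pattern rather than in pmatch[0]; since regexec has no dedicated code for out-of-range REG_STARTEND offsets, the choice needs a comment above the new `if` saying that the offset pair is being rejected as out of bounds, and the two added lines should be indented like the surrounding `start = ...;` / `length = ...;` assignments.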
Some remarks:
* Unless NUL characters are allowed in the string, an additional check
could validate both start and length against strlen (string).
* The "length" name is confusing, I guess that should be understood
as "end_offset".
* There is no documentation of REG_STARTEND in regex(3), so some
details are unclear.
* The reproducer also works for wheezy and squeeze.
Regards,
Christoph
Reproducer:
#include <sys/types.h>
#include <regex.h>

int main (int argc, char *argv[]) {
  regex_t rx;
  regmatch_t pmatch[1];
  (void) argc; (void) argv;
  regcomp(&rx, "a", REG_NEWLINE);
  /* Implausible offsets on purpose: this is what triggers the bug. */
  pmatch[0].rm_so = -223112792;
  pmatch[0].rm_eo = 32749;
  regexec(&rx, "b", 1, pmatch, REG_STARTEND);
  regfree(&rx);
  return 0;
}
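As an added illustration (not part of the report above), the following wrapper shows the check a calling program can apply itself until libc validates the offsets: it rejects a REG_STARTEND range whose rm_so or rm_eo is negative, inverted, or past the end of the buffer before regexec ever sees it. The names safe_regexec, startend_bounds_ok, run_case and the return code SAFE_REGEXEC_EBOUNDS are hypothetical; the caller supplies the real buffer length so the check also works for strings containing NUL bytes, which the remark about strlen (string) above cannot cover.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
#include <regex.h>

/* Hypothetical return code, distinct from every REG_* value, for a
   rejected REG_STARTEND offset pair. */
enum { SAFE_REGEXEC_EBOUNDS = -1 };

/* True when pmatch[0] describes a sane [rm_so, rm_eo) range inside a
   buffer of 'len' bytes.  An empty range (rm_so == rm_eo) is allowed. */
static int
startend_bounds_ok (const regmatch_t *pm, size_t len)
{
  if (pm->rm_so < 0 || pm->rm_eo < 0)
    return 0;                       /* negative offsets, as in the report */
  if (pm->rm_eo < pm->rm_so)
    return 0;                       /* end before start */
  if ((size_t) pm->rm_eo > len)
    return 0;                       /* range runs past the buffer */
  return 1;
}

/* regexec with the REG_STARTEND offsets validated against 'len', the real
   length of 'string' as known to the caller. */
int
safe_regexec (const regex_t *preg, const char *string, size_t len,
              size_t nmatch, regmatch_t pmatch[], int eflags)
{
  if (eflags & REG_STARTEND)
    {
      if (pmatch == NULL || !startend_bounds_ok (&pmatch[0], len))
        return SAFE_REGEXEC_EBOUNDS;
    }
  return regexec (preg, string, nmatch, pmatch, eflags);
}

/* Worked case: compile "a" and search 'subject' restricted to [so, eo).
   Returns the safe_regexec result, or -2 if the pattern fails to compile. */
int
run_case (const char *subject, regoff_t so, regoff_t eo)
{
  regex_t rx;
  regmatch_t pm[1];
  int rc;

  if (regcomp (&rx, "a", REG_NEWLINE) != 0)
    return -2;
  pm[0].rm_so = so;
  pm[0].rm_eo = eo;
  rc = safe_regexec (&rx, subject, strlen (subject), 1, pm, REG_STARTEND);
  regfree (&rx);
  return rc;
}

int
main (void)
{
  /* The reporter's offsets are refused before regexec runs; a valid
     range still matches or reports REG_NOMATCH as usual. */
  return run_case ("b", -223112792, 32749) == SAFE_REGEXEC_EBOUNDS
         && run_case ("xa", 0, 2) == 0
         && run_case ("xa", 0, 1) == REG_NOMATCH ? 0 : 1;
}
```

Passing the buffer length explicitly is the design choice that matters: a wrapper that derived it with strlen would silently accept a too-large rm_eo on any string containing an embedded NUL, which is exactly the case REG_STARTEND exists for.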
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.14.14 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Versions of packages libc6 depends on:
ii libgcc1 1:4.9.1-1
libc6 recommends no packages.
Versions of packages libc6 suggests:
ii debconf [debconf-2.0] 1.5.53
pn glibc-doc <none>
ii locales 2.19-7
-- debconf information excluded
Attachment:
signature.asc
Description: Digital signature