main/musl: fix missing int overflow checks in regex

Conflicts: main/musl/APKBUILD
author: Natanael Copa <ncopa@alpinelinux.org> 2016-10-19 09:49:32 +0200
committer: Natanael Copa <ncopa@alpinelinux.org> 2016-10-19 11:25:57 +0000
commit: 0edbd3bb4c1e62998cd1a1f1ef66984d95ba6e9a (patch)
tree: 3ac3c9d8b22182154d9e3216a4fd9029874ba6fe
parent: 27d1714445344187452f08bceb087569e9f43c2b (diff)
download: aports-0edbd3bb4c1e62998cd1a1f1ef66984d95ba6e9a.tar.bz2
aports-0edbd3bb4c1e62998cd1a1f1ef66984d95ba6e9a.tar.xz
2 files changed, 78 insertions, 1 deletions
diff --git a/main/musl/0001-fix-missing-integer-overflow-checks-in-regexec-buffe.patch b/main/musl/0001-fix-missing-integer-overflow-checks-in-regexec-buffe.patch
new file mode 100644
index 0000000000..2b8316c389
--- /dev/null
+++ b/main/musl/0001-fix-missing-integer-overflow-checks-in-regexec-buffe.patch
@@ -0,0 +1,73 @@
+From c3edc06d1e1360f3570db9155d6b318ae0d0f0f7 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Thu, 6 Oct 2016 18:34:58 -0400
+Subject: [PATCH] fix missing integer overflow checks in regexec buffer size
+ computations
+
+most of the possible overflows were already ruled out in practice by
+regcomp having already succeeded performing larger allocations.
+however at least the num_states*num_tags multiplication can clearly
+overflow in practice. for safety, check them all, and use the proper
+type, size_t, rather than int.
+
+also improve comments, use calloc in place of malloc+memset, and
+remove bogus casts.
+---
+ src/regex/regexec.c | 23 ++++++++++++++++++-----
+ 1 file changed, 18 insertions(+), 5 deletions(-)
+
+diff --git a/src/regex/regexec.c b/src/regex/regexec.c
+index 16c5d0a..dd52319 100644
+--- a/src/regex/regexec.c
++++ b/src/regex/regexec.c
+@@ -34,6 +34,7 @@
+ #include <wchar.h>
+ #include <wctype.h>
+ #include <limits.h>
++#include <stdint.h>
+ 
+ #include <regex.h>
+ 
+@@ -206,11 +207,24 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
+ 
+   /* Allocate memory for temporary data required for matching.	This needs to
+      be done for every matching operation to be thread safe.  This allocates
+-     everything in a single large block from the stack frame using alloca()
+-     or with malloc() if alloca is unavailable. */
++     everything in a single large block with calloc(). */
+   {
+-    int tbytes, rbytes, pbytes, xbytes, total_bytes;
++    size_t tbytes, rbytes, pbytes, xbytes, total_bytes;
+     char *tmp_buf;
++
++    /* Ensure that tbytes and xbytes*num_states cannot overflow, and that
++     * they don't contribute more than 1/8 of SIZE_MAX to total_bytes. */
++    if (num_tags > SIZE_MAX/(8 * sizeof(int) * tnfa->num_states))
++      goto error_exit;
++
++    /* Likewise check rbytes. */
++    if (tnfa->num_states+1 > SIZE_MAX/(8 * sizeof(*reach_next)))
++      goto error_exit;
++
++    /* Likewise check pbytes. */
++    if (tnfa->num_states > SIZE_MAX/(8 * sizeof(*reach_pos)))
++      goto error_exit;
++
+     /* Compute the length of the block we need. */
+     tbytes = sizeof(*tmp_tags) * num_tags;
+     rbytes = sizeof(*reach_next) * (tnfa->num_states + 1);
+@@ -221,10 +235,9 @@ tre_tnfa_run_parallel(const tre_tnfa_t *tnfa, const void *string,
+       + (rbytes + xbytes * tnfa->num_states) * 2 + tbytes + pbytes;
+ 
+     /* Allocate the memory. */
+-    buf = xmalloc((unsigned)total_bytes);
++    buf = calloc(total_bytes, 1);
+     if (buf == NULL)
+       return REG_ESPACE;
+-    memset(buf, 0, (size_t)total_bytes);
+ 
+     /* Get the various pointers within tmp_buf (properly aligned). */
+     tmp_tags = (void *)buf;
+-- 
+2.10.0
+
diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD
index d50f884415..4c64976b48 100644
--- a/main/musl/APKBUILD
+++ b/main/musl/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Timo Teräs <timo.teras@iki.fi>
 pkgname=musl
 pkgver=1.1.5
-pkgrel=4
+pkgrel=5
 pkgdesc="the musl c library (libc) implementation"
 url="http://www.musl-libc.org/"
 arch="all"
@@ -44,6 +44,7 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
 	0030-fix-memory-corruption-in-regcomp-with-backslash-foll.patch
 	0031-suppress-backref-processing-in-ERE-regcomp.patch
 	0032-fix-internal-buffer-overrun-in-inet_pton.patch
+	0001-fix-missing-integer-overflow-checks-in-regexec-buffe.patch
 
 	ldconfig
 	getopt_long.c
@@ -179,6 +180,7 @@ c65cd4b058ea1a2c6dbaaff5c29fd0ba  0027-fix-fd-leak-race-missing-O_CLOEXEC-in-fch
 ca2d1b1283b15df595950d0ba63b9e90  0030-fix-memory-corruption-in-regcomp-with-backslash-foll.patch
 d2c8268e812b8c40860eecfaca077959  0031-suppress-backref-processing-in-ERE-regcomp.patch
 f99a4519a796a56360a203723c1dff0e  0032-fix-internal-buffer-overrun-in-inet_pton.patch
+fe6de41e930775994f64b772f1fdc45c  0001-fix-missing-integer-overflow-checks-in-regexec-buffe.patch
 830d01f7821b978df770b06db3790921  ldconfig
 61c6c1e84ed1df82abbe6d75e90cf21c  getopt_long.c
 0df687757221bbb0fc1aa67f1bd646f9  __stack_chk_fail_local.c
@@ -218,6 +220,7 @@ a251a236d4e1d63048b75a5b152ad90dac6e8366e53319edd14a8b641e893175  0027-fix-fd-le
 618af64186986b8fe2e1f8c31745da9d2a3f5fc213cfe23efcc2c7e5f4572129  0030-fix-memory-corruption-in-regcomp-with-backslash-foll.patch
 4a733c74d3b7b1986e3770fbbd2d0d5d5f1144b3104fe9aaab4580b8ab67fe67  0031-suppress-backref-processing-in-ERE-regcomp.patch
 2362acd6c14977072d25a205190277c25edc0d32396a5bca5eab8d88894ac654  0032-fix-internal-buffer-overrun-in-inet_pton.patch
+cec3fdd3a90f153a2c5a5d22ffd7429c14ecb105259a9c2540e46db6cfe71b55  0001-fix-missing-integer-overflow-checks-in-regexec-buffe.patch
 b4a2c06db38742e8c42c3c9838b285a7d8cdac6c091ff3df5ff9a15f1e41b9c7  ldconfig
 d9b644ec20bc33e81a7c52b9fcf7973d835923a69faf50f03db45534b811bd96  getopt_long.c
 299a7d75a09de3e2e11e7fb4acc3182e4a14e868093d2f30938fce9bfcff13da  __stack_chk_fail_local.c
@@ -257,6 +260,7 @@ d64cb02502263f62b496be906824e6090296c53002a6195f1f364e951807a63132ac6926d2a3bf36
 0a9ae94be997ef5218e2759ead181733270a415822c64a7b539a571fe4c8e3b148e527ec3ef3dfea8937df741a6685b38d3dd0a8eb9a14a9f904e19a79735965  0030-fix-memory-corruption-in-regcomp-with-backslash-foll.patch
 7f13fcfb7e0a834fb7499805ace8a95ab7e930cd947d2b6749107d0cf80b207dfb0ab52210f0850f15c794cb011e3477b647a9a8e6cba96a2c4b13f0890d00c4  0031-suppress-backref-processing-in-ERE-regcomp.patch
 0e978f001e8339f22c3fe09bd4f40227978db922b353559e2f052f81641b289510b9f344dd71f7205e8463ce0a1da01ebb8445089cf822c6d6996eb3e37e0eac  0032-fix-internal-buffer-overrun-in-inet_pton.patch
+6376167c67fdd22c0c4476fc38ff89ae3ce46435f72d7c506460944dd8f7d9153eed9696738dff5b320f09b474964f2a57394530eb40197ad58a6956e87e68ff  0001-fix-missing-integer-overflow-checks-in-regexec-buffe.patch
 8d3a2d5315fc56fee7da9abb8b89bb38c6046c33d154c10d168fb35bfde6b0cf9f13042a3bceee34daf091bc409d699223735dcf19f382eeee1f6be34154f26f  ldconfig
 140f3f20d30bd95ebce8c41b8cc7f616c6cbedf4ea06c729c21014e74f6043796825cc40ebc5180620ea38173afdba23f09ebf6d8b11fa05440b14d23764fca9  getopt_long.c
 062bb49fa54839010acd4af113e20f7263dde1c8a2ca359b5fb2661ef9ed9d84a0f7c3bc10c25dcfa10bb3c5a4874588dff636ac43d5dbb3d748d75400756d0b  __stack_chk_fail_local.c
author	Natanael Copa <ncopa@alpinelinux.org>	2016-10-19 09:49:32 +0200
committer	Natanael Copa <ncopa@alpinelinux.org>	2016-10-19 11:25:57 +0000
commit	0edbd3bb4c1e62998cd1a1f1ef66984d95ba6e9a (patch)
tree	3ac3c9d8b22182154d9e3216a4fd9029874ba6fe
parent	27d1714445344187452f08bceb087569e9f43c2b (diff)
download	aports-0edbd3bb4c1e62998cd1a1f1ef66984d95ba6e9a.tar.bz2 aports-0edbd3bb4c1e62998cd1a1f1ef66984d95ba6e9a.tar.xz