On 2/13/2015 6:37 PM, Bryan Drewery wrote: > On 2/13/2015 6:23 PM, Xin LI wrote: >> Author: delphij >> Date: Sat Feb 14 00:23:53 2015 >> New Revision: 278739 >> URL: https://svnweb.freebsd.org/changeset/base/278739 >> >> Log: >> Disallow pattern spaces which would cause intermediate calculations to >> overflow size_t. >> >> Obtained from: DragonFly (2841837793bd095a82f477e9c370cfe6cfb3862c >> dillon) >> Security: CERT VU#695940 >> MFC after: 3 days >> >> Modified: >> head/lib/libc/regex/regcomp.c >> >> Modified: head/lib/libc/regex/regcomp.c >> ============================================================================== >> --- head/lib/libc/regex/regcomp.c Sat Feb 14 00:03:43 2015 >> (r278738) >> +++ head/lib/libc/regex/regcomp.c Sat Feb 14 00:23:53 2015 >> (r278739) >> @@ -192,6 +192,7 @@ regcomp(regex_t * __restrict preg, >> struct parse *p = &pa; >> int i; >> size_t len; >> + size_t maxlen; >> #ifdef REDEBUG >> # define GOODFLAGS(f) (f) >> #else >> @@ -213,7 +214,23 @@ regcomp(regex_t * __restrict preg, >> g = (struct re_guts *)malloc(sizeof(struct re_guts)); >> if (g == NULL) >> return(REG_ESPACE); >> + /* >> + * Limit the pattern space to avoid a 32-bit overflow on buffer >> + * extension. Also avoid any signed overflow in case of conversion >> + * so make the real limit based on a 31-bit overflow. >> + * >> + * Likely not applicable on 64-bit systems but handle the case >> + * generically (who are we to stop people from using ~715MB+ >> + * patterns?). >> + */ >> + maxlen = ((size_t)-1 >> 1) / sizeof(sop) * 2 / 3; >> + if (len >= maxlen) { >> + free((char *)g); > > I was planning to submit a patch for review to remove all of this > casting / and discuss.
To be clear, I only mean in free(3) calls. > > In this example the malloc is casted to struct re_gets* but the free is > casted to char *. Why different and why cast in free at all? > > > -- Regards, Bryan Drewery
signature.asc
Description: OpenPGP digital signature
