[CVE-2017-11912] Regex construction can depend on unintialized memory…
… and leak stack contents
Penguinwizzard authored and MikeHolman committed Dec 7, 2017
1 parent 40232a4 commit 1e7fa7b
Showing 2 changed files with 26 additions and 5 deletions.
27 changes: 25 additions & 2 deletions lib/Parser/RegexCompileTime.cpp
Expand Up @@ -1173,7 +1173,17 @@ namespace UnifiedRegex
{
if ((compiler.program->flags & IgnoreCaseRegexFlag) != 0)
{
Char equivs[CaseInsensitive::EquivClassSize];
// To ensure initialization, we first default-initialize the
// whole array with a constant, and then individually set it
// to be just the first character (known to exist). This can
// hopefully be optimized to just initialize to cs[0] by the
// compiler.
Char equivs[CaseInsensitive::EquivClassSize] = { (Char)-1 };
for (int i = 0; i < CaseInsensitive::EquivClassSize; i++)
{
equivs[i] = cs[0];

}
bool isNonTrivial = compiler.standardChars->ToEquivs(compiler.program->GetCaseMappingSource(), cs[0], equivs);
if (isNonTrivial)
{
Expand Down Expand Up @@ -1279,10 +1289,23 @@ namespace UnifiedRegex
{
if (isEquivClass)
{
Char uniqueEquivs[CaseInsensitive::EquivClassSize];
// To ensure initialization, we first default-initialize the
// whole array with a constant, and then individually set it
// to be just the first character (known to exist). This can
// hopefully be optimized to just initialize to cs[0] by the
// compiler.
Char uniqueEquivs[CaseInsensitive::EquivClassSize] = { (Char)-1 };
for (int i = 0; i < CaseInsensitive::EquivClassSize; i++)
{
uniqueEquivs[i] = cs[0];
}
CharCount uniqueEquivCount = FindUniqueEquivs(cs, uniqueEquivs);
switch (uniqueEquivCount)
{
case 1:
EMIT(compiler, MatchCharInst, uniqueEquivs[0]);
break;

case 2:
EMIT(compiler, MatchChar2Inst, uniqueEquivs[0], uniqueEquivs[1]);
break;
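Review bot: The aggregate initializer `= { (Char)-1 }` on the new `equivs` declaration is dead code: it sets element 0 to -1 and value-initializes the remaining elements to 0, and the loop directly below then overwrites every slot with `cs[0]`, so the comment's claim that it "default-initialize[s] the whole array with a constant" does not describe what the initializer does. Either drop the initializer and keep the loop, or replace the comment with the invariant the loop actually establishes, e.g. `// Fill every slot with cs[0] so that any slot ToEquivs presumably leaves unwritten still holds a valid character rather than stack contents.` The same initializer, comment and loop are duplicated for `uniqueEquivs` in the second hunk ahead of FindUniqueEquivs and would take the same treatment, or a single shared fill helper. The first loop body also carries a stray blank line before its closing brace. The enclosing function starts and ends outside each hunk.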
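--- a/lib/Parser/RegexCompileTime.h
+++ b/lib/Parser/RegexCompileTime.h
@@ -374,10 +374,8 @@ namespace UnifiedRegex
 , isEquivClass(false)
 {
 cs[0] = c;
-#if DBG
 for (int i = 1; i < CaseInsensitive::EquivClassSize; i++)
-cs[i] = (Char)-1;
-#endif
+cs[i] = c;
 }
 
 NODE_DECL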
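Review bot: The constructor now fills every `cs[i]` with `c` in all builds, but nothing in the hunk records why a copy of the first character is the fill value rather than the old `(Char)-1` debug sentinel, and the removed `#if DBG` guard means release builds performed no fill at all before this change. A one-line comment on the loop would keep that reasoning with the code, e.g. `// Fill unused slots with c so that reads beyond the real equivalence count see a valid character, never stack contents.` The -1 sentinel previously made such an over-read visible in debug builds; with `c` in every slot that kind of bug is now silent, so an assertion on the slot count where the array is consumed (presumably ToEquivs/FindUniqueEquivs in RegexCompileTime.cpp) may be worth adding. The enclosing constructor starts outside the hunk.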
