oss-sec mailing list archives

Re: CVE Request - TRE & musl libc regex integer overflows in buffer size computations


From: cve-assign () mitre org
Date: Wed, 19 Oct 2016 17:34:12 -0400 (EDT)


Due to incorrect use of integer types and missing overflow checks in
the tre_tnfa_run_parallel function's buffer overflow logic, the TRE
regex implementation (both the original version and the one used in musl
libc) is subject to integer overflows in buffer size computation.

At least the num_states*num_tags multiplication can clearly
overflow in practice. For safety, check them all, and use the proper
type, size_t, rather than int.

Use CVE-2016-8859 for this entire report. We do not see a sensible way
in which the issue of an incorrect data type could be separated from
the issue of unchecked multiplication.


-    buf = xmalloc((unsigned)total_bytes);
+    buf = calloc(total_bytes, 1);
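Review bot: calloc returns NULL on allocation failure, whereas an xmalloc wrapper typically aborts, so the code following this hunk needs a NULL check on buf before the buffer is used. Removing the `(unsigned)` cast is the part that stops a large size_t total_bytes from being silently truncated at the call site; the switch to a zero-filled allocation is a separate behavioural change and is worth a sentence in the commit message.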

If this is a security fix, it would need a separate CVE ID.

-- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
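As an added illustration (not code from TRE, musl or the report itself), here is the size computation the report describes, written the way the reporter suggests, with size_t operands and a check on every multiplication and addition, beside the unchecked-then-cast pattern. The buffer layout assumed here (num_tags int slots per state plus one pointer per state) is a simplification chosen for the example and is not TRE's actual layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Checked multiply: returns 0 and leaves *out untouched on overflow. */
static int mul_sz(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Checked add, same contract. */
static int add_sz(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return 0;
    *out = a + b;
    return 1;
}

/* Pattern the report criticises: the product is never checked and an
   (unsigned) cast at the allocation site truncates a large size_t, so a
   huge request can come out as a tiny (even zero-byte) allocation. */
unsigned truncated_alloc_size(size_t num_states, size_t num_tags)
{
    size_t total = num_states * num_tags * sizeof(int); /* may wrap */
    return (unsigned)total;                             /* may truncate */
}

/* Safe version: every step checked; returns 0 if the size does not fit. */
int total_bytes_checked(size_t num_states, size_t num_tags, size_t *total)
{
    size_t tag_bytes, state_bytes;
    if (!mul_sz(num_states, num_tags, &tag_bytes)) return 0;
    if (!mul_sz(tag_bytes, sizeof(int), &tag_bytes)) return 0;
    if (!mul_sz(num_states, sizeof(void *), &state_bytes)) return 0;
    return add_sz(tag_bytes, state_bytes, total);
}

/* Refuse an overflowing size outright instead of allocating a short
   buffer; calloc signals ordinary allocation failure with NULL. */
void *alloc_run_buffers(size_t num_states, size_t num_tags)
{
    size_t total;
    if (!total_bytes_checked(num_states, num_tags, &total))
        return NULL;
    return calloc(total, 1);
}
```

The overflowing input in the test (num_states of SIZE_MAX/2+1 and two tags) wraps to a product of zero at either pointer width, so the unchecked path returns 0 bytes while the checked path rejects the request.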

