Summary: | regcomp with REG_EXTENDED uses unbounded CPU or RAM | ||
---|---|---|---|
Product: | glibc | Reporter: | Kostya Serebryany <konstantin.s.serebryany> |
Component: | regex | Assignee: | Not yet assigned to anyone <unassigned> |
Status: | NEW --- | ||
Severity: | normal | CC: | bugdal, drepper.fsp, fweimer |
Priority: | P2 | Flags: | fweimer:
security-
|
Version: | 2.20 | ||
Target Milestone: | --- | ||
See Also: |
https://sourceware.org/bugzilla/show_bug.cgi?id=12896 https://sourceware.org/bugzilla/show_bug.cgi?id=18013 |
||
Host: | Target: | ||
Build: | Last reconfirmed: |
Description
Kostya Serebryany
2014-06-19 07:45:38 UTC
I'm guessing -9 got interpreted as (size_t)-9, in which case that many states are really needed in the compiled regex. This is why POSIX allows implementations to place a limit on the number of repetitions supported in {n,m} (IIRC only up to 256 need to be supported) and why glibc should make use of this allowance. Per our Security Exceptions, this is not a security bug: https://sourceware.org/glibc/wiki/Security%20Exceptions Also see the relatted bugs. |