Vigil@nce - glibc: denial of service via regex
February 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When an attacker can transmit Unicode data to an application using
a regular expression, he can stop the application.
Impacted products: Unix (platform)
Severity: 1/4
Creation date: 30/01/2013
DESCRIPTION OF THE VULNERABILITY
The glibc implements the re_compile_pattern() and re_search()
functions, which respectively compile a regular expression and search
a string with it.
The "[^x]x" regular expression means: locate a character different
from 'x', followed by the 'x' character. The search for the first
character uses the get_subexp() function from the posix/regexec.c
file. This function calls the extend_buffers() function, which
doubles the buffer size when the input contains multibyte (Unicode)
characters. However, when the search string is composed of long
characters (for example "character_on_3_bytesx"), the reallocated
buffer is too short. The memset() function then initializes, with
zeros, a memory area located after the end of this buffer.
When an attacker can transmit Unicode data to an application using
a regular expression, he can therefore stop the application.
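The following regression check is an added example and is not part of the Vigil@nce bulletin or of glibc. It exercises the bulletin's "[^x]x" pattern through the POSIX regcomp()/regexec() interface against subject strings built from a 3-byte UTF-8 character (U+20AC, a constructed sample) repeated a growing number of times and followed by 'x'. The helper names build_subject(), pattern_matches() and run_regression() are this example's own. On a correct matcher every length matches and run_regression() returns the number of lengths tried; an affected matcher would instead corrupt memory, which is the failure a test suite running under a memory checker (for example valgrind or AddressSanitizer) is meant to surface before untrusted input reaches the application.

```c
#include <locale.h>
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Builds the constructed subject string: n copies of the 3-byte UTF-8
 * character U+20AC (bytes E2 82 AC) followed by a single 'x'.
 * The caller frees the result. */
char *build_subject(size_t n)
{
    static const char euro[] = "\xE2\x82\xAC";
    size_t len = n * 3 + 1;           /* multibyte run plus the trailing 'x' */
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    for (size_t i = 0; i < n; i++)
        memcpy(s + i * 3, euro, 3);
    s[len - 1] = 'x';
    s[len] = '\0';
    return s;
}

/* Compiles pattern as an extended regex and runs it over subject.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int pattern_matches(const char *pattern, const char *subject)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0 ? 1 : 0;
}

/* Runs "[^x]x" over subjects of 1, 2, 4, ... max_chars multibyte characters.
 * Returns how many of those lengths matched; a caller compares this with the
 * number of lengths tried. A buffer-sizing defect in the matcher shows up as
 * a crash or a memory-checker report rather than as a wrong count. */
int run_regression(size_t max_chars)
{
    int matched = 0;
    for (size_t n = 1; n <= max_chars; n *= 2) {
        char *subject = build_subject(n);
        if (!subject)
            break;
        if (pattern_matches("[^x]x", subject) == 1)
            matched++;
        free(subject);
    }
    return matched;
}

int main(void)
{
    /* A UTF-8 locale makes the matcher work on characters, which is the
     * code path the bulletin describes; without one, matching is byte-wise. */
    if (!setlocale(LC_ALL, "C.UTF-8") && !setlocale(LC_ALL, "en_US.UTF-8"))
        fprintf(stderr, "no UTF-8 locale available; matching byte-wise\n");
    printf("%d lengths matched\n", run_regression(4096));
    return 0;
}
```

Compile with `gcc -fsanitize=address -g regex_check.c -o regex_check` (file name assumed) and run it in a UTF-8 locale; with max_chars of 4096 the loop tries 13 lengths, so a healthy build prints "13 lengths matched" and the sanitizer stays silent.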
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/glibc-denial-of-service-via-regex-12358