Boost C++ Libraries: Ticket #11472: Regex posix api reads from uninitialized memory
https://svn.boost.org/trac10/ticket/11472

<p>
By running the boost test suite through our tool, Pareon Verify, I got the following report:
</p>
<pre class="wiki">===== PAREON VERIFY =====
[M0203] Read(s) from uninitialized stack object detected:
  the read in function regcompW at /data/lessandro/boost-libcxx/libs/regex/src/wide_posix_api.cpp:81
    called from function main at /data/lessandro/boost-libcxx/libs/regex/test/c_compiler_checks/wide_posix_api_check.cpp:44
    called from function main_thread
  performed 1 access(es) of size 4 at the start of the stack object of size 40
  allocated as `re' in function main at /data/lessandro/boost-libcxx/libs/regex/test/c_compiler_checks/wide_posix_api_check.cpp:42
    called from function main_thread
  and the resulting value is used in evaluating the condition in function regcompW at /data/lessandro/boost-libcxx/libs/regex/src/wide_posix_api.cpp:81
    called from function main at /data/lessandro/boost-libcxx/libs/regex/test/c_compiler_checks/wide_posix_api_check.cpp:44
    called from function main_thread
</pre>
<p>
While this bug is harmless in that specific file (wide_posix_api_check.cpp), it does reveal an important design problem in the regex library: the use of magic values to determine if a struct has been initialized or not.
</p>
<p>
If an attacker is able to control the contents of the stack prior to the execution of regcomp, they could exploit this bug and cause a denial of service in the program.
</p>
<p>
For example, consider the following snippet, which fills the stack with the magic value and causes a crash when the program is executed.
</p>
<pre class="wiki">#include &lt;boost/regex.h&gt;

void f()
{
    // user-modifiable data: leaves the magic value 25631 in stack memory
    unsigned int s[64];
    for (int i = 0; i &lt; 64; i++)
        s[i] = 25631;
}

void g()
{
    regex_t re;                  // uninitialized; reuses the stack f() just wrote
    regcomp(&amp;re, "test", 0);
    regfree(&amp;re);
}

int main()
{
    f();
    g();
    return 0;
}
</pre>
<p>
The safest thing to do is to assume that the struct is always uninitialized, and never read before writing in regcomp.
</p>

John Maddock Fri, 25 Sep 2015 16:09:04 GMT status changed; resolution set
https://svn.boost.org/trac10/ticket/11472#comment:1
<ul>
<li><strong>status</strong> <span class="trac-field-old">new</span> → <span class="trac-field-new">closed</span></li>
<li><strong>resolution</strong> → <span class="trac-field-new">fixed</span></li>
</ul>
<p>
Fixed in <a class="ext-link" href="https://github.com/boostorg/regex/commit/d8c95a995098358b72d09ca589f0b8df1a9bf628">https://github.com/boostorg/regex/commit/d8c95a995098358b72d09ca589f0b8df1a9bf628</a>
</p>
<p>
Thanks, John.
</p>
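The design point the reporter makes, that a sentinel read from a struct the caller may never have written is not evidence of anything, shown side by side with the write-first alternative as an added C example. This is not Boost's code and not the ticket's snippet: `struct re_handle`, `RE_MAGIC`, `compile_magic_check`, `compile_write_first` and `release` are hypothetical names. The example pre-fills the struct deliberately to stand in for stack residue (reading truly uninitialised memory is undefined behaviour and would not give a repeatable result), and it records rather than performs the `free()` of a garbage pointer that would crash a real implementation.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical regex handle used only for this demonstration; it is not the
   layout of Boost's regex_t. The sentinel mirrors the magic-value scheme the
   ticket criticises (25631 is the value the reporter fills the stack with). */
#define RE_MAGIC 25631u

struct re_handle {
    unsigned int magic;   /* sentinel meant to say "already initialised" */
    char        *pattern; /* heap copy of the pattern, stand-in for real state */
};

static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Magic-value design: decides from the struct's current contents whether old
   state must be released before compiling. Returns 1 when it believed the
   handle was live. On a handle that was never initialised that decision is
   made from garbage; real code would free() the stale pointer here, which is
   the crash the ticket describes. */
int compile_magic_check(struct re_handle *re, const char *pattern)
{
    int treated_as_live = 0;
    if (re->magic == RE_MAGIC) {   /* read-before-write: undefined on a fresh handle */
        treated_as_live = 1;       /* real code: free(re->pattern) on a garbage pointer */
    }
    re->magic   = RE_MAGIC;
    re->pattern = dup_string(pattern);
    return treated_as_live;
}

/* Hardened design: the caller's struct is assumed uninitialised, so every
   field is written before anything is read. Returns 1 on success. */
int compile_write_first(struct re_handle *re, const char *pattern)
{
    memset(re, 0, sizeof *re);     /* no decision depends on prior contents */
    re->pattern = dup_string(pattern);
    if (!re->pattern)
        return 0;
    re->magic = RE_MAGIC;
    return 1;
}

void release(struct re_handle *re)
{
    free(re->pattern);
    memset(re, 0, sizeof *re);     /* leave no sentinel behind for the next user */
}

/* Deterministic stand-in for the ticket's scenario: a handle whose bytes
   already hold the magic value before the first compile (constructed residue). */
static void fill_with_residue(struct re_handle *re)
{
    static char not_heap[] = "stack residue";
    re->magic   = RE_MAGIC;
    re->pattern = not_heap;        /* a pointer that must never reach free() */
}

/* 1 if the magic-value design mistook residue for a live handle. */
int magic_check_misfires(void)
{
    struct re_handle re;
    fill_with_residue(&re);
    int misfire = compile_magic_check(&re, "test");
    release(&re);                  /* safe: compile_* replaced the garbage pointer */
    return misfire;
}

/* 1 if the write-first design compiled correctly despite the same residue. */
int write_first_is_robust(void)
{
    struct re_handle re;
    fill_with_residue(&re);
    int ok = compile_write_first(&re, "test") && strcmp(re.pattern, "test") == 0;
    release(&re);
    return ok;
}
```

`magic_check_misfires()` returns 1 because the sentinel check cannot tell a live handle from residue that happens to contain the same bits; `write_first_is_robust()` returns 1 because nothing in the hardened path depends on what the caller's memory held. The same reasoning is why the fix described in the ticket is to stop reading the struct before `regcomp` has written it, rather than to pick a less guessable magic number.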