From: David Ramos
To: bind9-bugs@isc.org
Subject: sign extension bug in isc_regex_validate
Date: Sun, 13 Apr 2014 17:39:46 -0700
Message-ID: <3B0D8510-F414-4606-BDFB-E5B0F54F08C9@stanford.edu>

Hello,

Our UC-KLEE tool found a char-sign-extension bug in isc_regex_validate(), which may cause it to improperly accept or reject a regular expression depending on whether the compiler treated chars as signed or unsigned (either is allowed under the C specification).

The offending code is in isc_regex_validate (lib/isc/regex.c) on line 258 in the latest git v9_9 HEAD:

    if (range == 2 && *c < range_start)

Some example inputs where the above condition may evaluate to true or false depending on the compiler are:

    \x5c-\x80
    \x83-\x02

The simplest fix is probably to change 'c' to an unsigned char, and possibly range_start to an unsigned int.

Thanks,
-David
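
The comparison described in the report, as an added example that is not part of the original message or of BIND's source: it evaluates the "end byte < start byte" range check under both char signedness models for the two reported inputs, next to a form that converts through unsigned char first. All function names are hypothetical, and it assumes range_start holds an earlier byte read through the same char type.

```c
#include <stdio.h>

/* Value a byte takes when read through a signed plain char
 * (two's complement): 0x80..0xff map to -128..-1. */
static int as_signed(unsigned char b) {
    return b >= 0x80 ? (int)b - 256 : (int)b;
}

/* Models "*c < range_start" as a signed-char compiler evaluates it.
 * Assumption: range_start was filled from an earlier byte the same way. */
static int reversed_if_signed(unsigned char start, unsigned char end) {
    return as_signed(end) < as_signed(start);
}

/* The same comparison as an unsigned-char compiler evaluates it. */
static int reversed_if_unsigned(unsigned char start, unsigned char end) {
    return (int)end < (int)start;
}

/* Portable form: convert through unsigned char before comparing, so the
 * verdict no longer depends on the signedness of plain char. */
static int reversed_portable(char start, char end) {
    return (unsigned char)end < (unsigned char)start;
}

int main(void) {
    /* Range endpoints from the report, plus an ASCII control case. */
    static const unsigned char cases[][2] = {
        {0x5c, 0x80}, {0x83, 0x02}, {'a', 'z'}
    };
    unsigned i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned char s = cases[i][0], e = cases[i][1];
        printf("\\x%02x-\\x%02x  signed=%d unsigned=%d portable=%d\n",
               (unsigned)s, (unsigned)e,
               reversed_if_signed(s, e), reversed_if_unsigned(s, e),
               reversed_portable((char)s, (char)e));
    }
    return 0;
}
```

A 1 means the range is treated as reversed (end below start); the two reported inputs get opposite verdicts under the two signedness models, while the ASCII range does not.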