109 lines
3.2 KiB
Diff
109 lines
3.2 KiB
Diff
From cdefe642dc2e6b5b8e6703773934813f317bc488 Mon Sep 17 00:00:00 2001
|
|
From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
|
|
Date: Thu, 4 Jul 2019 17:01:53 +0000
|
|
Subject: [PATCH] Check for integer overflow when computing lookbehind lengths.
|
|
Fixes Clusterfuzz issue 13656.
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1126 6239d852-aaf2-0410-a92c-79f79f948069
|
|
Petr Písař: Ported to 10.33.
|
|
|
|
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
---
|
|
src/pcre2_compile.c | 38 ++++++++++++++++++++++++++++----------
|
|
testdata/testinput2 | 2 ++
|
|
testdata/testoutput2 | 3 +++
|
|
3 files changed, 33 insertions(+), 10 deletions(-)
|
|
|
|
diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
|
|
index c82c6ca..f6e0a0b 100644
|
|
--- a/src/pcre2_compile.c
|
|
+++ b/src/pcre2_compile.c
|
|
@@ -9197,8 +9197,26 @@ for (;; pptr++)
|
|
case META_MINMAX_QUERY:
|
|
if (pptr[1] == pptr[2])
|
|
{
|
|
- if (pptr[1] == 0) branchlength -= lastitemlength;
|
|
- else itemlength = (pptr[1] - 1) * lastitemlength;
|
|
+ switch(pptr[1])
|
|
+ {
|
|
+ case 0:
|
|
+ branchlength -= lastitemlength;
|
|
+ break;
|
|
+
|
|
+ case 1:
|
|
+ itemlength = 0;
|
|
+ break;
|
|
+
|
|
+ default: /* Check for integer overflow */
|
|
+ if (lastitemlength != 0 && /* Should not occur, but just in case */
|
|
+ INT_MAX/lastitemlength < pptr[1] - 1)
|
|
+ {
|
|
+ *errcodeptr = ERR87; /* Integer overflow; lookbehind too big */
|
|
+ return -1;
|
|
+ }
|
|
+ itemlength = (pptr[1] - 1) * lastitemlength;
|
|
+ break;
|
|
+ }
|
|
pptr += 2;
|
|
break;
|
|
}
|
|
@@ -9212,19 +9230,19 @@ for (;; pptr++)
|
|
return -1;
|
|
}
|
|
|
|
- /* Add the item length to the branchlength, and save it for use if the next
|
|
- thing is a quantifier. */
|
|
-
|
|
- branchlength += itemlength;
|
|
- lastitemlength = itemlength;
|
|
-
|
|
- /* Ensure that the length does not overflow the limit. */
|
|
+ /* Add the item length to the branchlength, checking for integer overflow and
|
|
+ for the branch length exceeding the limit. */
|
|
|
|
- if (branchlength > LOOKBEHIND_MAX)
|
|
+ if (INT_MAX - branchlength < (int)itemlength ||
|
|
+ (branchlength += itemlength) > LOOKBEHIND_MAX)
|
|
{
|
|
*errcodeptr = ERR87;
|
|
return -1;
|
|
}
|
|
+
|
|
+ /* Save this item length for use if the next item is a quantifier. */
|
|
+
|
|
+ lastitemlength = itemlength;
|
|
}
|
|
|
|
EXIT:
|
|
diff --git a/testdata/testinput2 b/testdata/testinput2
|
|
index 8a98f94..079d6d8 100644
|
|
--- a/testdata/testinput2
|
|
+++ b/testdata/testinput2
|
|
@@ -5591,4 +5591,6 @@ a)"xI
|
|
|
|
/\[()]{65535}(?<A>)/expand
|
|
|
|
+/( {32742} {42})(?<!\1{65481})/
|
|
+
|
|
# End of testinput2
|
|
diff --git a/testdata/testoutput2 b/testdata/testoutput2
|
|
index 158fbad..bfe61a3 100644
|
|
--- a/testdata/testoutput2
|
|
+++ b/testdata/testoutput2
|
|
@@ -16940,6 +16940,9 @@ Failed: error 197 at offset 131071: too many capturing groups (maximum 65535)
|
|
/\[()]{65535}(?<A>)/expand
|
|
Failed: error 197 at offset 131075: too many capturing groups (maximum 65535)
|
|
|
|
+/( {32742} {42})(?<!\1{65481})/
|
|
+Failed: error 187 at offset 15: lookbehind assertion is too long
|
|
+
|
|
# End of testinput2
|
|
Error -70: PCRE2_ERROR_BADDATA (unknown error number)
|
|
Error -62: bad serialized data
|
|
--
|
|
2.20.1
|
|
|