Check for integer overflow when computing lookbehind lengths. Fixes Clusterfuzz
issue 13656.
parent
a5c601091e
commit
2e06fdcdc1
|
@ -85,6 +85,9 @@ otherwise), an atomic group, or a recursion.
|
|||
|
||||
16. Give error if pcre2test -t, -T, -tm or -TM is given an argument of zero.
|
||||
|
||||
17. Check for integer overflow when computing lookbehind lengths. Fixes
|
||||
Clusterfuzz issue 15636.
|
||||
|
||||
|
||||
Version 10.33 16-April-2019
|
||||
---------------------------
|
||||
|
|
|
@ -9269,8 +9269,26 @@ for (;; pptr++)
|
|||
case META_MINMAX_QUERY:
|
||||
if (pptr[1] == pptr[2])
|
||||
{
|
||||
if (pptr[1] == 0) branchlength -= lastitemlength;
|
||||
else itemlength = (pptr[1] - 1) * lastitemlength;
|
||||
switch(pptr[1])
|
||||
{
|
||||
case 0:
|
||||
branchlength -= lastitemlength;
|
||||
break;
|
||||
|
||||
case 1:
|
||||
itemlength = 0;
|
||||
break;
|
||||
|
||||
default: /* Check for integer overflow */
|
||||
if (lastitemlength != 0 && /* Should not occur, but just in case */
|
||||
INT_MAX/lastitemlength < pptr[1] - 1)
|
||||
{
|
||||
*errcodeptr = ERR87; /* Integer overflow; lookbehind too big */
|
||||
return -1;
|
||||
}
|
||||
itemlength = (pptr[1] - 1) * lastitemlength;
|
||||
break;
|
||||
}
|
||||
pptr += 2;
|
||||
break;
|
||||
}
|
||||
|
@ -9284,19 +9302,19 @@ for (;; pptr++)
|
|||
return -1;
|
||||
}
|
||||
|
||||
/* Add the item length to the branchlength, and save it for use if the next
|
||||
thing is a quantifier. */
|
||||
/* Add the item length to the branchlength, checking for integer overflow and
|
||||
for the branch length exceeding the limit. */
|
||||
|
||||
branchlength += itemlength;
|
||||
lastitemlength = itemlength;
|
||||
|
||||
/* Ensure that the length does not overflow the limit. */
|
||||
|
||||
if (branchlength > LOOKBEHIND_MAX)
|
||||
if (INT_MAX - branchlength < (int)itemlength ||
|
||||
(branchlength += itemlength) > LOOKBEHIND_MAX)
|
||||
{
|
||||
*errcodeptr = ERR87;
|
||||
return -1;
|
||||
}
|
||||
|
||||
/* Save this item length for use if the next item is a quantifier. */
|
||||
|
||||
lastitemlength = itemlength;
|
||||
}
|
||||
|
||||
EXIT:
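Review bot: The new guard `INT_MAX - branchlength < (int)itemlength` in the second hunk is only sound while `itemlength` never exceeds INT_MAX. The cast suggests `itemlength` is an unsigned type; a value above INT_MAX would typically convert to a negative int, so the comparison would not fire and the following `branchlength += itemlength` could wrap past the LOOKBEHIND_MAX test. The quantifier path in the first hunk does bound the product by INT_MAX, but the other places that assign `itemlength` lie outside these hunks, so this should be confirmed. Comparing on the unsigned side removes the dependency: `if (itemlength > (unsigned int)(INT_MAX - branchlength) ||`, assuming `branchlength` cannot be negative at this point. The enclosing `for (;; pptr++)` loop starts and ends outside the hunks.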
|
||||
|
|
|
@ -5647,4 +5647,6 @@ a)"xI
|
|||
|
||||
/(?<=(?<=a)b)(?<!abcd)(?<=(?<=a)bcde)/I
|
||||
|
||||
/( {32742} {42})(?<!\1{65481})/
|
||||
|
||||
# End of testinput2
|
||||
|
|
|
@ -17078,6 +17078,9 @@ Max lookbehind = 5
|
|||
May match empty string
|
||||
Subject length lower bound = 0
|
||||
|
||||
/( {32742} {42})(?<!\1{65481})/
|
||||
Failed: error 187 at offset 15: lookbehind assertion is too long
|
||||
|
||||
# End of testinput2
|
||||
Error -70: PCRE2_ERROR_BADDATA (unknown error number)
|
||||
Error -62: bad serialized data
|
||||
|
|