Check for integer overflow when computing lookbehind lengths. Fixes Clusterfuzz

issue 13656.
This commit is contained in:
Philip.Hazel 2019-07-04 17:01:53 +00:00
parent a5c601091e
commit 2e06fdcdc1
4 changed files with 36 additions and 10 deletions

View File

@ -85,6 +85,9 @@ otherwise), an atomic group, or a recursion.
16. Give error if pcre2test -t, -T, -tm or -TM is given an argument of zero. 16. Give error if pcre2test -t, -T, -tm or -TM is given an argument of zero.
17. Check for integer overflow when computing lookbehind lengths. Fixes
Clusterfuzz issue 15636.
Version 10.33 16-April-2019 Version 10.33 16-April-2019
--------------------------- ---------------------------

View File

@ -9269,8 +9269,26 @@ for (;; pptr++)
case META_MINMAX_QUERY: case META_MINMAX_QUERY:
if (pptr[1] == pptr[2]) if (pptr[1] == pptr[2])
{ {
if (pptr[1] == 0) branchlength -= lastitemlength; switch(pptr[1])
else itemlength = (pptr[1] - 1) * lastitemlength; {
case 0:
branchlength -= lastitemlength;
break;
case 1:
itemlength = 0;
break;
default: /* Check for integer overflow */
if (lastitemlength != 0 && /* Should not occur, but just in case */
INT_MAX/lastitemlength < pptr[1] - 1)
{
*errcodeptr = ERR87; /* Integer overflow; lookbehind too big */
return -1;
}
itemlength = (pptr[1] - 1) * lastitemlength;
break;
}
pptr += 2; pptr += 2;
break; break;
} }
@ -9284,19 +9302,19 @@ for (;; pptr++)
return -1; return -1;
} }
/* Add the item length to the branchlength, and save it for use if the next /* Add the item length to the branchlength, checking for integer overflow and
thing is a quantifier. */ for the branch length exceeding the limit. */
branchlength += itemlength; if (INT_MAX - branchlength < (int)itemlength ||
lastitemlength = itemlength; (branchlength += itemlength) > LOOKBEHIND_MAX)
/* Ensure that the length does not overflow the limit. */
if (branchlength > LOOKBEHIND_MAX)
{ {
*errcodeptr = ERR87; *errcodeptr = ERR87;
return -1; return -1;
} }
/* Save this item length for use if the next item is a quantifier. */
lastitemlength = itemlength;
} }
EXIT: EXIT:

2
testdata/testinput2 vendored
View File

@ -5647,4 +5647,6 @@ a)"xI
/(?<=(?<=a)b)(?<!abcd)(?<=(?<=a)bcde)/I /(?<=(?<=a)b)(?<!abcd)(?<=(?<=a)bcde)/I
/( {32742} {42})(?<!\1{65481})/
# End of testinput2 # End of testinput2

View File

@ -17078,6 +17078,9 @@ Max lookbehind = 5
May match empty string May match empty string
Subject length lower bound = 0 Subject length lower bound = 0
/( {32742} {42})(?<!\1{65481})/
Failed: error 187 at offset 15: lookbehind assertion is too long
# End of testinput2 # End of testinput2
Error -70: PCRE2_ERROR_BADDATA (unknown error number) Error -70: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data Error -62: bad serialized data