Detect overflow in pcre2test pattern and subject repetition counts.

Philip.Hazel 2016-07-06 08:42:50 +00:00
parent 7aedda0fff
commit 9b741ad59d
4 changed files with 43 additions and 3 deletions


@ -168,6 +168,8 @@ large stack size when testing with clang.
42. Fix register overwite in JIT when SSE2 acceleration is enabled. 42. Fix register overwite in JIT when SSE2 acceleration is enabled.
43. Detect integer overflow in pcre2test pattern and data repetition counts.
Version 10.21 12-January-2016 Version 10.21 12-January-2016
----------------------------- -----------------------------


@ -4618,8 +4618,19 @@ else if ((pat_patctl.control & CTL_EXPAND) != 0)
{ {
uint32_t clen = pe - pc - 2; uint32_t clen = pe - pc - 2;
uint32_t i = 0; uint32_t i = 0;
unsigned long uli;
char *endptr;
pe += 2; pe += 2;
while (isdigit(*pe)) i = i * 10 + *pe++ - '0'; uli = strtoul((const char *)pe, &endptr, 10);
if (U32OVERFLOW(uli))
{
fprintf(outfile, "** Pattern repeat count too large\n");
return PR_SKIP;
}
i = (uint32_t)uli;
pe = (uint8_t *)endptr;
if (*pe == '}') if (*pe == '}')
{ {
if (i == 0) if (i == 0)
@ -5615,13 +5626,15 @@ buffer of the appropriate width. In UTF mode, input can be UTF-8. */
while ((c = *p++) != 0) while ((c = *p++) != 0)
{ {
int i = 0; int32_t i = 0;
size_t replen; size_t replen;
/* ] may mark the end of a replicated sequence */ /* ] may mark the end of a replicated sequence */
if (c == ']' && start_rep != NULL) if (c == ']' && start_rep != NULL)
{ {
long li;
char *endptr;
size_t qoffset = CAST8VAR(q) - dbuffer; size_t qoffset = CAST8VAR(q) - dbuffer;
size_t rep_offset = start_rep - dbuffer; size_t rep_offset = start_rep - dbuffer;
@ -5630,12 +5643,22 @@ while ((c = *p++) != 0)
fprintf(outfile, "** Expected '{' after \\[....]\n"); fprintf(outfile, "** Expected '{' after \\[....]\n");
return PR_OK; return PR_OK;
} }
while (isdigit(*p)) i = i * 10 + *p++ - '0';
li = strtol((const char *)p, &endptr, 10);
if (S32OVERFLOW(li))
{
fprintf(outfile, "** Repeat count too large\n");
return PR_OK;
}
p = (uint8_t *)endptr;
if (*p++ != '}') if (*p++ != '}')
{ {
fprintf(outfile, "** Expected '}' after \\[...]{...\n"); fprintf(outfile, "** Expected '}' after \\[...]{...\n");
return PR_OK; return PR_OK;
} }
i = (int32_t)li;
if (i-- == 0) if (i-- == 0)
{ {
fprintf(outfile, "** Zero repeat not allowed\n"); fprintf(outfile, "** Zero repeat not allowed\n");
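Review bot: `strtol()` in the subject-repeat hunk accepts leading white space and a sign, which the removed `while (isdigit(*p))` loop did not, so a constructed input such as `\[a]{-5}` now yields a negative `li` that may pass `S32OVERFLOW` (its definition is not shown on this page) and reach `i = (int32_t)li`, where only `i-- == 0` is tested. Rejecting it with the range check, e.g. `if (li < 0 || S32OVERFLOW(li))`, would keep the count non-negative before the replication code that follows outside this hunk. The pattern-repeat hunk has the same exposure with `strtoul()`, which converts a signed input to a large unsigned value; where `unsigned long` is 32 bits that value presumably cannot be told apart from a legitimate count, so checking `isdigit(*pe)` before the call would be safer. Neither call clears and tests `errno` for `ERANGE`, so overflow detection rests entirely on the two macros.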

6
testdata/testinput2 vendored

@ -4813,4 +4813,10 @@ a)"xI
\= Expect no match \= Expect no match
abc abc
/aaa/
\[abc]{10000000000000000000000000000}
\[a]{3}
/\[AB]{6000000000000000000000}/expand
# End of testinput2 # End of testinput2


@ -15186,6 +15186,15 @@ Failed: error 122 at offset 10: unmatched closing parenthesis
0 ^ 0 0 ^ 0
No match No match
/aaa/
\[abc]{10000000000000000000000000000}
** Repeat count too large
\[a]{3}
0: aaa
/\[AB]{6000000000000000000000}/expand
** Pattern repeat count too large
# End of testinput2 # End of testinput2
Error -63: PCRE2_ERROR_BADDATA (unknown error number) Error -63: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data Error -62: bad serialized data