Check for too many replacements (more than INT_MAX) in pcre2_substitute()

This commit is contained in:
Philip.Hazel 2015-11-11 18:35:14 +00:00
parent ccfd31cda2
commit 9c5958fbe6
5 changed files with 16 additions and 0 deletions

View File

@ -288,6 +288,8 @@ a factor of the size of the compiling workspace (it currently is).
84. Test for error code <= 0 in regerror(). 84. Test for error code <= 0 in regerror().
85. Check for too many replacements (more than INT_MAX) in pcre2_substitute().
Version 10.20 30-June-2015 Version 10.20 30-June-2015
-------------------------- --------------------------

View File

@ -241,6 +241,7 @@ numbers must not be changed. */
#define PCRE2_ERROR_REPMISSINGBRACE (-58) #define PCRE2_ERROR_REPMISSINGBRACE (-58)
#define PCRE2_ERROR_BADSUBSTITUTION (-59) #define PCRE2_ERROR_BADSUBSTITUTION (-59)
#define PCRE2_ERROR_BADSUBSPATTERN (-60) #define PCRE2_ERROR_BADSUBSPATTERN (-60)
#define PCRE2_ERROR_TOOMANYREPLACE (-61)
/* Request types for pcre2_pattern_info() */ /* Request types for pcre2_pattern_info() */

View File

@ -241,6 +241,7 @@ numbers must not be changed. */
#define PCRE2_ERROR_REPMISSINGBRACE (-58) #define PCRE2_ERROR_REPMISSINGBRACE (-58)
#define PCRE2_ERROR_BADSUBSTITUTION (-59) #define PCRE2_ERROR_BADSUBSTITUTION (-59)
#define PCRE2_ERROR_BADSUBSPATTERN (-60) #define PCRE2_ERROR_BADSUBSPATTERN (-60)
#define PCRE2_ERROR_TOOMANYREPLACE (-61)
/* Request types for pcre2_pattern_info() */ /* Request types for pcre2_pattern_info() */

View File

@ -251,6 +251,7 @@ static const char match_error_texts[] =
"bad substitution in replacement string\0" "bad substitution in replacement string\0"
/* 60 */ /* 60 */
"match with end before start is not supported\0" "match with end before start is not supported\0"
"too many replacements (more than INT_MAX)\0"
; ;

View File

@ -329,6 +329,17 @@ do
goto EXIT; goto EXIT;
} }
/* Paranoid check for integer overflow; surely no real call to this function
would ever hit this! */
if (subs == INT_MAX)
{
rc = PCRE2_ERROR_TOOMANYREPLACE;
goto EXIT;
}
/* Count substitutions and proceed */
subs++; subs++;
if (rc == 0) rc = ovector_count; if (rc == 0) rc = ovector_count;
fraglength = ovector[0] - start_offset; fraglength = ovector[0] - start_offset;