Add missing integer overflow checks.
parent
76a2e62669
commit
b89a448d8d
|
@ -98,6 +98,10 @@ minimum matching length gave a wrong result, which could cause incorrect "no
|
||||||
match" errors. For such patterns, a minimum matching length cannot at present
|
match" errors. For such patterns, a minimum matching length cannot at present
|
||||||
be computed.
|
be computed.
|
||||||
|
|
||||||
|
26. Added a check for integer overflow in conditions (?(<digits>) and
|
||||||
|
(?(R<digits>). This omission was discovered by Karl Skomski with the LLVM
|
||||||
|
fuzzer.
|
||||||
|
|
||||||
|
|
||||||
Version 10.20 30-June-2015
|
Version 10.20 30-June-2015
|
||||||
--------------------------
|
--------------------------
|
||||||
|
|
|
@ -5954,6 +5954,12 @@ for (;; ptr++)
|
||||||
{
|
{
|
||||||
while (IS_DIGIT(*ptr))
|
while (IS_DIGIT(*ptr))
|
||||||
{
|
{
|
||||||
|
if (recno > INT_MAX / 10 - 1) /* Integer overflow */
|
||||||
|
{
|
||||||
|
while (IS_DIGIT(*ptr)) ptr++;
|
||||||
|
*errorcodeptr = ERR61;
|
||||||
|
goto FAILED;
|
||||||
|
}
|
||||||
recno = recno * 10 + (int)(*ptr - CHAR_0);
|
recno = recno * 10 + (int)(*ptr - CHAR_0);
|
||||||
ptr++;
|
ptr++;
|
||||||
}
|
}
|
||||||
|
@ -6089,7 +6095,12 @@ for (;; ptr++)
|
||||||
{
|
{
|
||||||
if (!IS_DIGIT(name[i]))
|
if (!IS_DIGIT(name[i]))
|
||||||
{
|
{
|
||||||
*errorcodeptr = ERR15;
|
*errorcodeptr = ERR15; /* Non-existent subpattern */
|
||||||
|
goto FAILED;
|
||||||
|
}
|
||||||
|
if (recno > INT_MAX / 10 - 1) /* Integer overflow */
|
||||||
|
{
|
||||||
|
*errorcodeptr = ERR61;
|
||||||
goto FAILED;
|
goto FAILED;
|
||||||
}
|
}
|
||||||
recno = recno * 10 + name[i] - CHAR_0;
|
recno = recno * 10 + name[i] - CHAR_0;
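Review bot: The guard `if (recno > INT_MAX / 10 - 1)` appears twice, in the digit loop of the first hunk and in the `name[i]` loop of the second, with only `/* Integer overflow */` beside it, so a reader cannot tell why the bound carries a `- 1` or that it is deliberately conservative. With that bound the following `recno * 10 + 9` stays below `INT_MAX`, at the cost of rejecting the last few values that would still fit in an int. I would say so at the first site, e.g. `/* recno*10 + 9 must not exceed INT_MAX; the bound is conservative */`, or hoist the test into one shared macro so the two sites cannot drift apart. The second hunk also adds `name[i] - CHAR_0` without the `(int)` cast used in the first hunk; if `name[i]` is an unsigned code-unit type (not visible here), casting the digit the same way would keep the arithmetic signed in both places. Both loops sit inside a `for (;; ptr++)` body that starts and ends outside the hunks.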
|
||||||
|
|
|
@ -4408,4 +4408,8 @@ a random value. /Ix
|
||||||
/.*?a(*SKIP)b/
|
/.*?a(*SKIP)b/
|
||||||
aab
|
aab
|
||||||
|
|
||||||
|
/(?(8000000000/
|
||||||
|
|
||||||
|
/((?(R8000000000)))/
|
||||||
|
|
||||||
# End of testinput2
|
# End of testinput2
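Review bot: Both added patterns use `8000000000`, which is far past the limit, so the edge of the new `INT_MAX / 10 - 1` guard is never exercised. A pair of cases on either side of the accepted range would pin it, for example `/(?(2147483639)a)/` and `/(?(2147483640)a)/` (constructed samples, assuming a 32-bit int). The matching expected lines would need to be generated into testoutput2 in the same change.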
|
||||||
|
|
|
@ -14661,4 +14661,10 @@ No match
|
||||||
aab
|
aab
|
||||||
0: ab
|
0: ab
|
||||||
|
|
||||||
|
/(?(8000000000/
|
||||||
|
Failed: error 161 at offset 13: number is too big
|
||||||
|
|
||||||
|
/((?(R8000000000)))/
|
||||||
|
Failed: error 161 at offset 16: number is too big
|
||||||
|
|
||||||
# End of testinput2
|
# End of testinput2
|
||||||
|
|