Add missing integer overflow checks.

This commit is contained in:
Philip.Hazel 2015-08-04 09:13:11 +00:00
parent 76a2e62669
commit b89a448d8d
4 changed files with 26 additions and 1 deletions

View File

@ -98,6 +98,10 @@ minimum matching length gave a wrong result, which could cause incorrect "no
match" errors. For such patterns, a minimum matching length cannot at present
be computed.
26. Added a check for integer overflow in conditions (?(<digits>) and
(?(R<digits>). This omission was discovered by Karl Skomski with the LLVM
fuzzer.
Version 10.20 30-June-2015
--------------------------

View File

@ -5954,6 +5954,12 @@ for (;; ptr++)
{
while (IS_DIGIT(*ptr))
{
if (recno > INT_MAX / 10 - 1) /* Integer overflow */
{
while (IS_DIGIT(*ptr)) ptr++;
*errorcodeptr = ERR61;
goto FAILED;
}
recno = recno * 10 + (int)(*ptr - CHAR_0);
ptr++;
}
@ -6089,7 +6095,12 @@ for (;; ptr++)
{
if (!IS_DIGIT(name[i]))
{
*errorcodeptr = ERR15;
*errorcodeptr = ERR15; /* Non-existent subpattern */
goto FAILED;
}
if (recno > INT_MAX / 10 - 1) /* Integer overflow */
{
*errorcodeptr = ERR61;
goto FAILED;
}
recno = recno * 10 + name[i] - CHAR_0;

4
testdata/testinput2 vendored
View File

@ -4408,4 +4408,8 @@ a random value. /Ix
/.*?a(*SKIP)b/
aab
/(?(8000000000/
/((?(R8000000000)))/
# End of testinput2

View File

@ -14661,4 +14661,10 @@ No match
aab
0: ab
/(?(8000000000/
Failed: error 161 at offset 13: number is too big
/((?(R8000000000)))/
Failed: error 161 at offset 16: number is too big
# End of testinput2