Check for integer overflow in subroutine calls.

2015-06-08 17:51:54 +00:00 · 2015-06-08 17:51:54 +00:00 · ff4553df08
parent 4c0414c813
commit ff4553df08
4 changed files with 16 additions and 1 deletions
--- a/2
+++ b/2
@ -146,6 +146,8 @@ code for handling forward references was contorted and led to several errors in
 computing the memory requirements for some patterns, leading to buffer 
 overflows.

+37. There was no check for integer overflow in subroutine calls such as (?123).
+

 Version 10.10 06-March-2015
 ---------------------------
--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
@ -6483,8 +6483,16 @@ for (;; ptr++)
            }

          recno = 0;
-          while(IS_DIGIT(*ptr))
+          while (IS_DIGIT(*ptr))
+            {
+            if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+              {
+              while (IS_DIGIT(*ptr)) ptr++;
+              *errorcodeptr = ERR61;
+              goto FAILED;
+              }
            recno = recno * 10 + *ptr++ - CHAR_0;
+            } 

          if (*ptr != (PCRE2_UCHAR)terminator)
            {
--- a/testdata/testinput2
+++ b/testdata/testinput2
@ -4323,4 +4323,6 @@ a random value. /Ix

 "(?J:(?|(?'R')(\k'R')|((?'R'))))"

+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+
 # End of testinput2 
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@ -14449,4 +14449,7 @@ Failed: error 162 at offset 4: subpattern name expected

 "(?J:(?|(?'R')(\k'R')|((?'R'))))"

+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+Failed: error 161 at offset 32: number is too big
+
 # End of testinput2