From ff4553df080449b2efd4bb620670e3b444ad7b98 Mon Sep 17 00:00:00 2001
From: "Philip.Hazel"
Date: Mon, 8 Jun 2015 17:51:54 +0000
Subject: [PATCH] Check for integer overflow in subroutine calls.
---
 ChangeLog | 2 ++
 src/pcre2_compile.c | 10 +++++++++-
 testdata/testinput2 | 2 ++
 testdata/testoutput2 | 3 +++
 4 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 81fd92e..37e4c96 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -146,6 +146,8 @@ code for handling forward references was contorted and led to several errors in computing the memory requirements for some patterns, leading to buffer overflows.
+37. There was no check for integer overflow in subroutine calls such as (?123).
+
 Version 10.10 06-March-2015
 ---------------------------
diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
index 8cd88c3..3855b85 100644
--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
@@ -6483,8 +6483,16 @@ for (;; ptr++)
 }
 recno = 0;
- while(IS_DIGIT(*ptr))
+ while (IS_DIGIT(*ptr))
+ {
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ while (IS_DIGIT(*ptr)) ptr++;
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
 recno = recno * 10 + *ptr++ - CHAR_0;
+ }
 if (*ptr != (PCRE2_UCHAR)terminator)
 {
diff --git a/testdata/testinput2 b/testdata/testinput2
index 90d8338..70cfc06 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4323,4 +4323,6 @@ a random value. /Ix
 "(?J:(?|(?'R')(\k'R')|((?'R'))))"
+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+
 # End of testinput2
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index 91bead4..7de0b8a 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14449,4 +14449,7 @@ Failed: error 162 at offset 4: subpattern name expected
 "(?J:(?|(?'R')(\k'R')|((?'R'))))"
+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+Failed: error 161 at offset 32: number is too big
+
 # End of testinput2
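Review bot: In the src/pcre2_compile.c hunk the new guard `if (recno > INT_MAX / 10 - 1)` bounds only the digit accumulation, so recno can still leave the loop as large as INT_MAX - 8 (with a 32-bit int). Any later arithmetic on recno, which would be outside this hunk, needs its own range check, and a cap tied to the largest valid group number would be tighter if the project defines one. The declaration of recno is not visible here, and the bound is only right if it is an `int`. The bare `/* Integer overflow */` comment could say what the two steps do, e.g. `/* Reject before recno*10+9 can exceed INT_MAX; skip the remaining digits so the error offset lands after the number */`, which matches the offset 32 in the new testoutput2 entry. The enclosing block starts and ends outside the hunk.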