Check for integer overflow in subroutine calls.
This commit is contained in:
parent
4c0414c813
commit
ff4553df08
|
@ -146,6 +146,8 @@ code for handling forward references was contorted and led to several errors in
|
||||||
computing the memory requirements for some patterns, leading to buffer
|
computing the memory requirements for some patterns, leading to buffer
|
||||||
overflows.
|
overflows.
|
||||||
|
|
||||||
|
37. There was no check for integer overflow in subroutine calls such as (?123).
|
||||||
|
|
||||||
|
|
||||||
Version 10.10 06-March-2015
|
Version 10.10 06-March-2015
|
||||||
---------------------------
|
---------------------------
|
||||||
|
|
|
@ -6483,8 +6483,16 @@ for (;; ptr++)
|
||||||
}
|
}
|
||||||
|
|
||||||
recno = 0;
|
recno = 0;
|
||||||
while(IS_DIGIT(*ptr))
|
while (IS_DIGIT(*ptr))
|
||||||
|
{
|
||||||
|
if (recno > INT_MAX / 10 - 1) /* Integer overflow */
|
||||||
|
{
|
||||||
|
while (IS_DIGIT(*ptr)) ptr++;
|
||||||
|
*errorcodeptr = ERR61;
|
||||||
|
goto FAILED;
|
||||||
|
}
|
||||||
recno = recno * 10 + *ptr++ - CHAR_0;
|
recno = recno * 10 + *ptr++ - CHAR_0;
|
||||||
|
}
|
||||||
|
|
||||||
if (*ptr != (PCRE2_UCHAR)terminator)
|
if (*ptr != (PCRE2_UCHAR)terminator)
|
||||||
{
|
{
|
||||||
|
|
|
@ -4323,4 +4323,6 @@ a random value. /Ix
|
||||||
|
|
||||||
"(?J:(?|(?'R')(\k'R')|((?'R'))))"
|
"(?J:(?|(?'R')(\k'R')|((?'R'))))"
|
||||||
|
|
||||||
|
/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
|
||||||
|
|
||||||
# End of testinput2
|
# End of testinput2
|
||||||
|
|
|
@ -14449,4 +14449,7 @@ Failed: error 162 at offset 4: subpattern name expected
|
||||||
|
|
||||||
"(?J:(?|(?'R')(\k'R')|((?'R'))))"
|
"(?J:(?|(?'R')(\k'R')|((?'R'))))"
|
||||||
|
|
||||||
|
/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
|
||||||
|
Failed: error 161 at offset 32: number is too big
|
||||||
|
|
||||||
# End of testinput2
|
# End of testinput2
|
||||||
|
|
Loading…
Reference in New Issue