Check for integer overflow in subroutine calls.

This commit is contained in:
Philip.Hazel 2015-06-08 17:51:54 +00:00
parent 4c0414c813
commit ff4553df08
4 changed files with 16 additions and 1 deletions

View File

@ -146,6 +146,8 @@ code for handling forward references was contorted and led to several errors in
computing the memory requirements for some patterns, leading to buffer
overflows.
37. There was no check for integer overflow in subroutine calls such as (?123).
Version 10.10 06-March-2015
---------------------------

View File

@ -6484,7 +6484,15 @@ for (;; ptr++)
recno = 0;
while (IS_DIGIT(*ptr))
{
if (recno > INT_MAX / 10 - 1) /* Integer overflow */
{
while (IS_DIGIT(*ptr)) ptr++;
*errorcodeptr = ERR61;
goto FAILED;
}
recno = recno * 10 + *ptr++ - CHAR_0;
}
if (*ptr != (PCRE2_UCHAR)terminator)
{

2
testdata/testinput2 vendored
View File

@ -4323,4 +4323,6 @@ a random value. /Ix
"(?J:(?|(?'R')(\k'R')|((?'R'))))"
/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
# End of testinput2

View File

@ -14449,4 +14449,7 @@ Failed: error 162 at offset 4: subpattern name expected
"(?J:(?|(?'R')(\k'R')|((?'R'))))"
/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
Failed: error 161 at offset 32: number is too big
# End of testinput2