[Pcre-svn] [281] code/trunk: Check for integer overflow in s…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [281] code/trunk: Check for integer overflow in subroutine calls.
Revision: 281
          http://www.exim.org/viewvc/pcre2?view=rev&revision=281
Author:   ph10
Date:     2015-06-08 18:51:54 +0100 (Mon, 08 Jun 2015)
Log Message:
-----------
Check for integer overflow in subroutine calls.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-06-03 17:18:06 UTC (rev 280)
+++ code/trunk/ChangeLog    2015-06-08 17:51:54 UTC (rev 281)
@@ -146,7 +146,9 @@
 computing the memory requirements for some patterns, leading to buffer 
 overflows.


+37. There was no check for integer overflow in subroutine calls such as (?123).

+
Version 10.10 06-March-2015
---------------------------
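
Review bot: Entry 37 says what was missing but not what the user now sees. Since the compile.c change makes such a pattern fail with ERR61, the entry could add that an oversized number in a call like (?123) is now diagnosed at compile time, so that someone reading the ChangeLog can match it to the new error.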


Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c    2015-06-03 17:18:06 UTC (rev 280)
+++ code/trunk/src/pcre2_compile.c    2015-06-08 17:51:54 UTC (rev 281)
@@ -6483,8 +6483,16 @@
             }


           recno = 0;
-          while(IS_DIGIT(*ptr))
+          while (IS_DIGIT(*ptr))
+            {
+            if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+              {
+              while (IS_DIGIT(*ptr)) ptr++;
+              *errorcodeptr = ERR61;
+              goto FAILED;
+              }
             recno = recno * 10 + *ptr++ - CHAR_0;
+            } 


           if (*ptr != (PCRE2_UCHAR)terminator)
             {
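
Review bot: In the accumulation line `recno = recno * 10 + *ptr++ - CHAR_0;` the addition is evaluated before the subtraction, so the intermediate `recno * 10 + *ptr` can pass INT_MAX even though the new guard let the digit through. The declaration of recno is outside this hunk, but if it is an int (as the INT_MAX bound suggests) and the code unit promotes to int, the largest value the guard admits is INT_MAX / 10 - 1, and ten times that plus the character code of a digit (48 or more in ASCII) is already above INT_MAX. Writing `recno = recno * 10 + (*ptr++ - CHAR_0);` keeps every intermediate in range. Two smaller points: the guard is stricter than needed (it rejects a few values that would still fit in an int), which is fine for a group number but worth saying in the comment, and the added closing brace line has trailing whitespace.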


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-06-03 17:18:06 UTC (rev 280)
+++ code/trunk/testdata/testinput2    2015-06-08 17:51:54 UTC (rev 281)
@@ -4323,4 +4323,6 @@


"(?J:(?|(?'R')(\k'R')|((?'R'))))"

+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+
# End of testinput2
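
Review bot: The single added pattern uses a 20-digit number, far past the limit, so the comparison in the new guard is never exercised near its boundary. Consider adding one call whose number is just above the guard's limit and one just below it, the latter expected not to report "number is too big", so that an off-by-one in `recno > INT_MAX / 10 - 1` would show up in the test output. A plain pattern containing only the oversized call would also make the case easier to read than the lookbehind it is currently embedded in.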

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-06-03 17:18:06 UTC (rev 280)
+++ code/trunk/testdata/testoutput2    2015-06-08 17:51:54 UTC (rev 281)
@@ -14449,4 +14449,7 @@


"(?J:(?|(?'R')(\k'R')|((?'R'))))"

+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+Failed: error 161 at offset 32: number is too big
+
# End of testinput2