[Pcre-svn] [1563] code/trunk: Add integer overflow check to …

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1563] code/trunk: Add integer overflow check to (?n) code.
Revision: 1563
          http://vcs.pcre.org/viewvc?view=rev&revision=1563
Author:   ph10
Date:     2015-06-08 18:55:54 +0100 (Mon, 08 Jun 2015)
Log Message:
-----------
Add integer overflow check to (?n) code.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-06-03 16:51:59 UTC (rev 1562)
+++ code/trunk/ChangeLog    2015-06-08 17:55:54 UTC (rev 1563)
@@ -39,6 +39,8 @@
     numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been 
     fixed by always allowing for more memory, even if not needed. (A proper fix 
     is implemented in PCRE2, but it involves more refactoring.) 
+    
+8.  There was no check for integer overflow in subroutine calls such as (?123). 



Version 8.37 28-April-2015
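
Review bot: Item 8 records what was missing but not what happens now, so a reader of the ChangeLog cannot tell whether an oversized number in a call such as (?123) is clamped, ignored or rejected. Suggest extending the entry to say that such a pattern now fails to compile with "number is too big", which is what the new testoutput2 case records. The added whitespace-only line and the entry line also carry trailing spaces.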

Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c    2015-06-03 16:51:59 UTC (rev 1562)
+++ code/trunk/pcre_compile.c    2015-06-08 17:55:54 UTC (rev 1563)
@@ -7353,7 +7353,15 @@


           recno = 0;
           while(IS_DIGIT(*ptr))
+            {
+            if (recno > INT_MAX / 10 - 1) /* Integer overflow */            
+              {                                                             
+              while (IS_DIGIT(*ptr)) ptr++;                                 
+              *errorcodeptr = ERR61;                                        
+              goto FAILED;                                                  
+              }
             recno = recno * 10 + *ptr++ - CHAR_0;
+            } 


           if (*ptr != (pcre_uchar)terminator)
             {
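
Review bot: The bound in `if (recno > INT_MAX / 10 - 1)` is stricter than overflow safety requires. It is safe, because any recno that passes keeps recno * 10 + 9 below INT_MAX, but it also rejects the few largest values that would still fit (with a 32-bit int, anything above 2147483639). If that margin is intentional, say so in the comment rather than only "Integer overflow"; otherwise compare against the incoming digit, for example recno > (INT_MAX - (*ptr - CHAR_0)) / 10. The inner `while (IS_DIGIT(*ptr)) ptr++;` appears to exist so that the reported error offset lands after the whole number, which deserves a one-line comment as well. The added lines also end in runs of trailing spaces.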


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-06-03 16:51:59 UTC (rev 1562)
+++ code/trunk/testdata/testinput2    2015-06-08 17:55:54 UTC (rev 1563)
@@ -4173,4 +4173,6 @@


"(?J:(?|(?'R')(\k'R')|((?'R'))))"

+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+
/-- End of testinput2 --/
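
Review bot: The only new case is a 20-digit number placed inside a lookbehind with a repeated group, so it exercises the check far from its threshold and mixed with unrelated syntax. Suggest adding a minimal pattern that contains just the oversized (?n) call, plus values either side of the `INT_MAX / 10 - 1` limit used in pcre_compile.c, so that a later change to the bound is caught by the test data.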

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-06-03 16:51:59 UTC (rev 1562)
+++ code/trunk/testdata/testoutput2    2015-06-08 17:55:54 UTC (rev 1563)
@@ -14461,4 +14461,7 @@


"(?J:(?|(?'R')(\k'R')|((?'R'))))"

+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+Failed: number is too big at offset 32
+
/-- End of testinput2 --/