Revision: 1563
http://vcs.pcre.org/viewvc?view=rev&revision=1563
Author: ph10
Date: 2015-06-08 18:55:54 +0100 (Mon, 08 Jun 2015)
Log Message:
-----------
Add integer overflow check to (?n) code.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_compile.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-06-03 16:51:59 UTC (rev 1562)
+++ code/trunk/ChangeLog 2015-06-08 17:55:54 UTC (rev 1563)
@@ -39,6 +39,8 @@
numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been
fixed by always allowing for more memory, even if not needed. (A proper fix
is implemented in PCRE2, but it involves more refactoring.)
+
+8. There was no check for integer overflow in subroutine calls such as (?123).
Version 8.37 28-April-2015
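Review bot: the new ChangeLog entry states what was missing but not what the user now observes; consider extending item 8 with the resulting behaviour, i.e. that such a pattern now fails to compile with the "number is too big" error, as the testoutput2 change in this revision shows, so the entry can be matched to an error message by someone reading the log later.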
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c 2015-06-03 16:51:59 UTC (rev 1562)
+++ code/trunk/pcre_compile.c 2015-06-08 17:55:54 UTC (rev 1563)
@@ -7353,7 +7353,15 @@
recno = 0;
while(IS_DIGIT(*ptr))
+ {
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ while (IS_DIGIT(*ptr)) ptr++;
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
recno = recno * 10 + *ptr++ - CHAR_0;
+ }
if (*ptr != (pcre_uchar)terminator)
{
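Review bot: the guard `if (recno > INT_MAX / 10 - 1)` is slightly stricter than the arithmetic requires (recno equal to INT_MAX / 10 followed by a digit no larger than INT_MAX % 10 would still fit), which is harmless here because no group number anywhere near INT_MAX can be valid, but a one-line comment saying the bound is deliberately conservative would spare the next reader from re-deriving it. The inner `while (IS_DIGIT(*ptr)) ptr++;` before `goto FAILED` is worth keeping as is: it leaves ptr past the whole numeral, so the error is reported at the character following the number, which matches "offset 32" (the closing parenthesis after the 20 digits) in the testoutput2 change of this revision.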
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-06-03 16:51:59 UTC (rev 1562)
+++ code/trunk/testdata/testinput2 2015-06-08 17:55:54 UTC (rev 1563)
@@ -4173,4 +4173,6 @@
"(?J:(?|(?'R')(\k'R')|((?'R'))))"
+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+
/-- End of testinput2 --/
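Review bot: the added pattern uses a 20-digit number, so the guard fires after the first nine digits and the threshold itself is never exercised; consider a second test case whose number is just above INT_MAX / 10 in magnitude (ten digits on the usual 32-bit int), so that a regression in the `- 1` adjustment or in the comparison direction would be caught rather than masked by a value that is too big by many orders of magnitude.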
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-06-03 16:51:59 UTC (rev 1562)
+++ code/trunk/testdata/testoutput2 2015-06-08 17:55:54 UTC (rev 1563)
@@ -14461,4 +14461,7 @@
"(?J:(?|(?'R')(\k'R')|((?'R'))))"
+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+Failed: number is too big at offset 32
+
/-- End of testinput2 --/