Revision: 334
http://www.exim.org/viewvc/pcre2?view=rev&revision=334
Author: ph10
Date: 2015-08-04 10:13:11 +0100 (Tue, 04 Aug 2015)
Log Message:
-----------
Add missing integer overflow checks.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_compile.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-08-03 17:25:55 UTC (rev 333)
+++ code/trunk/ChangeLog 2015-08-04 09:13:11 UTC (rev 334)
@@ -98,7 +98,11 @@
match" errors. For such patterns, a minimum matching length cannot at present
be computed.
+26. Added a check for integer overflow in conditions (?(<digits>) and
+(?(R<digits>). This omission was discovered by Karl Skomski with the LLVM
+fuzzer.
+
Version 10.20 30-June-2015
--------------------------
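Review bot: the new entry 26 names the affected syntax and who found the bug but not what the caller now sees; since the error code is visible in the test output hunk (error 161, "number is too big") and no message file is among the modified paths, it is worth stating in the ChangeLog that the existing "number is too big" error is reused for this case, so users reading the log know which compile error to expect.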
Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c 2015-08-03 17:25:55 UTC (rev 333)
+++ code/trunk/src/pcre2_compile.c 2015-08-04 09:13:11 UTC (rev 334)
@@ -5954,6 +5954,12 @@
{
while (IS_DIGIT(*ptr))
{
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ while (IS_DIGIT(*ptr)) ptr++;
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
recno = recno * 10 + (int)(*ptr - CHAR_0);
ptr++;
}
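Review bot: the guard `if (recno > INT_MAX / 10 - 1)` is evaluated before `recno = recno * 10 + (int)(*ptr - CHAR_0)`, so the multiplication never runs on a value above INT_MAX/10 - 1 and the sum stays below INT_MAX even for a trailing digit of 9; the bound is one step more conservative than the exact `(INT_MAX - 9) / 10`, which is harmless here but deserves a comment saying it is intentionally loose. The line `while (IS_DIGIT(*ptr)) ptr++;` inside the failure branch also needs a comment: it consumes the rest of the number so that the reported error offset lands after the digits (the testoutput2 hunk relies on this, expecting offset 13 for `/(?(8000000000/`), and a reader seeing a loop before `goto FAILED` will otherwise assume it is dead code.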
@@ -6089,9 +6095,14 @@
{
if (!IS_DIGIT(name[i]))
{
- *errorcodeptr = ERR15;
+ *errorcodeptr = ERR15; /* Non-existent subpattern */
goto FAILED;
}
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
recno = recno * 10 + name[i] - CHAR_0;
}
if (recno == 0) recno = RREF_ANY;
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-08-03 17:25:55 UTC (rev 333)
+++ code/trunk/testdata/testinput2 2015-08-04 09:13:11 UTC (rev 334)
@@ -4408,4 +4408,8 @@
/.*?a(*SKIP)b/
aab
+/(?(8000000000/
+
+/((?(R8000000000)))/
+
# End of testinput2
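Review bot: both new patterns use a ten-digit value that exceeds INT_MAX by a wide margin, so they exercise the `goto FAILED` path but not the edge of the bound; consider adding one case at the boundary (a nine-digit number just below the limit and one just above it) for each of the `(?(<digits>)` and `(?(R<digits>)` forms, so that a later change to the `INT_MAX / 10 - 1` arithmetic in pcre2_compile.c would be caught by the test suite rather than only by a fuzzer.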
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-08-03 17:25:55 UTC (rev 333)
+++ code/trunk/testdata/testoutput2 2015-08-04 09:13:11 UTC (rev 334)
@@ -14661,4 +14661,10 @@
aab
0: ab
+/(?(8000000000/
+Failed: error 161 at offset 13: number is too big
+
+/((?(R8000000000)))/
+Failed: error 161 at offset 16: number is too big
+
# End of testinput2
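Review bot: the expected results confirm the two hunks report the error at different offsets (13 for the first pattern, i.e. right after the digits, and 16 for the second, i.e. after the condition's closing parenthesis), which follows from the first hunk skipping remaining digits and the second working on an already-extracted `name[]` buffer; since offsets are part of the contract checked here, a short note in the ChangeLog or the source comment that the two conditions intentionally report different positions would stop a future "fix" from aligning them and breaking this test.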