[Pcre-svn] [334] code/trunk: Add missing integer overflow ch…

Author: Subversion repository
Date:
To: pcre-svn
Subject: [Pcre-svn] [334] code/trunk: Add missing integer overflow checks.
Revision: 334
          http://www.exim.org/viewvc/pcre2?view=rev&revision=334
Author:   ph10
Date:     2015-08-04 10:13:11 +0100 (Tue, 04 Aug 2015)
Log Message:
-----------
Add missing integer overflow checks.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-08-03 17:25:55 UTC (rev 333)
+++ code/trunk/ChangeLog    2015-08-04 09:13:11 UTC (rev 334)
@@ -98,7 +98,11 @@
 match" errors. For such patterns, a minimum matching length cannot at present 
 be computed.


+26. Added a check for integer overflow in conditions (?(<digits>) and
+(?(R<digits>). This omission was discovered by Karl Skomski with the LLVM
+fuzzer.

+
Version 10.20 30-June-2015
--------------------------


Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c    2015-08-03 17:25:55 UTC (rev 333)
+++ code/trunk/src/pcre2_compile.c    2015-08-04 09:13:11 UTC (rev 334)
@@ -5954,6 +5954,12 @@
           {
           while (IS_DIGIT(*ptr))
             {
+            if (recno > INT_MAX / 10 - 1)  /* Integer overflow */
+              {
+              while (IS_DIGIT(*ptr)) ptr++;
+              *errorcodeptr = ERR61;
+              goto FAILED;   
+              }   
             recno = recno * 10 + (int)(*ptr - CHAR_0);
             ptr++;
             }
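Review bot: the bound in "if (recno > INT_MAX / 10 - 1)" is stricter than the multiplication needs, and the "Integer overflow" comment does not say so. Once recno reaches INT_MAX / 10 any further digit is rejected, although some of those values would still fit in an int. That is harmless for a group number, but the comment should state that the bound is deliberately conservative so that it is not "corrected" later into one that lets recno * 10 + digit overflow. The added "goto FAILED;" and closing-brace lines also end in trailing spaces.
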
@@ -6089,9 +6095,14 @@
             {
             if (!IS_DIGIT(name[i]))
               {
-              *errorcodeptr = ERR15;
+              *errorcodeptr = ERR15;        /* Non-existent subpattern */
               goto FAILED;
               }
+            if (recno > INT_MAX / 10 - 1)   /* Integer overflow */
+              {
+              *errorcodeptr = ERR61;
+              goto FAILED;   
+              }     
             recno = recno * 10 + name[i] - CHAR_0;
             }
           if (recno == 0) recno = RREF_ANY;
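Review bot: the unchanged line "recno = recno * 10 + name[i] - CHAR_0;" directly after the new check can still overflow in its intermediate sum. The expression is evaluated as (recno * 10 + name[i]) - CHAR_0, so where name[i] promotes to int the character code is added before CHAR_0 is subtracted; for recno just under the new bound (for example INT_MAX / 10 - 1 followed by the digit 9) that intermediate exceeds INT_MAX even though the final value fits. Writing it as in the first hunk, "recno = recno * 10 + (int)(name[i] - CHAR_0);", keeps every intermediate within the range the check guarantees. The same four-line check now appears twice, so a shared macro or helper would keep the two bounds from drifting apart. The added lines again end in trailing spaces.
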


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-08-03 17:25:55 UTC (rev 333)
+++ code/trunk/testdata/testinput2    2015-08-04 09:13:11 UTC (rev 334)
@@ -4408,4 +4408,8 @@
 /.*?a(*SKIP)b/
     aab


+/(?(8000000000/
+
+/((?(R8000000000)))/
+
# End of testinput2
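Review bot: both added patterns use 8000000000, which is far above the threshold, so neither test exercises the edge of "recno > INT_MAX / 10 - 1". Add a case for each construct with a number just below the bound and one just above it, so that a later change to the comparison (or to the digit arithmetic after it) is caught by the test suite rather than by a fuzzer.
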

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-08-03 17:25:55 UTC (rev 333)
+++ code/trunk/testdata/testoutput2    2015-08-04 09:13:11 UTC (rev 334)
@@ -14661,4 +14661,10 @@
     aab
  0: ab


+/(?(8000000000/
+Failed: error 161 at offset 13: number is too big
+
+/((?(R8000000000)))/
+Failed: error 161 at offset 16: number is too big
+
# End of testinput2
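Review bot: the two reported offsets are not consistent with each other. For /(?(8000000000/ offset 13 is immediately after the last digit, which matches the first source hunk skipping the remaining digits before "goto FAILED;". For /((?(R8000000000)))/ the digits end at offset 15, yet the error is reported at 16, one character later. If the intent is for "number is too big" to point at the end of the number in both forms, the second code path needs the same treatment; otherwise a short comment in the source explaining the difference would help.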