[Pcre-svn] [1589] code/trunk: Add missing integer overflow c…

Author: Subversion repository
To: pcre-svn
Subject: [Pcre-svn] [1589] code/trunk: Add missing integer overflow checks.
Revision: 1589
          http://vcs.pcre.org/viewvc?view=rev&revision=1589
Author:   ph10
Date:     2015-08-10 15:19:06 +0100 (Mon, 10 Aug 2015)
Log Message:
-----------
Add missing integer overflow checks.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-08-10 14:09:19 UTC (rev 1588)
+++ code/trunk/ChangeLog    2015-08-10 14:19:06 UTC (rev 1589)
@@ -116,6 +116,10 @@


 30. Error messages for syntax errors following \g and \k were giving inaccurate 
     offsets in the pattern.
+    
+31. Added a check for integer overflow in conditions (?(<digits>) and
+    (?(R<digits>). This omission was discovered by Karl Skomski with the LLVM
+    fuzzer.



Version 8.37 28-April-2015
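Review bot: the blank line added at the top of this hunk carries trailing whitespace (`+    `); trim it so the ChangeLog stays free of stray spaces. The entry text itself is fine and matches the commit message.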

Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c    2015-08-10 14:09:19 UTC (rev 1588)
+++ code/trunk/pcre_compile.c    2015-08-10 14:19:06 UTC (rev 1589)
@@ -6769,6 +6769,12 @@
           {
           while (IS_DIGIT(*ptr))
             {
+            if (recno > INT_MAX / 10 - 1)  /* Integer overflow */              
+              {                                                             
+              while (IS_DIGIT(*ptr)) ptr++;                                 
+              *errorcodeptr = ERR61;                                        
+              goto FAILED; 
+              }
             recno = recno * 10 + (int)(*ptr - CHAR_0);
             ptr++;
             }
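Review bot: the bound `recno > INT_MAX / 10 - 1` is correct but not self-explanatory; the `- 1` is what guarantees `recno * 10 + 9` still fits, because `INT_MAX / 10 - 1` equals `(INT_MAX - 9) / 10` for a 32-bit int. A comment saying so would stop a future reader from "simplifying" it to `INT_MAX / 10`, which would let `recno * 10 + digit` overflow for digits 8 and 9. The `while (IS_DIGIT(*ptr)) ptr++;` before `goto FAILED` is what moves the reported error offset past the whole number and deserves a comment as well. Several of the added lines also carry trailing whitespace.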
@@ -6903,6 +6909,11 @@
               *errorcodeptr = ERR15;
               goto FAILED;
               }
+            if (recno > INT_MAX / 10 - 1)   /* Integer overflow */          
+              {                                                                
+              *errorcodeptr = ERR61;                                        
+              goto FAILED;                                
+              }   
             recno = recno * 10 + name[i] - CHAR_0;
             }
           if (recno == 0) recno = RREF_ANY;
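Review bot: the same overflow test is duplicated here verbatim; consider a shared macro or helper for the bound so the two copies cannot drift apart. Since this loop reads `name[i]` rather than advancing `ptr`, the digit-skipping loop from the first hunk is rightly absent, but a one-line comment noting that `ptr` is already past the name would save the next reader from wondering whether it was forgotten. The added lines carry trailing whitespace here too.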


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-08-10 14:09:19 UTC (rev 1588)
+++ code/trunk/testdata/testinput2    2015-08-10 14:19:06 UTC (rev 1589)
@@ -4199,4 +4199,8 @@
 /0(?0)|(1)(*THEN)(*SKIP:0)(*FAIL)/
     01


+/((?(R8000000000)))/
+
+/(?(8000000000/
+
/-- End of testinput2 --/
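Review bot: both new patterns use a value far above INT_MAX, so they exercise only the clearly-overflowing case. A boundary pair (the largest number the check accepts and the first one it rejects) would pin the limit down and catch an off-by-one in the `INT_MAX / 10 - 1` bound.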

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-08-10 14:09:19 UTC (rev 1588)
+++ code/trunk/testdata/testoutput2    2015-08-10 14:19:06 UTC (rev 1589)
@@ -14543,4 +14543,10 @@
     01
 No match


+/((?(R8000000000)))/
+Failed: number is too big at offset 16
+
+/(?(8000000000/
+Failed: number is too big at offset 13
+
/-- End of testinput2 --/
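Review bot: the two expected offsets are not positioned the same way relative to the number: 13 in the second pattern is the end of the digits, while 16 in the first pattern is one past the closing parenthesis after `R8000000000`. If that follows from the digit-skip loop in the first compile hunk it may be acceptable, but it is worth confirming that both messages point where a user would expect, and that "number is too big" is indeed the text of ERR61, which this diff does not show.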