[Pcre-svn] [385] code/trunk: Fix integer overflow for patter…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [385] code/trunk: Fix integer overflow for patterns whose minimum matching length is very, very
Revision: 385
          http://www.exim.org/viewvc/pcre2?view=rev&revision=385
Author:   ph10
Date:     2015-10-09 17:54:29 +0100 (Fri, 09 Oct 2015)
Log Message:
-----------
Fix integer overflow for patterns whose minimum matching length is very, very 
large.
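The bug class this commit fixes is easiest to see on a toy model of the minimum-length scan. The following is an added example, not PCRE2 code: the `struct node` tree, the `N_LITERAL`/`N_GROUP` kinds and the `minlen_naive`/`minlen_capped` names are assumptions chosen for illustration, and it uses uint32_t so the wrap-around is observable rather than undefined behaviour. It computes the minimum subject length for a pattern shaped like `((((x){256}){256}){256}){256}`, whose true minimum is 256^4 = 2^32 characters: the unguarded accumulator wraps to 0, while the saturating version stops at UINT16_MAX, which is still a valid (if no longer tight) lower bound.

```c
/* Toy minimum-length calculator with and without the 16-bit saturation
   that pcre2_study.c applies. Added example; node layout is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define MINLEN_CAP UINT16_MAX   /* the compiled pattern stores the minimum in 16 bits */

enum node_kind { N_LITERAL, N_GROUP };

/* A node is a run of 'len' literal characters, or a group whose 'child'
   sequence is matched exactly 'repeat' times (like {n} in a pattern). */
struct node {
    enum node_kind kind;
    uint32_t len;              /* N_LITERAL: characters in the run */
    uint32_t repeat;           /* N_GROUP: exact repeat count */
    const struct node *child;  /* N_GROUP: repeated subpattern */
    const struct node *next;   /* next item in the same sequence, or NULL */
};

/* Unguarded accumulation: nested exact repeats multiply, and the product can
   exceed the accumulator. With uint32_t this wraps; with int it would be UB. */
uint32_t minlen_naive(const struct node *n)
{
    uint32_t total = 0;
    for (; n != NULL; n = n->next) {
        if (n->kind == N_LITERAL) total += n->len;
        else total += n->repeat * minlen_naive(n->child);
    }
    return total;
}

/* Saturating helpers: both operands are kept <= MINLEN_CAP by the callers,
   so the overflow tests below cannot themselves underflow or divide by zero. */
static uint32_t sat_add(uint32_t a, uint32_t b)
{
    return (a > MINLEN_CAP - b) ? MINLEN_CAP : a + b;
}

static uint32_t sat_mul(uint32_t a, uint32_t b)
{
    if (a == 0 || b == 0) return 0;
    return (a > MINLEN_CAP / b) ? MINLEN_CAP : a * b;
}

/* Capped accumulation: give up as soon as the running total reaches the cap,
   and clamp each item (including repeat * group length) before adding it. */
uint32_t minlen_capped(const struct node *n)
{
    uint32_t total = 0;
    for (; n != NULL; n = n->next) {
        if (total >= MINLEN_CAP) return MINLEN_CAP;  /* top-of-loop guard */
        uint32_t item;
        if (n->kind == N_LITERAL)
            item = (n->len > MINLEN_CAP) ? MINLEN_CAP : n->len;
        else
            item = sat_mul(n->repeat, minlen_capped(n->child));
        total = sat_add(total, item);
    }
    return total;
}

/* Constructed sample 1: (abc){3}z, true minimum 10, no overflow anywhere. */
static const struct node lit_z   = { N_LITERAL, 1, 0, NULL, NULL };
static const struct node lit_abc = { N_LITERAL, 3, 0, NULL, NULL };
static const struct node small   = { N_GROUP, 0, 3, &lit_abc, &lit_z };

/* Constructed sample 2: ((((x){256}){256}){256}){256}, true minimum 2^32. */
static const struct node lit_x = { N_LITERAL, 1, 0, NULL, NULL };
static const struct node g1 = { N_GROUP, 0, 256, &lit_x, NULL };
static const struct node g2 = { N_GROUP, 0, 256, &g1, NULL };
static const struct node g3 = { N_GROUP, 0, 256, &g2, NULL };
static const struct node g4 = { N_GROUP, 0, 256, &g3, NULL };

uint32_t small_naive(void)   { return minlen_naive(&small); }
uint32_t small_capped(void)  { return minlen_capped(&small); }
uint32_t nested_naive(void)  { return minlen_naive(&g4); }
uint32_t nested_capped(void) { return minlen_capped(&g4); }

int main(void)
{
    printf("(abc){3}z            naive=%u capped=%u\n", small_naive(), small_capped());
    printf("((((x){256}){256}){256}){256} naive=%u capped=%u\n",
           nested_naive(), nested_capped());
    return 0;
}
```

The naive result of 0 is the dangerous direction only by luck: a wrapped total that lands above the true minimum would make the matcher reject subjects that do match, and with a signed accumulator the wrap itself is undefined behaviour. Clamping at the point where a group length is multiplied by its repeat count, not just at the top of the loop, is what keeps a single step from overshooting.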


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_study.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-10-09 16:06:53 UTC (rev 384)
+++ code/trunk/ChangeLog    2015-10-09 16:54:29 UTC (rev 385)
@@ -198,7 +198,10 @@
 ("not a word character") and a property escape were present, the property 
 escape was being ignored.


+57. Fixed integer overflow for patterns whose minimum matching length is very,
+very large.

+
Version 10.20 30-June-2015
--------------------------


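Review bot: the new entry 57 should also state the user-visible consequence of the fix, namely that the computed minimum length is now capped at 65535 (testoutput2 in this same revision shows "Subject length lower bound = 65535" for the new pattern), and that the capped value is still a valid lower bound, just no longer a tight one. Suggested wording: "Fixed integer overflow for patterns whose minimum matching length is very, very large; the minimum length is now capped at 65535."
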
Modified: code/trunk/src/pcre2_study.c
===================================================================
--- code/trunk/src/pcre2_study.c    2015-10-09 16:06:53 UTC (rev 384)
+++ code/trunk/src/pcre2_study.c    2015-10-09 16:54:29 UTC (rev 385)
@@ -65,8 +65,11 @@


/* Scan a parenthesized group and compute the minimum length of subject that
is needed to match it. This is a lower bound; it does not mean there is a
-string of that length that matches. In UTF8 mode, the result is in characters
-rather than bytes.
+string of that length that matches. In UTF mode, the result is in characters
+rather than code units. The field in a compiled pattern for storing the minimum
+length is 16-bits long (on the grounds that anything longer than that is
+pathological), so we give up when we reach that amount. This also means that
+integer overflow for really crazy patterns cannot happen.

 Arguments:
   re              compiled pattern block
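Review bot: the comment says "we give up when we reach that amount" but does not say what the function returns in that case or who clamps it; the guard added further down in this file returns as soon as branchlength exceeds UINT16_MAX, so the returned value can be above 65535 and the caller must clamp it to fit the 16-bit field (the expected test output shows exactly 65535). Add a sentence such as "The returned value may exceed 16 bits; the caller clamps it to UINT16_MAX."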
@@ -111,7 +114,8 @@
     *code == OP_CBRAPOS || *code == OP_SCBRAPOS) cc += IMM2_SIZE;


/* Scan along the opcodes for this branch. If we get to the end of the
-branch, check the length against that of the other branches. */
+branch, check the length against that of the other branches. If the accumulated
+length passes 16-bits, stop and return it. */

for (;;)
{
@@ -119,6 +123,8 @@
PCRE2_UCHAR *cs, *ce;
register PCRE2_UCHAR op = *cc;

+  if (branchlength > UINT16_MAX) return branchlength;
+
   switch (op)
     {
     case OP_COND:


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-10-09 16:06:53 UTC (rev 384)
+++ code/trunk/testdata/testinput2    2015-10-09 16:54:29 UTC (rev 385)
@@ -4590,4 +4590,6 @@
 /(aa)(BB)/substitute_extended,replace=\U$1\L$2\E$1..\U$1\l$2$1
     aaBB


+/^(o(\1{72}{\"{\\{00000059079}\d*){74}}){19}/I
+
# End of testinput2

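Review bot: the new test only exercises the compile/info path (/I with no subject lines), so the matcher's use of the capped minimum is not covered; adding one subject line, even a short one that must fail, would check that a capped lower bound does not wrongly reject subjects. The pattern is also opaque as written; a `#` comment line above it (this file already uses them, see "# End of testinput2") explaining that the nested {74} and {19} repeats exist to push the minimum length past 65535 would help the next person who edits this file.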
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-10-09 16:06:53 UTC (rev 384)
+++ code/trunk/testdata/testoutput2    2015-10-09 16:54:29 UTC (rev 385)
@@ -14741,4 +14741,12 @@
     aaBB
  1: AAbbaa..AAbBaa


+/^(o(\1{72}{\"{\\{00000059079}\d*){74}}){19}/I
+Capturing subpattern count = 2
+Max back reference = 1
+Compile options: <none>
+Overall options: anchored
+Last code unit = '}'
+Subject length lower bound = 65535
+
# End of testinput2