Revision: 421
http://www.exim.org/viewvc/pcre2?view=rev&revision=421
Author: ph10
Date: 2015-11-09 18:45:15 +0000 (Mon, 09 Nov 2015)
Log Message:
-----------
Cap minimum length at 65535 and check for integer overflow.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_study.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-11-09 17:39:43 UTC (rev 420)
+++ code/trunk/ChangeLog 2015-11-09 18:45:15 UTC (rev 421)
@@ -275,7 +275,10 @@
80. Allow for the possibility of the size of the nest_save structure not being
a factor of the size of the compiling workspace (it currently is).
+81. Check for integer overflow in minimum length calculation and cap it at
+65535.
+
Version 10.20 30-June-2015
--------------------------
Modified: code/trunk/src/pcre2_study.c
===================================================================
--- code/trunk/src/pcre2_study.c 2015-11-09 17:39:43 UTC (rev 420)
+++ code/trunk/src/pcre2_study.c 2015-11-09 18:45:15 UTC (rev 421)
@@ -7,7 +7,7 @@
Written by Philip Hazel
Original API code Copyright (c) 1997-2012 University of Cambridge
- New API code Copyright (c) 2014 University of Cambridge
+ New API code Copyright (c) 2015 University of Cambridge
-----------------------------------------------------------------------------
Redistribution and use in source and binary forms, with or without
@@ -123,7 +123,7 @@
PCRE2_UCHAR *cs, *ce;
register PCRE2_UCHAR op = *cc;
- if (branchlength > UINT16_MAX) return branchlength;
+ if (branchlength >= UINT16_MAX) return UINT16_MAX;
switch (op)
{
@@ -562,7 +562,13 @@
break;
}
- branchlength += min * d;
+ /* Take care not to overflow: (1) min and d are ints, so check that their
+ product is not greater than INT_MAX. (2) branchlength is limited to
+ UINT16_MAX (checked at the top of the loop). */
+
+ if ((d > 0 && (INT_MAX/d) < min) || UINT16_MAX - branchlength < min*d)
+ branchlength = UINT16_MAX;
+ else branchlength += min * d;
break;
/* Recursion always refers to the first occurrence of a subpattern with a
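Review bot: the guard on the `if` line relies on short-circuit evaluation: `min*d` in the second operand is only computed once `(INT_MAX/d) < min` has been found false, so the product cannot overflow there, and the `d > 0` test also covers `d == 0` (a zero product never overflows). That ordering dependency should be stated in the comment above the check, since swapping the two operands would quietly reintroduce the signed overflow this change removes. The check also assumes `d` and `min` are non-negative at this point (`INT_MAX/d` is meaningless for negative `d`); the visible lines do not show where that is established, so a one-line pointer to it would help.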
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-11-09 17:39:43 UTC (rev 420)
+++ code/trunk/testdata/testinput2 2015-11-09 18:45:15 UTC (rev 421)
@@ -4631,4 +4631,8 @@
/\[()]{1024}/I,expand
+# Test minlength capped at 65535
+
+/(A{65000})\1{65000}/I
+
# End of testinput2
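Review bot: the new pattern `/(A{65000})\1{65000}/I` exercises only the multiplication arm of the guard, since 65000 * 65000 exceeds INT_MAX, so the second arm (where `min*d` fits in an int but `UINT16_MAX - branchlength < min*d` still holds) and the `>=` early-exit change have no test. A second pattern with a smaller repeat count that still pushes the total past 65535 would cover those paths.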
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-11-09 17:39:43 UTC (rev 420)
+++ code/trunk/testdata/testoutput2 2015-11-09 18:45:15 UTC (rev 421)
@@ -14743,4 +14743,13 @@
May match empty string
Subject length lower bound = 0
+# Test minlength capped at 65535
+
+/(A{65000})\1{65000}/I
+Capturing subpattern count = 1
+Max back reference = 1
+First code unit = 'A'
+Last code unit = 'A'
+Subject length lower bound = 65535
+
# End of testinput2