Revision: 544
http://www.exim.org/viewvc/pcre2?view=rev&revision=544
Author: ph10
Date: 2016-07-06 09:42:50 +0100 (Wed, 06 Jul 2016)
Log Message:
-----------
Detect overflow in pcre2test pattern and subject repetition counts.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2test.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2016-07-03 15:21:01 UTC (rev 543)
+++ code/trunk/ChangeLog 2016-07-06 08:42:50 UTC (rev 544)
@@ -168,7 +168,9 @@
42. Fix register overwite in JIT when SSE2 acceleration is enabled.
+43. Detect integer overflow in pcre2test pattern and data repetition counts.
+
Version 10.21 12-January-2016
-----------------------------
Modified: code/trunk/src/pcre2test.c
===================================================================
--- code/trunk/src/pcre2test.c 2016-07-03 15:21:01 UTC (rev 543)
+++ code/trunk/src/pcre2test.c 2016-07-06 08:42:50 UTC (rev 544)
@@ -4618,8 +4618,19 @@
{
uint32_t clen = pe - pc - 2;
uint32_t i = 0;
+ unsigned long uli;
+ char *endptr;
+
pe += 2;
- while (isdigit(*pe)) i = i * 10 + *pe++ - '0';
+ uli = strtoul((const char *)pe, &endptr, 10);
+ if (U32OVERFLOW(uli))
+ {
+ fprintf(outfile, "** Pattern repeat count too large\n");
+ return PR_SKIP;
+ }
+
+ i = (uint32_t)uli;
+ pe = (uint8_t *)endptr;
if (*pe == '}')
{
if (i == 0)
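Review bot: The `strtoul` call that replaces the digit loop accepts input the loop did not, namely leading whitespace and a `+` or `-` sign, and a `-` makes it return the negated value as an unsigned long. Whether `U32OVERFLOW(uli)` then rejects that value depends on the width of `unsigned long` and on the macro's definition, neither of which is visible in this hunk, so on a platform with a 32-bit `unsigned long` a wrapped count may be taken as valid. I would initialise `uli = 0` and `endptr = (char *)pe` and call `strtoul` only under `if (isdigit(*pe))`, which keeps the old digits-only grammar. Setting `errno = 0` before the call and also testing `errno == ERANGE` would make the overflow check independent of the macro. The enclosing block starts and ends outside the hunk.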
@@ -5615,7 +5626,7 @@
while ((c = *p++) != 0)
{
- int i = 0;
+ int32_t i = 0;
size_t replen;
/* ] may mark the end of a replicated sequence */
@@ -5622,6 +5633,8 @@
if (c == ']' && start_rep != NULL)
{
+ long li;
+ char *endptr;
size_t qoffset = CAST8VAR(q) - dbuffer;
size_t rep_offset = start_rep - dbuffer;
@@ -5630,12 +5643,22 @@
fprintf(outfile, "** Expected '{' after \\[....]\n");
return PR_OK;
}
- while (isdigit(*p)) i = i * 10 + *p++ - '0';
+
+ li = strtol((const char *)p, &endptr, 10);
+ if (S32OVERFLOW(li))
+ {
+ fprintf(outfile, "** Repeat count too large\n");
+ return PR_OK;
+ }
+
+ p = (uint8_t *)endptr;
if (*p++ != '}')
{
fprintf(outfile, "** Expected '}' after \\[...]{...\n");
return PR_OK;
}
+
+ i = (int32_t)li;
if (i-- == 0)
{
fprintf(outfile, "** Zero repeat not allowed\n");
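Review bot: A negative repeat count now gets past the checks in this hunk: `strtol` accepts a leading `-`, `S32OVERFLOW(li)` by its name only range-checks against 32 bits (its definition is not shown), and `if (i-- == 0)` rejects zero alone. The removed digit loop could not yield a negative `i` from a short count, so the code after this hunk, which is not visible here, presumably assumes a positive count when it sizes and copies the replicated data. I would change the test to `if (i-- <= 0)` and the message to `"** Zero or negative repeat not allowed\n"`. The testinput2 cases added in this commit exercise only a far-over-range count, so a case with a signed count would pin the new behaviour.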
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2016-07-03 15:21:01 UTC (rev 543)
+++ code/trunk/testdata/testinput2 2016-07-06 08:42:50 UTC (rev 544)
@@ -4813,4 +4813,10 @@
\= Expect no match
abc
+/aaa/
+\[abc]{10000000000000000000000000000}
+\[a]{3}
+
+/\[AB]{6000000000000000000000}/expand
+
# End of testinput2
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2016-07-03 15:21:01 UTC (rev 543)
+++ code/trunk/testdata/testoutput2 2016-07-06 08:42:50 UTC (rev 544)
@@ -15186,6 +15186,15 @@
0 ^ 0
No match
+/aaa/
+\[abc]{10000000000000000000000000000}
+** Repeat count too large
+\[a]{3}
+ 0: aaa
+
+/\[AB]{6000000000000000000000}/expand
+** Pattern repeat count too large
+
# End of testinput2
Error -63: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data