authorph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>2015-08-10 14:19:06 +0000
committerph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>2015-08-10 14:19:06 +0000
commitb35246ac4badf9c2a99b21b214998361babd7afb (patch)
treecf42e1604470932447b8e9879df012abe12f65f7
parentaf3e8a7cb35c34366283fb6c81354a37045b251f (diff)
downloadpcre-b35246ac4badf9c2a99b21b214998361babd7afb.tar.gz
Add missing integer overflow checks.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1589 2f5784b3-3f2a-0410-8824-cb99058d5e15
-rw-r--r--ChangeLog4
-rw-r--r--pcre_compile.c11
-rw-r--r--testdata/testinput24
-rw-r--r--testdata/testoutput26
4 files changed, 25 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 1059c83..024ec19 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -116,6 +116,10 @@ Version 8.38 xx-xxx-xxxx
30. Error messages for syntax errors following \g and \k were giving inaccurate
offsets in the pattern.
+
+31. Added a check for integer overflow in conditions (?(<digits>) and
+ (?(R<digits>). This omission was discovered by Karl Skomski with the LLVM
+ fuzzer.
Version 8.37 28-April-2015
diff --git a/pcre_compile.c b/pcre_compile.c
index f65c156..09c8759 100644
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -6769,6 +6769,12 @@ for (;; ptr++)
{
while (IS_DIGIT(*ptr))
{
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ while (IS_DIGIT(*ptr)) ptr++;
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
recno = recno * 10 + (int)(*ptr - CHAR_0);
ptr++;
}
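Review bot: The guard `recno > INT_MAX / 10 - 1` is correct but its `- 1` deserves a comment, since the next line appends a digit of up to 9 and `INT_MAX / 10 * 10 + 9` already exceeds INT_MAX; the same expression appears again in the second hunk before the `name[i]` accumulation. I would extend the trailing comment to `/* Integer overflow: recno * 10 + 9 must still fit in an int */` at both sites, or factor the bound into one named constant so the two copies cannot drift apart. The first hunk skips the remaining digits before failing so the reported offset lands after the number, while the second hunk does not; if that path reports relative to a pointer already past the name this is fine, but it is worth confirming against the offsets in the new testoutput2 expectations. The enclosing `for (;; ptr++)` loop and, in the second hunk, the loop over `name[i]` both start outside the hunk.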
@@ -6903,6 +6909,11 @@ for (;; ptr++)
*errorcodeptr = ERR15;
goto FAILED;
}
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
recno = recno * 10 + name[i] - CHAR_0;
}
if (recno == 0) recno = RREF_ANY;
diff --git a/testdata/testinput2 b/testdata/testinput2
index 43e07fb..e79a7fd 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4199,4 +4199,8 @@ backtracking verbs. --/
/0(?0)|(1)(*THEN)(*SKIP:0)(*FAIL)/
01
+/((?(R8000000000)))/
+
+/(?(8000000000/
+
/-- End of testinput2 --/
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index f528f36..88950d7 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14543,4 +14543,10 @@ Need char = '0'
01
No match
+/((?(R8000000000)))/
+Failed: number is too big at offset 16
+
+/(?(8000000000/
+Failed: number is too big at offset 13
+
/-- End of testinput2 --/