author | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2015-08-10 14:19:06 +0000 |
---|---|---|
committer | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2015-08-10 14:19:06 +0000 |
commit | b35246ac4badf9c2a99b21b214998361babd7afb (patch) | |
tree | cf42e1604470932447b8e9879df012abe12f65f7 | |
parent | af3e8a7cb35c34366283fb6c81354a37045b251f (diff) | |
Add missing integer overflow checks.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1589 2f5784b3-3f2a-0410-8824-cb99058d5e15
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | pcre_compile.c | 11 | ||||
-rw-r--r-- | testdata/testinput2 | 4 | ||||
-rw-r--r-- | testdata/testoutput2 | 6 |
4 files changed, 25 insertions, 0 deletions
@@ -116,6 +116,10 @@ Version 8.38 xx-xxx-xxxx
 30. Error messages for syntax errors following \g and \k were giving inaccurate offsets in the pattern.
+
+31. Added a check for integer overflow in conditions (?(<digits>) and
+ (?(R<digits>). This omission was discovered by Karl Skomski with the LLVM
+ fuzzer.
 Version 8.37 28-April-2015
diff --git a/pcre_compile.c b/pcre_compile.c
index f65c156..09c8759 100644
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -6769,6 +6769,12 @@ for (;; ptr++)
 {
 while (IS_DIGIT(*ptr))
 {
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ while (IS_DIGIT(*ptr)) ptr++;
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
 recno = recno * 10 + (int)(*ptr - CHAR_0);
 ptr++;
 }
@@ -6903,6 +6909,11 @@ for (;; ptr++)
 *errorcodeptr = ERR15;
 goto FAILED;
 }
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
 recno = recno * 10 + name[i] - CHAR_0;
 }
 if (recno == 0) recno = RREF_ANY;
diff --git a/testdata/testinput2 b/testdata/testinput2
index 43e07fb..e79a7fd 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4199,4 +4199,8 @@ backtracking verbs. --/
 /0(?0)|(1)(*THEN)(*SKIP:0)(*FAIL)/
 01
+/((?(R8000000000)))/
+
+/(?(8000000000/
+
 /-- End of testinput2 --/
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index f528f36..88950d7 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14543,4 +14543,10 @@ Need char = '0'
 01
 No match
+/((?(R8000000000)))/
+Failed: number is too big at offset 16
+
+/(?(8000000000/
+Failed: number is too big at offset 13
+
 /-- End of testinput2 --/
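Review bot: The guard `if (recno > INT_MAX / 10 - 1)` in the pcre_compile.c hunk at 6769 is deliberately conservative — it also rejects recno == INT_MAX / 10 even when the next digit would still fit — and the bare `/* Integer overflow */` comment does not say so, so a later reader may "tighten" it; I would expand the comment to `/* Conservative: any larger recno could overflow in recno * 10 + digit below */` here and in the second hunk at 6909, where the same test is repeated. The bound itself is sound: with recno <= INT_MAX / 10 - 1, recno * 10 + 9 is still below INT_MAX, so the multiply-add that follows cannot wrap. Because the identical expression now appears twice in the same file, a small `static` helper or a named macro would keep the two call sites in step if the limit is ever revisited. The enclosing `for (;; ptr++)` loop, and the loop over `name[i]` in the second hunk, begin and end outside the hunks, so whether recno is always non-negative on entry is not visible here.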