author | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2011-11-22 11:23:43 +0000 |
---|---|---|
committer | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2011-11-22 11:23:43 +0000 |
commit | 3d74632d426e8db6d5cb93e4c3fa5048f9c44e0c (patch) | |
tree | 17cd2bc781176541ece399a5130c8ea3d07d2814 /pcre_compile.c | |
parent | 130da81a5142a5cef80543ae5b64167229c23432 (diff) | |
Test for workspace overflow with forward reference data.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@760 2f5784b3-3f2a-0410-8824-cb99058d5e15
Diffstat (limited to 'pcre_compile.c')
-rw-r--r-- | pcre_compile.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/pcre_compile.c b/pcre_compile.c index 4a63e69..a5c6cea 100644 --- a/pcre_compile.c +++ b/pcre_compile.c @@ -413,6 +413,7 @@ static const char error_texts[] = /* 70 */ "internal error: unknown opcode in find_fixedlength()\0" "\\N is not supported in a class\0" + "too many forward references\0" ; /* Table to identify digits and hex digits. This is used when compiling @@ -4895,6 +4896,11 @@ for (;; ptr++) memcpy(code, previous, len); for (hc = save_hwm; hc < this_hwm; hc += LINK_SIZE) { + if (cd->hwm >= cd->start_workspace + WORK_SIZE_CHECK) + { + *errorcodeptr = ERR72; + goto FAILED; + } PUT(cd->hwm, 0, GET(hc, 0) + len); cd->hwm += LINK_SIZE; } @@ -4922,7 +4928,7 @@ for (;; ptr++) add 2 + 2*LINKSIZE to allow for the nesting that occurs. Do some paranoid checks to avoid integer overflow. The INT64_OR_DOUBLE type is a 64-bit integer type when available, otherwise double. */ - + if (lengthptr != NULL && repeat_max > 0) { int delta = repeat_max * (length_prevgroup + 1 + 2 + 2*LINK_SIZE) - @@ -4962,6 +4968,11 @@ for (;; ptr++) memcpy(code, previous, len); for (hc = save_hwm; hc < this_hwm; hc += LINK_SIZE) { + if (cd->hwm >= cd->start_workspace + WORK_SIZE_CHECK) + { + *errorcodeptr = ERR72; + goto FAILED; + } PUT(cd->hwm, 0, GET(hc, 0) + len + ((i != 0)? 2+LINK_SIZE : 1)); cd->hwm += LINK_SIZE; } @@ -5977,8 +5988,13 @@ for (;; ptr++) /* Fudge the value of "called" so that when it is inserted as an offset below, what it actually inserted is the reference number of the group. Then remember the forward reference. */ - + called = cd->start_code + recno; + if (cd->hwm >= cd->start_workspace + WORK_SIZE_CHECK) + { + *errorcodeptr = ERR72; + goto FAILED; + } PUTINC(cd->hwm, 0, (int)(code + 1 - cd->start_code)); } |
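Review bot: Adding `"too many forward references\0"` to `error_texts` gives the compiler a new error code, so any other table indexed by compile error code needs a matching entry, and none is visible here. The diffstat is limited to pcre_compile.c, so I cannot tell whether the commit updates such a table elsewhere (a wrapper that maps compile errors to its own codes, for example). The ERR72 enum member is also not added in any visible hunk, so it is presumably already defined; worth confirming that its value matches this string's position after the `/* 70 */` marker.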
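Review bot: The guard added inside the `for (hc = save_hwm; ...)` loop at new line 4896 tests `cd->hwm >= cd->start_workspace + WORK_SIZE_CHECK` and then writes LINK_SIZE bytes at `cd->hwm`, so it is only sound if WORK_SIZE_CHECK sits at least LINK_SIZE bytes below the real end of the workspace. That definition is outside this diff, and the same dependency applies to the identical guards in the hunks at new lines 4968 and 5988. I would state the invariant beside the first guard, e.g. `/* WORK_SIZE_CHECK must leave >= LINK_SIZE bytes of headroom for the PUT below */`. Since the same five-line block now appears three times, consider folding it into one macro or static helper so the sites cannot drift apart. The enclosing `for (;; ptr++)` loop starts and ends outside these hunks, so other writes through `cd->hwm` may exist that this change does not cover.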