summaryrefslogtreecommitdiff
path: root/Userland/Libraries/LibRegex
diff options
context:
space:
mode:
authorAli Mohammad Pur <ali.mpfard@gmail.com>2021-07-13 02:13:17 +0430
committerGunnar Beutner <gunnar@beutner.name>2021-07-13 07:04:06 +0200
commit189922f44291d83a4f5aa8df988f85fd63d6f461 (patch)
treeb468b58c07b275814729d6c9304be8f21bdd00b6 /Userland/Libraries/LibRegex
parentf9fed0b16712c05a13ad1a89a781e88609a53639 (diff)
downloadserenity-189922f44291d83a4f5aa8df988f85fd63d6f461.zip
LibRegex: Disallow excessively large repetition counts in {B,E}RE
Diffstat (limited to 'Userland/Libraries/LibRegex')
-rw-r--r--Userland/Libraries/LibRegex/RegexParser.cpp13
1 files changed, 12 insertions, 1 deletions
diff --git a/Userland/Libraries/LibRegex/RegexParser.cpp b/Userland/Libraries/LibRegex/RegexParser.cpp
index b2b7c19f6d..340b360c14 100644
--- a/Userland/Libraries/LibRegex/RegexParser.cpp
+++ b/Userland/Libraries/LibRegex/RegexParser.cpp
@@ -13,6 +13,8 @@
namespace regex {
+static constexpr size_t s_maximum_repetition_count = 1024 * 1024;
+
ALWAYS_INLINE bool Parser::set_error(Error error)
{
if (m_parser_state.error == Error::NoError) {
@@ -395,6 +397,12 @@ bool PosixBasicParser::parse_simple_re(ByteCode& bytecode, size_t& match_length_
if (!try_skip("\\}"))
return set_error(Error::MismatchingBrace);
+ if (max_limit.value_or(min_limit) < min_limit)
+ return set_error(Error::InvalidBraceContent);
+
+ if (min_limit > s_maximum_repetition_count || (max_limit.has_value() && *max_limit > s_maximum_repetition_count))
+ return set_error(Error::InvalidBraceContent);
+
ByteCode::transform_bytecode_repetition_min_max(simple_re_bytecode, min_limit, max_limit, true);
match_length_minimum += re_match_length_minimum * min_limit;
} else {
@@ -533,6 +541,9 @@ ALWAYS_INLINE bool PosixExtendedParser::parse_repetition_symbol(ByteCode& byteco
auto minimum = maybe_minimum.value();
match_length_minimum *= minimum;
+ if (minimum > s_maximum_repetition_count)
+ return set_error(Error::InvalidBraceContent);
+
if (match(TokenType::Comma)) {
consume();
} else {
@@ -551,7 +562,7 @@ ALWAYS_INLINE bool PosixExtendedParser::parse_repetition_symbol(ByteCode& byteco
}
if (!number_builder.is_empty()) {
auto value = number_builder.build().to_uint();
- if (!value.has_value() || minimum > value.value())
+ if (!value.has_value() || minimum > value.value() || *value > s_maximum_repetition_count)
return set_error(Error::InvalidBraceContent);
maybe_maximum = value.value();
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-16 18:49:16 +0000