From 7de023237f950117cf4549d100796a410e3f806e Mon Sep 17 00:00:00 2001
From: jzmaddock
Date: Thu, 19 Oct 2017 18:23:43 +0100
Subject: [PATCH] Regex: Add a hard limit on the number of nested parenthesis allowed. Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=3471#c2.
---
 include/boost/regex/v4/basic_regex_parser.hpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/include/boost/regex/v4/basic_regex_parser.hpp b/include/boost/regex/v4/basic_regex_parser.hpp
index ce4abf7c..86575c4b 100644
--- a/include/boost/regex/v4/basic_regex_parser.hpp
+++ b/include/boost/regex/v4/basic_regex_parser.hpp
@@ -105,6 +105,7 @@ private:
    std::ptrdiff_t m_paren_start; // where the last seen ')' began (where repeats are inserted).
    std::ptrdiff_t m_alt_insert_point; // where to insert the next alternative
    bool m_has_case_change; // true if somewhere in the current block the case has changed
+   unsigned m_recursion_count; // How many times we've called parse_all.
 #if defined(BOOST_MSVC) && defined(_M_IX86)
    // This is an ugly warning suppression workaround (for warnings *inside* std::vector
    // that can not otherwise be suppressed)...
@@ -120,7 +121,7 @@ private:
 template
 basic_regex_parser::basic_regex_parser(regex_data* data)
-   : basic_regex_creator(data), m_mark_count(0), m_mark_reset(-1), m_max_mark(0), m_paren_start(0), m_alt_insert_point(0), m_has_case_change(false)
+   : basic_regex_creator(data), m_mark_count(0), m_mark_reset(-1), m_max_mark(0), m_paren_start(0), m_alt_insert_point(0), m_has_case_change(false), m_recursion_count(0)
 {
 }
@@ -245,11 +246,17 @@ void basic_regex_parser::fail(regex_constants::error_type error_c
 template
 bool basic_regex_parser::parse_all()
 {
+   if (++m_recursion_count > 400)
+   {
+      // exceeded internal limits
+      fail(boost::regex_constants::error_complexity, m_position - m_base, "Exceeded nested brace limit.");
+   }
    bool result = true;
    while(result && (m_position != m_end))
    {
       result = (this->*m_parser_proc)();
    }
+   --m_recursion_count;
    return result;
 }
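Review bot: If fail() returns rather than throwing, parse_all falls through into the parse loop with m_recursion_count already past the limit and the counter is never wound back — the hunk header shows fail() declared void, and whether it throws in every build configuration is not visible here. Making the guard an explicit exit, `fail(boost::regex_constants::error_complexity, m_position - m_base, "Exceeded nested brace limit."); return false;`, keeps the loop and the decrement unreachable once the limit is hit regardless of how fail() reports the error. The bare `400` would also read better as a named constant declared next to m_recursion_count in the first hunk, with a comment saying it bounds parse_all recursion depth from nested parentheses, which is what the commit subject says the limit protects against. The error text `"Exceeded nested brace limit."` names braces while the subject and the member comment describe parenthesis/parse_all nesting; `"Exceeded nested parenthesis limit."` would match what actually triggers it.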