De-Fuzz: Fixes for issues 0 and 3 from #12818:

Prevent left shifting by more bits than there are in type unsigned, and
check that the alternative points to a valid state before accessing it: we may not have constructed that state yet in a fail situation.
This commit is contained in:
jzmaddock
2017-02-12 19:57:35 +00:00
parent 7b9b5ee181
commit 8337584087


@ -901,7 +901,7 @@ escape_type_class_jump:
}
if(negative)
i = 1 + m_mark_count - i;
if(((i > 0) && (this->m_backrefs & (1u << (i-1)))) || ((i > 10000) && (this->m_pdata->get_id(i) > 0) && (this->m_backrefs & (1u << (this->m_pdata->get_id(i)-1)))))
if(((i > 0) && (i < std::numeric_limits<unsigned>::digits) && (this->m_backrefs & (1u << (i-1)))) || ((i > 10000) && (this->m_pdata->get_id(i) > 0) && (this->m_backrefs & (1u << (this->m_pdata->get_id(i)-1)))))
{
m_position = pc;
re_brace* pb = static_cast<re_brace*>(this->append_state(syntax_element_backref, sizeof(re_brace)));
@ -2596,7 +2596,7 @@ option_group_jump:
re_alt* alt = static_cast<re_alt*>(this->insert_state(expected_alt_point, syntax_element_alt, sizeof(re_alt)));
alt->alt.i = this->m_pdata->m_data.size() - this->getoffset(alt);
}
else if(this->getaddress(static_cast<re_alt*>(b)->alt.i, b)->type == syntax_element_alt)
else if(((std::ptrdiff_t)this->m_pdata->m_data.size() > static_cast<re_alt*>(b)->alt.i) && (static_cast<re_alt*>(b)->alt.i > 0) && this->getaddress(static_cast<re_alt*>(b)->alt.i, b)->type == syntax_element_alt)
{
// Can't have seen more than one alternative:
// Rewind to start of (? sequence:
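Review bot: In the first hunk (`@ -901`), the new `(i < std::numeric_limits<unsigned>::digits)` guard covers only the left-hand shift; the right-hand disjunct still evaluates `1u << (this->m_pdata->get_id(i)-1)` with no upper bound on the id, so if `get_id` can return a value at or above the width of unsigned (not visible here) the over-shift this commit set out to remove is still reachable on that path. Mirroring the guard there, ideally after hoisting `this->m_pdata->get_id(i)` into a local `id`, gives `(id > 0) && (id < std::numeric_limits<unsigned>::digits) && (this->m_backrefs & (1u << (id-1)))` and also avoids calling `get_id` three times in one condition. Separately, `i < digits` is one stricter than the shift by `i-1` requires (`i <= digits` is the exact bound), so a backreference numbered exactly at the bit width is now rejected; that is the safe direction, but a short comment saying so would stop a later reader from "fixing" it. The enclosing function starts and ends outside both hunks.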