From 881a1572434a5360ba235648f04a523b25d20406 Mon Sep 17 00:00:00 2001
From: jzmaddock
Date: Sat, 7 Oct 2017 09:47:19 +0100
Subject: [PATCH] Regex: Fix integer overflow in expression parsing. See: https://oss-fuzz.com/v2/testcase-detail/6189682419302400?noredirect=1
---
 include/boost/regex/v4/basic_regex_parser.hpp | 5 +++++
 include/boost/regex/v4/regex_traits_defaults.hpp | 3 +++
 2 files changed, 8 insertions(+)
diff --git a/include/boost/regex/v4/basic_regex_parser.hpp b/include/boost/regex/v4/basic_regex_parser.hpp
index 4ab1670e..8889db7e 100644
--- a/include/boost/regex/v4/basic_regex_parser.hpp
+++ b/include/boost/regex/v4/basic_regex_parser.hpp
@@ -2070,6 +2070,11 @@ insert_recursion:
 fail(regex_constants::error_perl_extension, m_position - m_base, "An invalid or unterminated recursive sub-expression.");
 return false;
 }
+ if ((std::numeric_limits::max)() - m_mark_count < v)
+ {
+ fail(regex_constants::error_perl_extension, m_position - m_base, "An invalid or unterminated recursive sub-expression.");
+ return false;
+ }
 v += m_mark_count;
 goto insert_recursion;
 case regex_constants::syntax_dash:
diff --git a/include/boost/regex/v4/regex_traits_defaults.hpp b/include/boost/regex/v4/regex_traits_defaults.hpp
index d5107882..df9922df 100644
--- a/include/boost/regex/v4/regex_traits_defaults.hpp
+++ b/include/boost/regex/v4/regex_traits_defaults.hpp
@@ -307,6 +307,7 @@ template
 boost::intmax_t global_toi(const charT*& p1, const charT* p2, int radix, const traits& t)
 {
 (void)t; // warning suppression
+ boost::intmax_t limit = (std::numeric_limits::max)() / radix;
 boost::intmax_t next_value = t.value(*p1, radix);
 if((p1 == p2) || (next_value < 0) || (next_value >= radix))
 return -1;
@@ -319,6 +320,8 @@ boost::intmax_t global_toi(const charT*& p1, const charT* p2, int radix, const t
 result *= radix;
 result += next_value;
 ++p1;
+ if (result > limit)
+ return -1;
 }
 return result;
 }
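Review bot: The new overflow guard in basic_regex_parser.hpp reuses the "An invalid or unterminated recursive sub-expression." message of the guard directly above it, so a pattern rejected because its recursion index is out of range is reported as unterminated and the two failure paths cannot be told apart from the error; a distinct message such as `"Recursive sub-expression index is out of range."` would keep the actual reason visible. The condition `(std::numeric_limits::max)() - m_mark_count < v` also deserves a why-comment, e.g. `// reject v here so that v += m_mark_count below cannot overflow`. If the limit's type and `m_mark_count` differ in signedness the subtraction is carried out in the unsigned type, so confirm that the preceding guard (its condition is not in the hunk) already rejects a negative `v` before this comparison is reached. The enclosing parse function starts and ends outside the hunk.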
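Review bot: In the first regex_traits_defaults.hpp hunk, `limit` divides by `radix` on entry, ahead of the `next_value >= radix` test that previously made a zero radix return -1, so a caller passing `radix == 0` would now divide by zero instead of getting -1; the callers are outside this diff, so this may be unreachable in practice, but it is cheap to avoid. Declaring the value after the first `return -1;` and as a constant, `const boost::intmax_t limit = (std::numeric_limits<boost::intmax_t>::max)() / radix;`, keeps the existing validation in front of the division and states that the bound does not change during the loop.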
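Review bot: In the second regex_traits_defaults.hpp hunk the check `if (result > limit) return -1;` runs after `result *= radix; result += next_value;`, so it bounds the next iteration's multiplication but not this iteration's addition: a `result` equal to `limit` (`max / radix`) passes the test, is multiplied up to `max - (max % radix)`, and the digit added afterwards can still carry it past `max`, which is signed overflow. For radix 10 on a 64-bit `intmax_t` the remainder `max % 10` is 7, so a final digit of 8 or 9 at that boundary is not caught, and the wrapped value is then not greater than `limit` either. An exact test placed before the accumulation closes the window: `if (result > ((std::numeric_limits<boost::intmax_t>::max)() - next_value) / radix) return -1;` ahead of `result *= radix;`, after which the `limit` variable from the previous hunk is no longer needed. The loop head and the declaration of `result` lie between the two hunks and are not shown here.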