Merge pull request #246 from cmazakas/cve-42512790

fix integer overflow when parsing Perl-extended named backrefs
2025-06-25 03:51:31 +02:00 · 2025-03-04 19:27:22 +00:00
parent 34b1c2f615 f0ae2d8f57
commit f851a08050
3 changed files with 60 additions and 0 deletions
--- a/include/boost/regex/v5/basic_regex_parser.hpp
+++ b/include/boost/regex/v5/basic_regex_parser.hpp
@ -898,6 +898,11 @@ escape_type_class_jump:
         }
         const charT* pc = m_position;
         std::intmax_t i = this->m_traits.toi(pc, m_end, 10);
+         if(i < 0 && !syn_end)
+         {
+            fail(regex_constants::error_backref, m_position - m_base);
+            return false;
+         }
         if((i < 0) && syn_end)
         {
            // Check for a named capture, get the leftmost one if there is more than one:
--- a/test/Jamfile.v2
+++ b/test/Jamfile.v2
@ -138,6 +138,7 @@ run issue153.cpp : : : "<toolset>msvc:<linkflags>-STACK:2097152" ;
 run issue227.cpp ;
 run issue232.cpp ;
 run issue244.cpp ;
+run issue245.cpp ;
 run lookbehind_recursion_stress_test.cpp ;
 run regex_replace_overflow.cpp ;

--- a/test/issue245.cpp
+++ b/test/issue245.cpp
@ -0,0 +1,54 @@
+#include <boost/regex.hpp>
+
+#include <vector>
+#include <string>
+
+#include "test_macros.hpp"
+
+
+int main()
+{
+   // invalid because \k-- is an unterminated token
+   {
+      char const strdata[] = "\\k--00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k-00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "a(b*)c\\k{--1}d";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "a(b*)c\\k-{-1}d";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k{--00000000000000000000000000000000000000000000000000000000009223372036854775807}\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k{-00000000000000000000000000000000000000000000000000000000009223372036854775807}\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k{00000000000000000000000000000000000000000000000000000000009223372036854775807}\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+
+   return boost::report_errors();
+}