Regex: Fix integer overflow in expression parsing.

See: https://oss-fuzz.com/v2/testcase-detail/6189682419302400?noredirect=1
jzmaddock
2017-10-07 09:47:19 +01:00
parent 289ce86488
commit 881a157243
2 changed files with 8 additions and 0 deletions


@ -2070,6 +2070,11 @@ insert_recursion:
fail(regex_constants::error_perl_extension, m_position - m_base, "An invalid or unterminated recursive sub-expression.");
return false;
}
if ((std::numeric_limits<boost::intmax_t>::max)() - m_mark_count < v)
{
fail(regex_constants::error_perl_extension, m_position - m_base, "An invalid or unterminated recursive sub-expression.");
return false;
}
v += m_mark_count;
goto insert_recursion;
case regex_constants::syntax_dash:
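Review bot: The added guard before `v += m_mark_count;` has no comment and reuses the message "An invalid or unterminated recursive sub-expression.", which misdescribes a relative index that is simply too large. A one-line comment such as `// reject v if v + m_mark_count would overflow intmax_t` above the `if` would record why the branch exists, and a distinct message would make fuzzing and bug reports easier to triage. The bound checked is the maximum of `boost::intmax_t`, so the guard only guarantees that the sum fits that type. Whether the code at `insert_recursion`, which lies outside the hunk, later narrows `v` to a smaller integer cannot be told from here and is worth confirming.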


@ -307,6 +307,7 @@ template <class charT, class traits>
boost::intmax_t global_toi(const charT*& p1, const charT* p2, int radix, const traits& t)
{
(void)t; // warning suppression
boost::intmax_t limit = (std::numeric_limits<boost::intmax_t>::max)() / radix;
boost::intmax_t next_value = t.value(*p1, radix);
if((p1 == p2) || (next_value < 0) || (next_value >= radix))
return -1;
@ -319,6 +320,8 @@ boost::intmax_t global_toi(const charT*& p1, const charT* p2, int radix, const t
result *= radix;
result += next_value;
++p1;
if (result > limit)
return -1;
}
return result;
}
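Review bot: The added `if (result > limit)` test in the second hunk runs after `result *= radix; result += next_value;`, so a `result` exactly equal to `limit` passes and the next digit can still overflow the addition. For radix 10 with a 64-bit `boost::intmax_t`, `limit * 10` plus a digit of 8 or 9 exceeds the maximum, which is signed overflow. Testing before the arithmetic closes that case and also accepts the full representable range: `if (result > ((std::numeric_limits<boost::intmax_t>::max)() - next_value) / radix) return -1;` placed ahead of `result *= radix;`. The loop header and the declaration of `result` lie outside the hunk, so this assumes `next_value` has already been validated there as `0 <= next_value < radix`.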