Merge pull request #246 from cmazakas/cve-42512790

fix integer overflow when parsing Perl-extended named backrefs
2025-03-04 19:27:22 +00:00 · 2025-03-03 10:51:42 -08:00 · 2025-02-28 12:58:02 +00:00 · 2025-02-20 14:53:42 -08:00 · 2025-01-28 09:27:11 +00:00
6 changed files with 93 additions and 1 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -10,6 +10,7 @@ on:
      - master
      - develop
      - feature/**
+      - cve-*
  pull_request:
  release:
    types: [published, created, edited]
--- a/include/boost/regex/v5/basic_regex_parser.hpp
+++ b/include/boost/regex/v5/basic_regex_parser.hpp
@ -898,6 +898,11 @@ escape_type_class_jump:
         }
         const charT* pc = m_position;
         std::intmax_t i = this->m_traits.toi(pc, m_end, 10);
+         if(i < 0 && !syn_end)
+         {
+            fail(regex_constants::error_backref, m_position - m_base);
+            return false;
+         }
         if((i < 0) && syn_end)
         {
            // Check for a named capture, get the leftmost one if there is more than one:
@ -997,7 +1002,7 @@ bool basic_regex_parser<charT, traits>::parse_repeat(std::size_t low, std::size_
      if((m_position != m_end)
         && (0 == (this->flags() & regbase::main_option_type)) 
         && (this->m_traits.syntax_type(*m_position) == regex_constants::syntax_plus))
-      {
+      { 
         possessive = true;
         ++m_position;
      }
@ -1114,6 +1119,13 @@ bool basic_regex_parser<charT, traits>::parse_repeat(std::size_t low, std::size_
                  else
                     contin = false;
                  break;
+               case regex_constants::syntax_hash:
+                  if (this->flags() & regex_constants::mod_x) {
+                     while((m_position != m_end) && !is_separator(*m_position++)){}
+                     contin = true;
+                     break;
+                  }
+                  BOOST_REGEX_FALLTHROUGH;
               default:
                  contin = false;
               }
--- a/include/boost/regex/v5/regbase.hpp
+++ b/include/boost/regex/v5/regbase.hpp
@ -19,6 +19,8 @@
 #ifndef BOOST_REGEX_V5_REGBASE_HPP
 #define BOOST_REGEX_V5_REGBASE_HPP

+#include <boost/regex/config.hpp>
+
 namespace boost{
 //
 // class regbase
--- a/test/Jamfile.v2
+++ b/test/Jamfile.v2
@ -137,6 +137,8 @@ compile test_windows_defs_4.cpp ;
 run issue153.cpp : : : "<toolset>msvc:<linkflags>-STACK:2097152" ;
 run issue227.cpp ;
 run issue232.cpp ;
+run issue244.cpp ;
+run issue245.cpp ;
 run lookbehind_recursion_stress_test.cpp ;
 run regex_replace_overflow.cpp ;

--- a/test/issue244.cpp
+++ b/test/issue244.cpp
@ -0,0 +1,21 @@
+#include <boost/regex.hpp>
+
+#include <string>
+
+#include "test_macros.hpp"
+
+int main()
+{
+   char const strdata1[] = "\x00t\x03.z%(?x:]*+\x0c#\\x0c\x0c\x0c+\x0c#\\x0c\x0c\x0c\x11\x0c\x0c\xff\xff\xfd*\xff\xff\xff\xff\xff\xff\xff\xff|\xff\xff\xfd*\xff\xff)*\x01\x03\x00\x00\x00\x03\xff\xff\xff\x00\x00\xff\xff\xff";
+   char const strdata2[] = "(?x:]*+#comment\n+)*";
+   
+   std::string str1(strdata1, strdata1 + sizeof(strdata1) - 1);
+   std::string str2(strdata2, strdata2 + sizeof(strdata2) - 1);
+
+   boost::match_results<std::string::const_iterator> what;
+   
+   BOOST_TEST_THROWS((boost::regex(str1)), boost::regex_error);
+   BOOST_TEST_THROWS((boost::regex(str2)), boost::regex_error);
+
+   return boost::report_errors();
+}
--- a/test/issue245.cpp
+++ b/test/issue245.cpp
@ -0,0 +1,54 @@
+#include <boost/regex.hpp>
+
+#include <vector>
+#include <string>
+
+#include "test_macros.hpp"
+
+
+int main()
+{
+   // invalid because \k-- is an unterminated token
+   {
+      char const strdata[] = "\\k--00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k-00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "a(b*)c\\k{--1}d";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "a(b*)c\\k-{-1}d";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k{--00000000000000000000000000000000000000000000000000000000009223372036854775807}\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k{-00000000000000000000000000000000000000000000000000000000009223372036854775807}\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k{00000000000000000000000000000000000000000000000000000000009223372036854775807}\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+
+   return boost::report_errors();
+}
Author	SHA1	Message	Date
jzmaddock	f851a08050	Merge pull request #246 from cmazakas/cve-42512790 fix integer overflow when parsing Perl-extended named backrefs	2025-03-04 19:27:22 +00:00
Christian Mazakas	f0ae2d8f57	fix integer overflow when parsing Perl-extended named backrefs	2025-03-03 10:51:42 -08:00
jzmaddock	34b1c2f615	Merge pull request #245 from cmazakas/cve-42506269 fix cve issue 42506269	2025-02-28 12:58:02 +00:00
Christian Mazakas	187be72eb8	fix cve issue 42506269	2025-02-20 14:53:42 -08:00
jzmaddock	0b64ecef6c	Merge pull request #242 from boostorg/master-merge-2025-01-27 Master merge 2025 01 27	2025-01-28 09:27:11 +00:00