Skip to content

Commit f0ae2d8

Browse files
cmazakascmazakas
committed
fix integer overflow when parsing Perl-extended named backrefs
1 parent 34b1c2f commit f0ae2d8

File tree

3 files changed

+60
-0
lines changed

3 files changed

+60
-0
lines changed

include/boost/regex/v5/basic_regex_parser.hpp

+5
Original file line numberDiff line numberDiff line change
@@ -898,6 +898,11 @@ bool basic_regex_parser<charT, traits>::parse_extended_escape()
898898
}
899899
const charT* pc = m_position;
900900
std::intmax_t i = this->m_traits.toi(pc, m_end, 10);
901+
if(i < 0 && !syn_end)
902+
{
903+
fail(regex_constants::error_backref, m_position - m_base);
904+
return false;
905+
}
901906
if((i < 0) && syn_end)
902907
{
903908
// Check for a named capture, get the leftmost one if there is more than one:

test/Jamfile.v2

+1
Original file line numberDiff line numberDiff line change
@@ -138,6 +138,7 @@ run issue153.cpp : : : "<toolset>msvc:<linkflags>-STACK:2097152" ;
138138
run issue227.cpp ;
139139
run issue232.cpp ;
140140
run issue244.cpp ;
141+
run issue245.cpp ;
141142
run lookbehind_recursion_stress_test.cpp ;
142143
run regex_replace_overflow.cpp ;
143144

test/issue245.cpp

+54
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,54 @@
1+
#include <boost/regex.hpp>
2+
3+
#include <vector>
4+
#include <string>
5+
6+
#include "test_macros.hpp"
7+
8+
9+
int main()
10+
{
11+
// invalid because \k-- is an unterminated token
12+
{
13+
char const strdata[] = "\\k--00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
14+
std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
15+
BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
16+
}
17+
{
18+
char const strdata[] = "\\k-00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
19+
std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
20+
BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
21+
}
22+
{
23+
char const strdata[] = "\\k00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
24+
std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
25+
BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
26+
}
27+
{
28+
char const strdata[] = "a(b*)c\\k{--1}d";
29+
std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
30+
BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
31+
}
32+
{
33+
char const strdata[] = "a(b*)c\\k-{-1}d";
34+
std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
35+
BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
36+
}
37+
{
38+
char const strdata[] = "\\k{--00000000000000000000000000000000000000000000000000000000009223372036854775807}\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
39+
std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
40+
BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
41+
}
42+
{
43+
char const strdata[] = "\\k{-00000000000000000000000000000000000000000000000000000000009223372036854775807}\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
44+
std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
45+
BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
46+
}
47+
{
48+
char const strdata[] = "\\k{00000000000000000000000000000000000000000000000000000000009223372036854775807}\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
49+
std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
50+
BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
51+
}
52+
53+
return boost::report_errors();
54+
}

0 commit comments

Comments
 (0)