diff options
| author | Jonathan Wakely <jwakely@redhat.com> | 2022-08-22 15:16:16 +0100 |
|---|---|---|
| committer | Jonathan Wakely <jwakely@redhat.com> | 2023-06-23 13:37:05 +0100 |
| commit | fab3692a2cf961b7364d7f77dd976ba0e4f752b7 (patch) | |
| tree | f12e0816d8ce5deac4d7f59d6dd8ee8cac693ac9 | |
| parent | 596aa947770806d93395d190de3b1d7e14391a21 (diff) | |
libstdc++: Check for overflow in regex back-reference [PR106607]
Currently we fail to notice integer overflow when parsing a
back-reference expression, or when converting the parsed result from
long to int. This changes the result to be int, so no conversion is
needed, and uses the overflow-checking built-ins to detect an
out-of-range back-reference.
libstdc++-v3/ChangeLog:
PR libstdc++/106607
* include/bits/regex_compiler.tcc (_Compiler::_M_cur_int_value):
Use built-ins to check for integer overflow in back-reference
number.
* testsuite/28_regex/basic_regex/106607.cc: New test.
(cherry picked from commit 1b09eea33f2bf9d1eae73b25cc25efb05ea1dc3f)
| -rw-r--r-- | libstdc++-v3/include/bits/regex_compiler.tcc | 10 | ||||
| -rw-r--r-- | libstdc++-v3/testsuite/28_regex/basic_regex/106607.cc | 25 |
2 files changed, 31 insertions, 4 deletions
diff --git a/libstdc++-v3/include/bits/regex_compiler.tcc b/libstdc++-v3/include/bits/regex_compiler.tcc index da71af90b95..762d0e19f5f 100644 --- a/libstdc++-v3/include/bits/regex_compiler.tcc +++ b/libstdc++-v3/include/bits/regex_compiler.tcc @@ -588,10 +588,12 @@ namespace __detail _Compiler<_TraitsT>:: _M_cur_int_value(int __radix) { - long __v = 0; - for (typename _StringT::size_type __i = 0; - __i < _M_value.length(); ++__i) - __v =__v * __radix + _M_traits.value(_M_value[__i], __radix); + int __v = 0; + for (_CharT __c : _M_value) + if (__builtin_mul_overflow(__v, __radix, &__v) + || __builtin_add_overflow(__v, _M_traits.value(__c, __radix), &__v)) + std::__throw_regex_error(regex_constants::error_backref, + "invalid back reference"); return __v; } diff --git a/libstdc++-v3/testsuite/28_regex/basic_regex/106607.cc b/libstdc++-v3/testsuite/28_regex/basic_regex/106607.cc new file mode 100644 index 00000000000..f8e7fb2364d --- /dev/null +++ b/libstdc++-v3/testsuite/28_regex/basic_regex/106607.cc @@ -0,0 +1,25 @@ +// { dg-do run { target c++11 } } + +#include <regex> +#include <string> +#include <climits> +#include <testsuite_hooks.h> + +// PR libstdc++/106607 - Regex integer overflow on large backreference value + +int main() +{ + std::regex r("(.)\\1"); // OK + + try + { + long long n = (unsigned)-1 + 2LL; // 4294967297 for 32-bit int + VERIFY( (int)n == 1 ); // 4294967297 % 2^32 == 1 + std::regex r("(.)\\" + std::to_string(n)); // Invalid back reference. + VERIFY(false); + } + catch (const std::regex_error& e) + { + VERIFY( e.code() == std::regex_constants::error_backref ); + } +} |