Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

Commit3bb3f42

Browse files
committed
Fix some regex issues with out-of-range characters and large char ranges.
Previously, our regex code defined CHR_MAX as 0xfffffffe, which is abad choice because it is outside the range of type "celt" (int32).Characters approaching that limit could lead to infinite loops in logicsuch as "for (c = a; c <= b; c++)" where c is of type celt but therange bounds are chr. Such loops will work safely only if CHR_MAX+1is representable in celt, since c must advance to beyond b before theloop will exit.Fortunately, there seems no reason not to restrict CHR_MAX to 0x7ffffffe.It's highly unlikely that Unicode will ever assign codes that high, andnone of our other backend encodings need characters beyond that either.In addition to modifying the macro, we have to explicitly enforce characterrange restrictions on the values of \u, \U, and \x escape sequences, elsethe limit is trivially bypassed.Also, the code for expanding case-independent character ranges in bracketexpressions had a potential integer overflow in its calculation of thenumber of characters it could generate, which could lead to allocating toosmall a character vector and then overwriting memory. An attacker with theability to supply arbitrary regex patterns could easily cause transient DOSvia server crashes, and the possibility for privilege escalation has notbeen ruled out.Quite aside from the integer-overflow problem, the range expansion code wasunnecessarily inefficient in that it always produced a result consisting ofindividual characters, abandoning the knowledge that we had a range tostart with. If the input range is large, this requires excessive memory.Change it so that the original range is reported as-is, and then we add onany case-equivalent characters that are outside that range. With thisapproach, we can bound the number of individual characters allowed withoutsacrificing much. This patch allows at most 100000 individual characters,which I believe to be more than the number of case pairs existing inUnicode, so that the restriction will never be hit in practice.It's still possible for range() to take awhile given a large character coderange, so also add statement-cancel detection to its loop. The downstreamfunction dovec() also lacked cancel detection, and could take a long timegiven a large output from range().Per fuzz testing by Greg Stark. Back-patch to all supported branches.Security:CVE-2016-0773
1 parentf8a1c1d commit3bb3f42

File tree

6 files changed

+53
-18
lines changed

6 files changed

+53
-18
lines changed

‎src/backend/regex/regc_lex.c

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -813,13 +813,13 @@ lexescape(struct vars * v)
813813
break;
814814
caseCHR('u'):
815815
c=lexdigits(v,16,4,4);
816-
if (ISERR())
816+
if (ISERR()||c<CHR_MIN||c>CHR_MAX)
817817
FAILW(REG_EESCAPE);
818818
RETV(PLAIN,c);
819819
break;
820820
caseCHR('U'):
821821
c=lexdigits(v,16,8,8);
822-
if (ISERR())
822+
if (ISERR()||c<CHR_MIN||c>CHR_MAX)
823823
FAILW(REG_EESCAPE);
824824
RETV(PLAIN,c);
825825
break;
@@ -837,7 +837,7 @@ lexescape(struct vars * v)
837837
caseCHR('x'):
838838
NOTE(REG_UUNPORT);
839839
c=lexdigits(v,16,1,255);/* REs >255 long outside spec */
840-
if (ISERR())
840+
if (ISERR()||c<CHR_MIN||c>CHR_MAX)
841841
FAILW(REG_EESCAPE);
842842
RETV(PLAIN,c);
843843
break;
@@ -899,6 +899,9 @@ lexescape(struct vars * v)
899899

900900
/*
901901
* lexdigits - slurp up digits and return chr value
902+
*
903+
* This does not account for overflow; callers should range-check the result
904+
* if maxlen is large enough to make that possible.
902905
*/
903906
staticchr/* chr value; errors signalled via ERR */
904907
lexdigits(structvars*v,

‎src/backend/regex/regc_locale.c

Lines changed: 40 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -408,8 +408,7 @@ range(struct vars * v,/* context */
408408
intnchrs;
409409
structcvec*cv;
410410
celtc,
411-
lc,
412-
uc;
411+
cc;
413412

414413
if (a!=b&& !before(a,b))
415414
{
@@ -427,24 +426,51 @@ range(struct vars * v,/* context */
427426

428427
/*
429428
* When case-independent, it's hard to decide when cvec ranges are usable,
430-
* so for now at least, we won't try. We allocate enough space for two
431-
* case variants plus a little extra for the two title case variants.
429+
* so for now at least, we won't try. We use a range for the originally
430+
* specified chrs and then add on any case-equivalents that are outside
431+
* that range as individual chrs.
432+
*
433+
* To ensure sane behavior if someone specifies a very large range, limit
434+
* the allocation size to 100000 chrs (arbitrary) and check for overrun
435+
* inside the loop below.
432436
*/
437+
nchrs=b-a+1;
438+
if (nchrs <=0||nchrs>100000)
439+
nchrs=100000;
433440

434-
nchrs= (b-a+1)*2+4;
435-
436-
cv=getcvec(v,nchrs,0);
441+
cv=getcvec(v,nchrs,1);
437442
NOERRN();
443+
addrange(cv,a,b);
438444

439445
for (c=a;c <=b;c++)
440446
{
441-
addchr(cv,c);
442-
lc=pg_wc_tolower((chr)c);
443-
if (c!=lc)
444-
addchr(cv,lc);
445-
uc=pg_wc_toupper((chr)c);
446-
if (c!=uc)
447-
addchr(cv,uc);
447+
cc=pg_wc_tolower((chr)c);
448+
if (cc!=c&&
449+
(before(cc,a)||before(b,cc)))
450+
{
451+
if (cv->nchrs >=cv->chrspace)
452+
{
453+
ERR(REG_ETOOBIG);
454+
returnNULL;
455+
}
456+
addchr(cv,cc);
457+
}
458+
cc=pg_wc_toupper((chr)c);
459+
if (cc!=c&&
460+
(before(cc,a)||before(b,cc)))
461+
{
462+
if (cv->nchrs >=cv->chrspace)
463+
{
464+
ERR(REG_ETOOBIG);
465+
returnNULL;
466+
}
467+
addchr(cv,cc);
468+
}
469+
if (CANCEL_REQUESTED(v->re))
470+
{
471+
ERR(REG_CANCEL);
472+
returnNULL;
473+
}
448474
}
449475

450476
returncv;

‎src/backend/regex/regcomp.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1593,6 +1593,7 @@ dovec(struct vars * v,
15931593
{
15941594
ch=*p;
15951595
newarc(v->nfa,PLAIN,subcolor(v->cm,ch),lp,rp);
1596+
NOERR();
15961597
}
15971598

15981599
/* and the ranges */
@@ -1602,6 +1603,7 @@ dovec(struct vars * v,
16021603
to=*(p+1);
16031604
if (from <=to)
16041605
subrange(v,from,to,lp,rp);
1606+
NOERR();
16051607
}
16061608
}
16071609

‎src/include/regex/regcustom.h

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -65,7 +65,8 @@ typedef int celt;/* type to hold chr, or NOCELT */
6565
#defineDIGITVAL(c) ((c)-'0')/* turn chr digit into its value */
6666
#defineCHRBITS 32/* bits in a chr; must not use sizeof */
6767
#defineCHR_MIN 0x00000000/* smallest and largest chr; the value */
68-
#defineCHR_MAX 0xfffffffe/* CHR_MAX-CHR_MIN+1 should fit in uchr */
68+
#defineCHR_MAX 0x7ffffffe/* CHR_MAX-CHR_MIN+1 must fit in an int, and
69+
* CHR_MAX+1 must fit in both chr and celt */
6970

7071
/* functions operating on chr */
7172
#defineiscalnum(x) pg_wc_isalnum(x)

‎src/test/regress/expected/regex.out

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -495,3 +495,5 @@ select 'xyz' ~ 'x(\w)(?=\1)'; -- no backrefs in LACONs
495495
ERROR: invalid regular expression: invalid backreference number
496496
select 'xyz' ~ 'x(\w)(?=(\1))';
497497
ERROR: invalid regular expression: invalid backreference number
498+
select 'a' ~ '\x7fffffff'; -- invalid chr code
499+
ERROR: invalid regular expression: invalid escape \ sequence

‎src/test/regress/sql/regex.sql

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -121,3 +121,4 @@ select 'a' ~ '()+\1';
121121
-- Error conditions
122122
select'xyz' ~'x(\w)(?=\1)';-- no backrefs in LACONs
123123
select'xyz' ~'x(\w)(?=(\1))';
124+
select'a' ~'\x7fffffff';-- invalid chr code

0 commit comments

Comments
 (0)
[8]ページ先頭
©2009-2025 Movatter.jp