- Notifications
You must be signed in to change notification settings - Fork5
Commit48789c5
committed
Fix regular-expression compiler to handle loops of constraint arcs.
It's possible to construct regular expressions that contain loops ofconstraint arcs (that is, ^ $ AHEAD BEHIND or LACON arcs). There's no usein fully traversing such a loop at execution, since you'd just end up inthe same NFA state without having consumed any input. Worse, such a loopleads to infinite looping in the pullback/pushfwd stage of compilation,because we keep pushing or pulling the same constraints around the loopin a vain attempt to move them to the pre or post state. Such looping waspreviously recognized inCVE-2007-4772; but the fix only handled the caseof trivial single-state loops (that is, a constraint arc leading back toits source state) ... and not only that, it was incorrect even for thatcase, because it broke the admittedly-not-very-clearly-stated API contractof the pull() and push() subroutines. The first two regression test casesadded by this commit exhibit patterns that result in assertion failuresbecause of that (though there seem to be no ill effects in non-assertbuilds). The other new test cases exhibit multi-state constraint loops;in an unpatched build they will run until the NFA state-count limit isexceeded.To fix, remove the code added forCVE-2007-4772, and instead create ageneral-purpose constraint-loop-breaking phase of regex compilation thatexecutes before we do pullback/pushfwd. Since we never need to traversea constraint loop fully, we can just break the loop at any chosen spot,if we add clone states that can replicate any sequence of arc transitionsthat would've traversed just part of the loop.Also add some commentary clarifying why we have to have all thesemachinations in the first place.This class of problems has been known for some time --- we had a reportfrom Marc Mamin about two years ago, for example, and there are relatedcomplaints in the Tcl bug tracker. I had discussed a fix of this kindoff-list with Henry Spencer, but didn't get around to doing somethingabout it until the issue was rediscovered by Greg Stark recently.Back-patch to all supported branches.1 parentd53e3d5 commit48789c5
File tree
4 files changed
+713
-58
lines changed- src
- backend/regex
- test/regress
- expected
- sql
4 files changed
+713
-58
lines changed0 commit comments
Comments
(0)