diff options
| author | Marshall Clow <mclow.lists@gmail.com> | 2017-10-19 17:39:16 +0000 |
|---|---|---|
| committer | Marshall Clow <mclow.lists@gmail.com> | 2017-10-19 17:39:16 +0000 |
| commit | 278c0ba4a689e669f1ecefa1cfc0709b980bc3ec (patch) | |
| tree | 1c1122c9db8cbf8889c06849a6dc46a9a4d0b3bc | |
| parent | 2ac694b611eb005d2b6b0292e6a0f0f51af0c052 (diff) | |
Fix UB - signed integer overflow in regex. Thanks to Tim Shen for the patch. Reviewed as https://reviews.llvm.org/D39066
git-svn-id: https://llvm.org/svn/llvm-project/libcxx/trunk@316172 91177308-0d34-0410-b5e6-96231b3b80d8
| -rw-r--r-- | include/regex | 2 | ||||
| -rw-r--r-- | test/std/re/re.grammar/excessive_brace_count.pass.cpp | 40 |
2 files changed, 42 insertions, 0 deletions
diff --git a/include/regex b/include/regex index bd7201204..80f958e0e 100644 --- a/include/regex +++ b/include/regex @@ -4064,6 +4064,8 @@ basic_regex<_CharT, _Traits>::__parse_DUP_COUNT(_ForwardIterator __first, __first != __last && ( __val = __traits_.value(*__first, 10)) != -1; ++__first) { + if (__c >= std::numeric_limits<int>::max() / 10) + __throw_regex_error<regex_constants::error_badbrace>(); __c *= 10; __c += __val; } diff --git a/test/std/re/re.grammar/excessive_brace_count.pass.cpp b/test/std/re/re.grammar/excessive_brace_count.pass.cpp new file mode 100644 index 000000000..7fe5f04f8 --- /dev/null +++ b/test/std/re/re.grammar/excessive_brace_count.pass.cpp @@ -0,0 +1,40 @@ +//===----------------------------------------------------------------------===// +// +// The LLVM Compiler Infrastructure +// +// This file is dual licensed under the MIT and the University of Illinois Open +// Source Licenses. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// + +// <regex> +// UNSUPPORTED: libcpp-no-exceptions +// UNSUPPORTED: c++03 + +// the "n" in `a{n}` should be within the numeric limits. + +#include <regex> +#include <cassert> + +int main() { + for (std::regex_constants::syntax_option_type op : + {std::regex::basic, std::regex::grep}) { + try { + (void)std::regex("a\\{100000000000000000\\}", op); + assert(false); + } catch (const std::regex_error &e) { + assert(e.code() == std::regex_constants::error_badbrace); + } + } + for (std::regex_constants::syntax_option_type op : + {std::regex::ECMAScript, std::regex::extended, std::regex::egrep, + std::regex::awk}) { + try { + (void)std::regex("a{100000000000000000}", op); + assert(false); + } catch (const std::regex_error &e) { + assert(e.code() == std::regex_constants::error_badbrace); + } + } + return 0; +} |