diff options
-rw-r--r-- | include/regex | 16 | ||||
-rw-r--r-- | test/std/re/re.regex/re.regex.construct/bad_backref.pass.cpp | 1 |
2 files changed, 12 insertions, 5 deletions
diff --git a/include/regex b/include/regex index 80f958e0e..79813529d 100644 --- a/include/regex +++ b/include/regex @@ -4327,8 +4327,12 @@ basic_regex<_CharT, _Traits>::__parse_decimal_escape(_ForwardIterator __first, unsigned __v = *__first - '0'; for (++__first; __first != __last && '0' <= *__first && *__first <= '9'; ++__first) + { + if (__v >= std::numeric_limits<unsigned>::max() / 10) + __throw_regex_error<regex_constants::error_backref>(); __v = 10 * __v + *__first - '0'; - if (__v > mark_count()) + } + if (__v == 0 || __v > mark_count()) __throw_regex_error<regex_constants::error_backref>(); __push_back_ref(__v); } @@ -5455,15 +5459,17 @@ match_results<_BidirectionalIterator, _Allocator>::format(_OutputIter __output, if ('0' <= __fmt_first[1] && __fmt_first[1] <= '9') { ++__fmt_first; - size_t __i = *__fmt_first - '0'; + size_t __idx = *__fmt_first - '0'; if (__fmt_first + 1 != __fmt_last && '0' <= __fmt_first[1] && __fmt_first[1] <= '9') { ++__fmt_first; - __i = 10 * __i + *__fmt_first - '0'; + if (__idx >= std::numeric_limits<size_t>::max() / 10) + __throw_regex_error<regex_constants::error_escape>(); + __idx = 10 * __idx + *__fmt_first - '0'; } - __output = _VSTD::copy((*this)[__i].first, - (*this)[__i].second, __output); + __output = _VSTD::copy((*this)[__idx].first, + (*this)[__idx].second, __output); } else { diff --git a/test/std/re/re.regex/re.regex.construct/bad_backref.pass.cpp b/test/std/re/re.regex/re.regex.construct/bad_backref.pass.cpp index e66d3e976..8e886cd8d 100644 --- a/test/std/re/re.regex/re.regex.construct/bad_backref.pass.cpp +++ b/test/std/re/re.regex/re.regex.construct/bad_backref.pass.cpp @@ -34,6 +34,7 @@ int main() { assert(error_badbackref_thrown("\\1abc")); // no references assert(error_badbackref_thrown("ab(c)\\2def")); // only one reference + assert(error_badbackref_thrown("\\800000000000000000000000000000")); // overflows // this should NOT throw, because we only should look at the '1' // See https://bugs.llvm.org/show_bug.cgi?id=31387 |