[libxml2] Limit regexp nesting depth
- From: Nick Wellnhofer <nwellnhof src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [libxml2] Limit regexp nesting depth
- Date: Mon, 6 Jul 2020 13:32:40 +0000 (UTC)
commit fc842f6eba81f3b630e1ff1ffea69c6f4dd66ccc
Author: Nick Wellnhofer <wellnhofer aevum de>
Date: Mon Jul 6 15:22:12 2020 +0200
Limit regexp nesting depth
Enforce a maximum nesting depth of 50 for regular expressions. Avoids
stack overflows with deeply nested regexes.
Found by OSS-Fuzz.
xmlregexp.c | 8 ++++++++
1 file changed, 8 insertions(+)
---
diff --git a/xmlregexp.c b/xmlregexp.c
index 687290e2..dbf3bf2c 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -273,6 +273,8 @@ struct _xmlAutomata {
int determinist;
int negs;
int flags;
+
+ int depth;
};
struct _xmlRegexp {
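Review bot: The new `int depth;` member is added without a comment saying what it counts or who maintains it; a one-liner such as `int depth; /* current '(' nesting level while parsing, bounded in xmlFAParseAtom */` would make the invariant visible at the declaration. The limit check added later in this commit relies on the counter starting at 0, and the code that allocates the context is not part of this diff, so it is worth confirming the structure is zero-initialised there. The struct definition begins before this hunk.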
@@ -5330,6 +5332,10 @@ xmlFAParseAtom(xmlRegParserCtxtPtr ctxt) {
xmlRegStatePtr start, oldend, start0;
NEXT;
+ if (ctxt->depth >= 50) {
+ ERROR("xmlFAParseAtom: maximum nesting depth exceeded");
+ return(-1);
+ }
/*
* this extra Epsilon transition is needed if we count with 0 allowed
* unfortunately this can't be known at that point
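Review bot: The bound in `if (ctxt->depth >= 50)` is a bare literal that is repeated only in the commit message, so the next reader has no local explanation of why 50 or what it protects. A file-local named constant (the name here is only a suggestion), e.g. `#define XML_REGEXP_MAX_DEPTH 50` used as `if (ctxt->depth >= XML_REGEXP_MAX_DEPTH) {`, with a short comment that each nested group recurses through xmlFAParseRegExp and that the cap keeps untrusted patterns from exhausting the stack, would document the security intent. The body of xmlFAParseAtom starts and ends outside this hunk.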
@@ -5341,7 +5347,9 @@ xmlFAParseAtom(xmlRegParserCtxtPtr ctxt) {
oldend = ctxt->end;
ctxt->end = NULL;
ctxt->atom = NULL;
+ ctxt->depth++;
xmlFAParseRegExp(ctxt, 0);
+ ctxt->depth--;
if (CUR == ')') {
NEXT;
} else {
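Review bot: The limit enforced around `xmlFAParseRegExp(ctxt, 0)` ships without a regression case, since the diffstat lists only xmlregexp.c, so nothing pins the boundary between the deepest accepted nesting and the first rejected one. Two test patterns, one nested exactly at the limit and one a level deeper, would catch an off-by-one if the check or the placement of `ctxt->depth++` / `ctxt->depth--` changes later. It is also worth confirming that the failure raised in the inner xmlFAParseAtom stops the outer levels promptly: this site does not inspect the outcome of the nested parse before testing `CUR == ')'`, and whether the callers consult the context's error state is not visible here. xmlFAParseAtom continues past the end of this hunk.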