[libxml2] Limit regexp nesting depth



commit fc842f6eba81f3b630e1ff1ffea69c6f4dd66ccc
Author: Nick Wellnhofer <wellnhofer aevum de>
Date:   Mon Jul 6 15:22:12 2020 +0200

    Limit regexp nesting depth
    
    Enforce a maximum nesting depth of 50 for regular expressions. Avoids
    stack overflows with deeply nested regexes.
    
    Found by OSS-Fuzz.

 xmlregexp.c | 8 ++++++++
 1 file changed, 8 insertions(+)
---
diff --git a/xmlregexp.c b/xmlregexp.c
index 687290e2..dbf3bf2c 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -273,6 +273,8 @@ struct _xmlAutomata {
     int determinist;
     int negs;
     int flags;
+
+    int depth;
 };
 
 struct _xmlRegexp {
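Review bot: The new `depth` member of `struct _xmlAutomata` is undocumented, and nothing in this diff shows where it is set to zero before parsing starts. A trailing comment such as `int depth; /* current group nesting level during parsing; bounded in xmlFAParseAtom */` would tie the field to the guard added further down. If the parser context is allocated zero-filled the counter starts at 0 implicitly, but that allocation is outside the visible hunks, so it is worth confirming, because an uninitialized counter would make the limit unpredictable.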
@@ -5330,6 +5332,10 @@ xmlFAParseAtom(xmlRegParserCtxtPtr ctxt) {
        xmlRegStatePtr start, oldend, start0;
 
        NEXT;
+        if (ctxt->depth >= 50) {
+           ERROR("xmlFAParseAtom: maximum nesting depth exceeded");
+            return(-1);
+        }
        /*
         * this extra Epsilon transition is needed if we count with 0 allowed
         * unfortunately this can't be known at that point
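Review bot: The limit in `if (ctxt->depth >= 50)` is a bare literal, so the bound the commit message describes exists only as a number inside xmlFAParseAtom. A named constant near the struct definitions, for example `#define XML_REGEXP_MAX_DEPTH 50` (suggested name) with a one-line comment that it caps parser recursion to protect the stack, would make the limit easy to find and audit. The `ERROR(...)` line is also indented one column less than the `return(-1);` below it. Patterns nested deeper than the limit that previously compiled will presumably now fail, which deserves a mention in user-facing documentation. xmlFAParseAtom begins and ends outside this hunk.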
@@ -5341,7 +5347,9 @@ xmlFAParseAtom(xmlRegParserCtxtPtr ctxt) {
        oldend = ctxt->end;
        ctxt->end = NULL;
        ctxt->atom = NULL;
+        ctxt->depth++;
        xmlFAParseRegExp(ctxt, 0);
+        ctxt->depth--;
        if (CUR == ')') {
            NEXT;
        } else {
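Review bot: No regression test accompanies the `ctxt->depth++` / `ctxt->depth--` pair around the recursive `xmlFAParseRegExp(ctxt, 0)` call; the diffstat lists only xmlregexp.c. A test that compiles one pattern nested exactly at the limit and one nested a level beyond it would pin the boundary and guard against the counter being dropped in a later refactor. A short comment above the increment, e.g. `/* count group nesting; xmlFAParseAtom rejects input beyond the depth limit */`, would also explain why the counter brackets this call. The enclosing function continues past the end of the hunk.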

