From 94cc103b8cfcfb040b5aad121d7fbd928f6a1336 Mon Sep 17 00:00:00 2001
From: Daniel Veillard <veillard@src.gnome.org>
Date: Thu, 15 Sep 2005 13:09:00 +0000
Subject: [PATCH] detect combinatory explosion and return with a runtime error
 in those

* xmlregexp.c: detect combinatory explosion and return with
  a runtime error in those case, c.f. #316338 though maybe we
  should not see such an explosion with that specific regexp,
  more checking needs to be done.
Daniel
---
 ChangeLog   |  7 +++++++
 xmlregexp.c | 16 +++++++++++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index a6ce1bde..367a9873 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+Thu Sep 15 15:08:21 CEST 2005 Daniel Veillard <daniel@veillard.com>
+
+	* xmlregexp.c: detect combinatory explosion and return with
+	  a runtime error in those case, c.f. #316338 though maybe we
+	  should not see such an explosion with that specific regexp,
+	  more checking needs to be done.
+
 Wed Sep 14 19:52:18 CEST 2005 Kasimier Buchcik <libxml2-cvs@cazic.net>
 
 	* include/libxml/schemasInternals.h: Added some comments for the
diff --git a/xmlregexp.c b/xmlregexp.c
index 45b917b9..9d479217 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -42,6 +42,8 @@
 /* #define DEBUG_PUSH */
 /* #define DEBUG_COMPACTION */
 
+#define MAX_PUSH 100000
+
 #define ERROR(str)							\
     ctxt->error = XML_REGEXP_COMPILE_ERROR;				\
     xmlRegexpErrCompile(ctxt, str);
@@ -326,6 +328,7 @@ struct _xmlRegExecCtxt {
     xmlRegStatePtr errState;    /* the error state */
     xmlChar *errString;		/* the string raising the error */
     int *errCounts;		/* counters at the error state */
+    int nbPush;
 };
 
 #define REGEXP_ALL_COUNTER	0x123456
@@ -2336,6 +2339,12 @@ xmlFARegExecSave(xmlRegExecCtxtPtr exec) {
     xmlFARegDebugExec(exec);
     exec->transno--;
 #endif
+#ifdef MAX_PUSH
+    if (exec->nbPush > MAX_PUSH) {
+        return;
+    }
+    exec->nbPush++;
+#endif
 
     if (exec->maxRollbacks == 0) {
 	exec->maxRollbacks = 4;
@@ -2426,6 +2435,7 @@ xmlFARegExec(xmlRegexpPtr comp, const xmlChar *content) {
 
     exec->inputString = content;
     exec->index = 0;
+    exec->nbPush = 0;
     exec->determinist = 1;
     exec->maxRollbacks = 0;
     exec->nbRollbacks = 0;
@@ -2632,8 +2642,11 @@ progress:
 	xmlFree(exec->counts);
     if (exec->status == 0)
 	return(1);
-    if (exec->status == -1)
+    if (exec->status == -1) {
+	if (exec->nbPush > MAX_PUSH)
+	    return(-1);
 	return(0);
+    }
     return(exec->status);
 }
 
@@ -2708,6 +2721,7 @@ xmlRegNewExecCtxt(xmlRegexpPtr comp, xmlRegExecCallbacks callback, void *data) {
     exec->inputStack = NULL;
     exec->errStateNo = -1;
     exec->errString = NULL;
+    exec->nbPush = 0;
     return(exec);
 }