mirror of https://gitlab.gnome.org/GNOME/libxml2.git synced 2025-08-05 19:35:54 +03:00

Limit regexp nesting depth

Enforce a maximum nesting depth of 50 for regular expressions. Avoids
stack overflows with deeply nested regexes.

Found by OSS-Fuzz.
Nick Wellnhofer
2020-07-06 15:22:12 +02:00
parent 1e41e4fa8e
commit fc842f6eba


@@ -273,6 +273,8 @@ struct _xmlAutomata {
int determinist; int determinist;
int negs; int negs;
int flags; int flags;
int depth;
}; };
struct _xmlRegexp { struct _xmlRegexp {
@@ -5330,6 +5332,10 @@ xmlFAParseAtom(xmlRegParserCtxtPtr ctxt) {
xmlRegStatePtr start, oldend, start0; xmlRegStatePtr start, oldend, start0;
NEXT; NEXT;
if (ctxt->depth >= 50) {
ERROR("xmlFAParseAtom: maximum nesting depth exceeded");
return(-1);
}
/* /*
* this extra Epsilon transition is needed if we count with 0 allowed * this extra Epsilon transition is needed if we count with 0 allowed
* unfortunately this can't be known at that point * unfortunately this can't be known at that point
@@ -5341,7 +5347,9 @@ xmlFAParseAtom(xmlRegParserCtxtPtr ctxt) {
oldend = ctxt->end; oldend = ctxt->end;
ctxt->end = NULL; ctxt->end = NULL;
ctxt->atom = NULL; ctxt->atom = NULL;
ctxt->depth++;
xmlFAParseRegExp(ctxt, 0); xmlFAParseRegExp(ctxt, 0);
ctxt->depth--;
if (CUR == ')') { if (CUR == ')') {
NEXT; NEXT;
} else { } else {
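Review bot: The nesting limit in xmlFAParseAtom is a bare `50` in `if (ctxt->depth >= 50)`, with nothing in the code saying why that value was chosen or that it guards against stack exhaustion from untrusted patterns. A named constant next to the struct with a one-line comment, for example `#define XML_REGEXP_MAX_DEPTH 50 /* bounds xmlFAParseAtom -> xmlFAParseRegExp recursion */` (name is a suggestion), would make the bound easier to audit and tune. The initialisation of the new `depth` field is not visible in these hunks, so it is worth confirming that the parser context is zeroed on creation; otherwise the check would read an indeterminate value. The guard covers only the parenthesised-group path shown here, so any other recursive parse path outside this diff would need the same counter. xmlFAParseAtom's body starts and ends outside the hunks.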