changeset 31119:5cf18ef0377c stable
regexp: Check pattern length before accessing it (bug #62704).
* liboctave/util/lo-regexp.cc (regexp::compile_internal): Check string length
before accessing character at position.
* libinterp/corefcn/regexp.cc (Fregexp): Add test.
author | Markus Mützel <markus.muetzel@gmx.de> |
---|---|
date | Mon, 04 Jul 2022 20:36:01 +0200 |
parents | 7060de0b45e5 |
children | d8d90ba892b0 65c4d98352d3 |
files | libinterp/corefcn/regexp.cc liboctave/util/lo-regexp.cc |
diffstat | 2 files changed, 8 insertions(+), 4 deletions(-) [+] |
--- a/libinterp/corefcn/regexp.cc Wed Jun 29 19:07:19 2022 +0200
+++ b/libinterp/corefcn/regexp.cc Mon Jul 04 20:36:01 2022 +0200
@@ -912,6 +912,7 @@
 ## segfault test
 %!assert (regexp ("abcde", "."), [1,2,3,4,5])
+%!assert <*62704> (regexpi('(', '\(?'), 1)
 ## Infinite loop test
 %!assert (isempty (regexp ("abcde", "")))
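Review bot: The added test `%!assert <*62704> (regexpi('(', '\(?'), 1)` covers only a pattern that ends right after `(?`, so nothing in this block reaches the second length check that the same commit adds for the character at `new_pos + 3` in liboctave/util/lo-regexp.cc. A companion test with a pattern that ends in `(?<` would pin that path, for example `%!error regexp ("a", "(?<")` if an error is the intended outcome; the page does not show which result is expected, so confirm before adding it. Because the pattern string comes straight from the caller, both truncated forms are worth keeping as permanent regression cases.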
--- a/liboctave/util/lo-regexp.cc Wed Jun 29 19:07:19 2022 +0200
+++ b/liboctave/util/lo-regexp.cc Mon Jul 04 20:36:01 2022 +0200
@@ -83,9 +83,11 @@
 while ((new_pos = m_pattern.find ("(?", pos)) != std::string::npos)
 {
- if (m_pattern.at (new_pos + 2) == '<'
- && !(m_pattern.at (new_pos + 3) == '='
- || m_pattern.at (new_pos + 3) == '!'))
+ if (m_pattern.size () > new_pos + 2
+ && m_pattern.at (new_pos + 2) == '<'
+ && ! (m_pattern.size () > new_pos + 3
+ && (m_pattern.at (new_pos + 3) == '='
+ || m_pattern.at (new_pos + 3) == '!')))
 {
 // The syntax of named tokens in pcre is "(?P<name>...)" while
 // we need a syntax "(?<name>...)", so fix that here. Also an
@@ -137,7 +139,8 @@
 pos = tmp_pos;
 }
- else if (m_pattern.at (new_pos + 2) == '<')
+ else if (m_pattern.size () > new_pos + 2
+ && m_pattern.at (new_pos + 2) == '<')
 {
 // Find lookbehind operators of arbitrary length (ie like
 // "(?<=[a-z]*)") and replace with a maximum length operator
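Review bot: A pattern that ends at `(?<` now passes the first condition, because the `new_pos + 3` length test fails and the negation turns that into true, so it is routed into the named-token branch. That branch's body lies outside this hunk, so confirm it reports a syntax error when no closing `>` exists rather than indexing further into `m_pattern`. The scan `m_pattern.find ("(?", pos)` also matches an escaped paren, as the new test pattern `\(?` shows, so a pattern such as `\(?<` would presumably be treated as a group opener; the commit leaves that unchanged. As a style point, the paired `m_pattern.size () > new_pos + 2 && m_pattern.at (new_pos + 2) == '<'` here and in the `else if` of the second hunk could be written once as `m_pattern.compare (new_pos + 2, 1, "<") == 0`, which cannot go out of range after a successful `find` of the two-character token.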