[njs] Fixed heap-buffer-overflow while parsing regexp literals.

Dmitry Volyntsev
August 26, 2019 12:02PM
details: https://hg.nginx.org/njs/rev/12e9519e7eb4
branches:
changeset: 1143:12e9519e7eb4
user: Dmitry Volyntsev <xeioex@nginx.com>
date: Mon Aug 26 19:00:13 2019 +0300
description:
Fixed heap-buffer-overflow while parsing regexp literals.

This closes #174 issue on Github.

diffstat:

src/njs_regexp.c | 14 +++++++++++---
src/test/njs_unit_test.c | 12 ++++++++++++
2 files changed, 23 insertions(+), 3 deletions(-)

diffs (69 lines):

diff -r a3e8a7a51161 -r 12e9519e7eb4 src/njs_regexp.c
--- a/src/njs_regexp.c Fri Aug 23 20:00:40 2019 +0300
+++ b/src/njs_regexp.c Mon Aug 26 19:00:13 2019 +0300
@@ -333,14 +333,22 @@ njs_regexp_literal(njs_vm_t *vm, njs_par
goto failed;

case '[':
- while (++p < lexer->end && *p != ']') {
+ while (1) {
+ if (++p >= lexer->end) {
+ goto failed;
+ }
+
+ if (*p == ']') {
+ break;
+ }
+
switch (*p) {
case '\n':
case '\r':
goto failed;

case '\\':
- if (++p < lexer->end && (*p == '\n' || *p == '\r')) {
+ if (++p >= lexer->end || *p == '\n' || *p == '\r') {
goto failed;
}

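Review bot: in the '[' case, the rewritten while (1) loop has two exits that mean different things, "++p >= lexer->end" (input ran out inside the class, goto failed) and "*p == ']'" (class closed, break), and neither is commented. A one-line comment above the bounds check saying that end of input inside a character class is an unterminated literal would make the intent clear, since the removed loop header treated both conditions as an ordinary loop exit.
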
@@ -351,7 +359,7 @@ njs_regexp_literal(njs_vm_t *vm, njs_par
break;

case '\\':
- if (++p < lexer->end && (*p == '\n' || *p == '\r')) {
+ if (++p >= lexer->end || *p == '\n' || *p == '\r') {
goto failed;
}

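Review bot: the test in the top-level '\\' case, "++p >= lexer->end || *p == '\n' || *p == '\r'", is now an exact copy of the one inside the '[' loop in the previous hunk, and the removed lines show that the same faulty condition had been copied into both places. Consider a small helper or macro for "step past a backslash or fail" so the two escape checks cannot drift apart again.
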
diff -r a3e8a7a51161 -r 12e9519e7eb4 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c Fri Aug 23 20:00:40 2019 +0300
+++ b/src/test/njs_unit_test.c Mon Aug 26 19:00:13 2019 +0300
@@ -5877,9 +5877,18 @@ static njs_unit_test_t njs_test[] =
{ njs_str("/]/"),
njs_str("/\\]/") },

+ { njs_str("/["),
+ njs_str("SyntaxError: Unterminated RegExp \"/[\" in 1") },
+
+ { njs_str("/[\\"),
+ njs_str("SyntaxError: Unterminated RegExp \"/[\\\" in 1") },
+
{ njs_str("RegExp(']')"),
njs_str("/\\]/") },

+ { njs_str("RegExp('[\\\\')"),
+ njs_str("SyntaxError: pcre_compile(\"[\\\") failed: \\ at end of pattern") },
+
{ njs_str("RegExp('[\\\\\\\\]]')"),
njs_str("/[\\\\]\\]/") },

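Review bot: the literal cases added here, "/[" and "/[\\", both end inside a character class, so they cover only the '[' branch of njs_regexp_literal(). Nothing added in this patch is a literal that ends in a backslash outside a class, which is the path changed by the second hunk in src/njs_regexp.c. If no existing case covers it, add one next to these with the matching "Unterminated RegExp" expectation.
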
@@ -7859,6 +7868,9 @@ static njs_unit_test_t njs_test[] =
{ njs_str("new RegExp('[')"),
njs_str("SyntaxError: pcre_compile(\"[\") failed: missing terminating ] for character class") },

+ { njs_str("new RegExp('['.repeat(16))"),
+ njs_str("SyntaxError: pcre_compile(\"[[[[[[[[[[[[[[[[\") failed: missing terminating ] for character class") },
+
{ njs_str("new RegExp('\\\\')"),
njs_str("SyntaxError: pcre_compile(\"\\\") failed: \\ at end of pattern") },

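Review bot: the repeat count in new RegExp('['.repeat(16)) is unexplained. The expected result is a pcre_compile() error rather than "Unterminated RegExp", so this input appears to reach pcre_compile() instead of failing in the literal parser changed in src/njs_regexp.c. A short comment saying what a 16-character pattern is meant to trigger, or a reference to issue #174, would tell later readers why the case exists and whether the length matters.
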
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel