Fixed heap-buffer-overflow while parsing regexp literals.
authorDmitry Volyntsev <xeioex@nginx.com>
Mon, 26 Aug 2019 16:00:13 +0000 (19:00 +0300)
committerDmitry Volyntsev <xeioex@nginx.com>
Mon, 26 Aug 2019 16:00:13 +0000 (19:00 +0300)
This closes issue #174 on GitHub.

src/njs_regexp.c
src/test/njs_unit_test.c

index c488ce09f9fed642ffa54d9b1fa8da3c886edc1c..038cbfef59a0ae1a09e2bc9e540cc86a0419da89 100644 (file)
@@ -333,14 +333,22 @@ njs_regexp_literal(njs_vm_t *vm, njs_parser_t *parser, njs_value_t *value)
             goto failed;
 
         case '[':
-            while (++p < lexer->end && *p != ']') {
+            while (1) {
+                if (++p >= lexer->end) {
+                    goto failed;
+                }
+
+                if (*p == ']') {
+                    break;
+                }
+
                 switch (*p) {
                 case '\n':
                 case '\r':
                     goto failed;
 
                 case '\\':
-                    if (++p < lexer->end && (*p == '\n' || *p == '\r')) {
+                    if (++p >= lexer->end || *p == '\n' || *p == '\r') {
                         goto failed;
                     }
 
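Review bot: The new exits to `failed` in the `'['` branch, and the matching one in the top-level `case '\\':` of the next hunk, can arrive with `p == lexer->end`. The `failed` label is outside this hunk, so confirm that the error path never reads `*p` and derives the reported length only from a `p` that is at most `lexer->end`. The operand order in `++p >= lexer->end || *p == '\n' || *p == '\r'` is the only thing keeping the dereference in bounds, and nothing on the line says so. A short comment above the `while (1)`, such as `/* the bounds check must precede every *p: p may equal lexer->end here */`, would guard against a later edit reordering it. The body of njs_regexp_literal starts and ends outside the hunk.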
@@ -351,7 +359,7 @@ njs_regexp_literal(njs_vm_t *vm, njs_parser_t *parser, njs_value_t *value)
             break;
 
         case '\\':
-            if (++p < lexer->end && (*p == '\n' || *p == '\r')) {
+            if (++p >= lexer->end || *p == '\n' || *p == '\r') {
                 goto failed;
             }
 
index d920935093e6adec94af0a0c5f82feac42140fca..f61eb3f32d72f870146f4b099635def8af2a2c0f 100644 (file)
@@ -5877,9 +5877,18 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("/]/"),
       njs_str("/\\]/") },
 
+    { njs_str("/["),
+      njs_str("SyntaxError: Unterminated RegExp \"/[\" in 1") },
+
+    { njs_str("/[\\"),
+      njs_str("SyntaxError: Unterminated RegExp \"/[\\\" in 1") },
+
     { njs_str("RegExp(']')"),
       njs_str("/\\]/") },
 
+    { njs_str("RegExp('[\\\\')"),
+      njs_str("SyntaxError: pcre_compile(\"[\\\") failed: \\ at end of pattern") },
+
     { njs_str("RegExp('[\\\\\\\\]]')"),
       njs_str("/[\\\\]\\]/") },
 
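Review bot: Neither added regexp-literal entry exercises the top-level `case '\\':` check that this commit also changes in src/njs_regexp.c, because both `/[` and `/[\\` take the character-class branch. If the table has no such entry elsewhere, add one for a literal that ends right after a backslash outside a class, e.g. an entry starting `{ njs_str("/\\"),` with the expected `Unterminated RegExp` text written by analogy with the `/[\\` entry. These entries compare only the resulting error string, so an out-of-bounds read of a byte or two is likely to be caught reliably only when the unit tests run under AddressSanitizer or a comparable memory checker.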
@@ -7859,6 +7868,9 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("new RegExp('[')"),
       njs_str("SyntaxError: pcre_compile(\"[\") failed: missing terminating ] for character class") },
 
+    { njs_str("new RegExp('['.repeat(16))"),
+      njs_str("SyntaxError: pcre_compile(\"[[[[[[[[[[[[[[[[\") failed: missing terminating ] for character class") },
+
     { njs_str("new RegExp('\\\\')"),
       njs_str("SyntaxError: pcre_compile(\"\\\") failed: \\ at end of pattern") },