RGBCube/serenity
1
Fork 0
mirror of https://github.com/RGBCube/serenity synced 2025-07-25 20:57:35 +00:00
Code Issues Activity Actions

LibRegex: Limit the number of nested capture groups allowed in BRE

Browse source 
Found by OSS-Fuzz: https://oss-fuzz.com/testcase?key=4869334212673536
This commit is contained in:
Ali Mohammad Pur 2021-08-30 23:24:46 +04:30 committed by Andreas Kling
parent c171aa40a8
commit 05c65f9b5d
2 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
Userland/Libraries/LibRegex/RegexParser.cpp
View file

@ -12,6 +12,7 @@
#include <AK/String.h>
#include <AK/StringBuilder.h>
#include <AK/StringUtils.h>
#include <AK/TemporaryChange.h>
#include <AK/Utf16View.h>
#include <LibUnicode/CharacterTypes.h>
@ -460,6 +461,11 @@ bool PosixBasicParser::parse_nonduplicating_re(ByteCode& bytecode, size_t& match
{
// nondupl_RE : one_char_or_coll_elem_RE | Back_open_paren RE_expression Back_close_paren | BACKREF
if (try_skip("\\(")) {
TemporaryChange change { m_current_capture_group_depth, m_current_capture_group_depth + 1 };
// Max number of addressable capture groups is 10, let's just be lenient
// and accept 20; anything past that is probably a silly pattern anyway.
if (m_current_capture_group_depth > 20)
return set_error(Error::InvalidPattern);
ByteCode capture_bytecode;
size_t capture_length_minimum = 0;
auto capture_group_index = ++m_parser_state.capture_groups_count;