From fc842f6eba81f3b630e1ff1ffea69c6f4dd66ccc Mon Sep 17 00:00:00 2001
From: Nick Wellnhofer <wellnhofer@aevum.de>
Date: Mon, 6 Jul 2020 15:22:12 +0200
Subject: [PATCH] Limit regexp nesting depth
Enforce a maximum nesting depth of 50 for regular expressions. Avoids
stack overflows with deeply nested regexes.
Found by OSS-Fuzz.
---
xmlregexp.c | 8 ++++++++
1 file changed, 8 insertions(+)
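diff --git a/xmlregexp.c b/xmlregexp.c
index 687290e2..dbf3bf2c 100644
--- a/xmlregexp.c
+++ b/xmlregexp.c
@@ -273,6 +273,8 @@ struct _xmlAutomata {
 int determinist;
 int negs;
 int flags;
+
+ int depth;
 };
 
 struct _xmlRegexp {
@@ -5330,6 +5332,10 @@ xmlFAParseAtom(xmlRegParserCtxtPtr ctxt) {
 xmlRegStatePtr start, oldend, start0;
 
 NEXT;
+ if (ctxt->depth >= 50) {
+ ERROR("xmlFAParseAtom: maximum nesting depth exceeded");
+ return(-1);
+ }
 /*
 * this extra Epsilon transition is needed if we count with 0 allowed
 * unfortunately this can't be known at that point
@@ -5341,7 +5347,9 @@ xmlFAParseAtom(xmlRegParserCtxtPtr ctxt) {
 oldend = ctxt->end;
 ctxt->end = NULL;
 ctxt->atom = NULL;
+ ctxt->depth++;
 xmlFAParseRegExp(ctxt, 0);
+ ctxt->depth--;
 if (CUR == ')') {
 NEXT;
 } else {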
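Review bot: The nesting limit in xmlFAParseAtom is the bare literal `50` in `if (ctxt->depth >= 50)`, with nothing in the code tying it to the stack budget it protects; a named constant with a short comment, for example `#define XML_REGEXP_MAX_DEPTH 50 /* bounds xmlFAParseAtom -> xmlFAParseRegExp recursion */` (the name is only a suggestion), would make the bound easier to audit and to lower on small-stack targets. The new `depth` field is only incremented and decremented in these hunks, so the guard depends on the parser context being zero-initialised where it is allocated; that code is not shown here and is worth confirming. A regression input with more than 50 nested groups would also pin the new error path. xmlFAParseAtom begins and ends outside the hunks, so any other recursive path through it could not be checked from this page.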
--
2.23.0