[libcxx] r316172 - Fix UB - signed integer overflow in regex. Thanks to Tim Shen for the patch. Reviewed as https://reviews.llvm.org/D39066

Marshall Clow via cfe-commits cfe-commits at lists.llvm.org
Thu Oct 19 10:39:16 PDT 2017 

Author: marshall
Date: Thu Oct 19 10:39:16 2017
New Revision: 316172

URL: http://llvm.org/viewvc/llvm-project?rev=316172&view=rev
Log:
Fix UB - signed integer overflow in regex. Thanks to Tim Shen for the patch. Reviewed as https://reviews.llvm.org/D39066

Added:
    libcxx/trunk/test/std/re/re.grammar/excessive_brace_count.pass.cpp
Modified:
    libcxx/trunk/include/regex

Modified: libcxx/trunk/include/regex
URL: http://llvm.org/viewvc/llvm-project/libcxx/trunk/include/regex?rev=316172&r1=316171&r2=316172&view=diff
==============================================================================
--- libcxx/trunk/include/regex (original)
+++ libcxx/trunk/include/regex Thu Oct 19 10:39:16 2017
@@ -4064,6 +4064,8 @@ basic_regex<_CharT, _Traits>::__parse_DU
                  __first != __last && ( __val = __traits_.value(*__first, 10)) != -1;
                  ++__first)
             {
+                if (__c >= std::numeric_limits<int>::max() / 10)
+                    __throw_regex_error<regex_constants::error_badbrace>();
                 __c *= 10;
                 __c += __val;
             }

Added: libcxx/trunk/test/std/re/re.grammar/excessive_brace_count.pass.cpp
URL: http://llvm.org/viewvc/llvm-project/libcxx/trunk/test/std/re/re.grammar/excessive_brace_count.pass.cpp?rev=316172&view=auto
==============================================================================
--- libcxx/trunk/test/std/re/re.grammar/excessive_brace_count.pass.cpp (added)
+++ libcxx/trunk/test/std/re/re.grammar/excessive_brace_count.pass.cpp Thu Oct 19 10:39:16 2017
@@ -0,0 +1,40 @@
+//===----------------------------------------------------------------------===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is dual licensed under the MIT and the University of Illinois Open
+// Source Licenses. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+
+// <regex>
+// UNSUPPORTED: libcpp-no-exceptions
+// UNSUPPORTED: c++03
+
+// the "n" in `a{n}` should be within the numeric limits.
+
+#include <regex>
+#include <cassert>
+
+int main() {
+  for (std::regex_constants::syntax_option_type op :
+       {std::regex::basic, std::regex::grep}) {
+    try {
+      (void)std::regex("a\\{100000000000000000\\}", op);
+      assert(false);
+    } catch (const std::regex_error &e) {
+      assert(e.code() == std::regex_constants::error_badbrace);
+    }
+  }
+  for (std::regex_constants::syntax_option_type op :
+       {std::regex::ECMAScript, std::regex::extended, std::regex::egrep,
+        std::regex::awk}) {
+    try {
+      (void)std::regex("a{100000000000000000}", op);
+      assert(false);
+    } catch (const std::regex_error &e) {
+      assert(e.code() == std::regex_constants::error_badbrace);
+    }
+  }
+  return 0;
+}

More information about the cfe-commits mailing list