From 897d1f7fd515b828e4b198d8b8bef76c6faf03ed Mon Sep 17 00:00:00 2001 From: John Lightsey Date: Wed, 20 Nov 2019 20:02:45 -0600 Subject: [PATCH] regcomp.c: Prevent integer overflow from nested regex quantifiers. (CVE-2020-10543) On 32bit systems the size calculations for nested regular expression quantifiers could overflow causing heap memory corruption. Fixes: Perl/perl5-security#125 (cherry picked from commit bfd31397db5dc1a5c5d3e0a1f753a4f89a736e71) Upstream-Status: Backport [https://github.com/perl/perl5/commit/897d1f7fd515b828e4b198d8b8bef76c6faf03ed] CVE: CVE-2020-10543 Signed-off-by: Lee Chee Yang --- regcomp.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/regcomp.c b/regcomp.c index 93c8d98fbb0..5f86be8086d 100644 --- a/regcomp.c +++ b/regcomp.c @@ -5489,6 +5489,12 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp, RExC_precomp))); } + if ( ( minnext > 0 && mincount >= SSize_t_MAX / minnext ) + || min >= SSize_t_MAX - minnext * mincount ) + { + FAIL("Regexp out of space"); + } + min += minnext * mincount; is_inf_internal |= deltanext == SSize_t_MAX || (maxcount == REG_INFTY && minnext + deltanext > 0);