Blob Blame History Raw
From 400034faee44b65a5e33014e7ce4edcfcfba870f Mon Sep 17 00:00:00 2001
From: Michael Santos <michael.santos@gmail.com>
Date: Thu, 18 Mar 2010 20:08:10 -0400
Subject: [PATCH 6/7] Fix check for compile workspace overflow

Patch from:
http://vcs.pcre.org/viewvc/code/trunk/pcre_compile.c?r1=504&r2=505&view=patch

Test case:
N = 819, re:compile([lists:duplicate(N, $(), lists:duplicate(N, $))]).

Compiling large regular expressions could overflow the workspace
buffer. Modify the test to check for a value smaller than the buffer
size.
---
 erts/emulator/pcre/pcre_compile.c |    9 +++++++--
 1 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/erts/emulator/pcre/pcre_compile.c b/erts/emulator/pcre/pcre_compile.c
index 2974336..9508c5a 100644
--- a/erts/emulator/pcre/pcre_compile.c
+++ b/erts/emulator/pcre/pcre_compile.c
@@ -92,6 +92,11 @@ is 4 there is plenty of room. */
 
 #define COMPILE_WORK_SIZE (4096)
 
+/* The overrun tests check for a slightly smaller size so that they detect the
+overrun before it actually does run off the end of the data block. */
+
+#define WORK_SIZE_CHECK (COMPILE_WORK_SIZE - 100)
+
 
 /* Table for handling escaped characters in the range '0'-'z'. Positive returns
 are simple data values; negative values are for special things like \d and so
@@ -2445,7 +2450,7 @@ for (;; ptr++)
 #ifdef DEBUG
     if (code > cd->hwm) cd->hwm = code;                 /* High water info */
 #endif
-    if (code > cd->start_workspace + COMPILE_WORK_SIZE) /* Check for overrun */
+    if (code > cd->start_workspace + WORK_SIZE_CHECK)   /* Check for overrun */
       {
       *errorcodeptr = ERR52;
       goto FAILED;
@@ -2494,7 +2499,7 @@ for (;; ptr++)
   /* In the real compile phase, just check the workspace used by the forward
   reference list. */
 
-  else if (cd->hwm > cd->start_workspace + COMPILE_WORK_SIZE)
+  else if (cd->hwm > cd->start_workspace + WORK_SIZE_CHECK)
     {
     *errorcodeptr = ERR52;
     goto FAILED;
-- 
1.6.6.1