|
|
|
|
/*
|
|
|
|
|
* Copyright (c) 1998, 1999 Henry Spencer. All rights reserved.
|
|
|
|
|
*
|
|
|
|
|
* Development of this software was funded, in part, by Cray Research Inc.,
|
|
|
|
|
* UUNET Communications Services Inc., Sun Microsystems Inc., and Scriptics
|
|
|
|
|
* Corporation, none of whom are responsible for the results. The author
|
|
|
|
|
* thanks all of them.
|
|
|
|
|
*
|
|
|
|
|
* Redistribution and use in source and binary forms -- with or without
|
|
|
|
|
* modification -- are permitted for any purpose, provided that
|
|
|
|
|
* redistributions in source form retain this entire copyright notice and
|
|
|
|
|
* indicate the origin and nature of any modifications.
|
|
|
|
|
*
|
|
|
|
|
* I'd appreciate being given credit for this package in the documentation
|
|
|
|
|
* of software which uses it, but that is not a requirement.
|
|
|
|
|
*
|
|
|
|
|
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
|
|
|
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
|
|
|
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
|
|
|
|
* HENRY SPENCER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
|
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
|
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
|
|
|
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
|
|
|
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
|
|
|
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
|
|
|
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
|
*
|
|
|
|
|
* src/include/regex/regcustom.h
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* headers if any */
|
|
|
|
|
#include "postgres.h"
|
|
|
|
|
|
|
|
|
|
#include <ctype.h>
|
|
|
|
|
#include <limits.h>
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* towlower() and friends should be in <wctype.h>, but some pre-C99 systems
|
|
|
|
|
* declare them in <wchar.h>.
|
|
|
|
|
*/
|
|
|
|
|
#ifdef HAVE_WCHAR_H
|
|
|
|
|
#include <wchar.h>
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef HAVE_WCTYPE_H
|
|
|
|
|
#include <wctype.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include "mb/pg_wchar.h"
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* overrides for regguts.h definitions, if any */
|
|
|
|
|
#define FUNCPTR(name, args) (*name) args
|
|
|
|
|
#define MALLOC(n) malloc(n)
|
|
|
|
|
#define FREE(p) free(VS(p))
|
|
|
|
|
#define REALLOC(p,n) realloc(VS(p),n)
|
|
|
|
|
#define assert(x) Assert(x)
|
|
|
|
|
|
|
|
|
|
/* internal character type and related */
|
|
|
|
|
typedef pg_wchar chr; /* the type itself */
|
|
|
|
|
typedef unsigned uchr; /* unsigned type that will hold a chr */
|
|
|
|
|
typedef int celt; /* type to hold chr, or NOCELT */
|
|
|
|
|
|
|
|
|
|
#define NOCELT (-1) /* celt value which is not valid chr */
|
|
|
|
|
#define CHR(c) ((unsigned char) (c)) /* turn char literal into chr literal */
|
|
|
|
|
#define DIGITVAL(c) ((c)-'0') /* turn chr digit into its value */
|
|
|
|
|
#define CHRBITS 32 /* bits in a chr; must not use sizeof */
|
|
|
|
|
#define CHR_MIN 0x00000000 /* smallest and largest chr; the value */
|
Fix some regex issues with out-of-range characters and large char ranges.
Previously, our regex code defined CHR_MAX as 0xfffffffe, which is a
bad choice because it is outside the range of type "celt" (int32).
Characters approaching that limit could lead to infinite loops in logic
such as "for (c = a; c <= b; c++)" where c is of type celt but the
range bounds are chr. Such loops will work safely only if CHR_MAX+1
is representable in celt, since c must advance to beyond b before the
loop will exit.
Fortunately, there seems no reason not to restrict CHR_MAX to 0x7ffffffe.
It's highly unlikely that Unicode will ever assign codes that high, and
none of our other backend encodings need characters beyond that either.
In addition to modifying the macro, we have to explicitly enforce character
range restrictions on the values of \u, \U, and \x escape sequences, else
the limit is trivially bypassed.
Also, the code for expanding case-independent character ranges in bracket
expressions had a potential integer overflow in its calculation of the
number of characters it could generate, which could lead to allocating too
small a character vector and then overwriting memory. An attacker with the
ability to supply arbitrary regex patterns could easily cause transient DOS
via server crashes, and the possibility for privilege escalation has not
been ruled out.
Quite aside from the integer-overflow problem, the range expansion code was
unnecessarily inefficient in that it always produced a result consisting of
individual characters, abandoning the knowledge that we had a range to
start with. If the input range is large, this requires excessive memory.
Change it so that the original range is reported as-is, and then we add on
any case-equivalent characters that are outside that range. With this
approach, we can bound the number of individual characters allowed without
sacrificing much. This patch allows at most 100000 individual characters,
which I believe to be more than the number of case pairs existing in
Unicode, so that the restriction will never be hit in practice.
It's still possible for range() to take awhile given a large character code
range, so also add statement-cancel detection to its loop. The downstream
function dovec() also lacked cancel detection, and could take a long time
given a large output from range().
Per fuzz testing by Greg Stark. Back-patch to all supported branches.
Security: CVE-2016-0773
10 years ago
|
|
|
#define CHR_MAX 0x7ffffffe /* CHR_MAX-CHR_MIN+1 must fit in an int, and
|
|
|
|
|
* CHR_MAX+1 must fit in both chr and celt */
|
|
|
|
|
|
|
|
|
|
/* functions operating on chr */
|
|
|
|
|
#define iscalnum(x) pg_wc_isalnum(x)
|
|
|
|
|
#define iscalpha(x) pg_wc_isalpha(x)
|
|
|
|
|
#define iscdigit(x) pg_wc_isdigit(x)
|
|
|
|
|
#define iscspace(x) pg_wc_isspace(x)
|
|
|
|
|
|
|
|
|
|
/* and pick up the standard header */
|
|
|
|
|
#include "regex.h"
|
