fix integer overflow when parsing Perl-extended named backrefs

boostorg · Feb 27, 2025 · 54f580b · 54f580b
1 parent 0b64ece
commit 54f580b
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 1 deletion.
diff --git a/include/boost/regex/v5/basic_regex_parser.hpp b/include/boost/regex/v5/basic_regex_parser.hpp
@@ -910,7 +910,20 @@ bool basic_regex_parser<charT, traits>::parse_extended_escape()
             pc = m_position;
          }
          if(negative)
-            i = 1 + (static_cast<std::intmax_t>(m_mark_count) - i);
+         {
+            auto mark_count = static_cast<std::intmax_t>(m_mark_count);
+            auto int_min = std::numeric_limits<std::intmax_t>::min();
+            auto int_max = std::numeric_limits<std::intmax_t>::max();
+
+            if ((i < 0) && (mark_count < int_min - i)) { i = -1; }
+            else if ((i > 0) && (mark_count > int_max - i )) { i = -1; }
+            else 
+            { 
+               i = mark_count - i;
+               if (i >= int_max - 1) { i = -1; }
+               else { i += 1;}
+            }
+         }
          if(((i < hash_value_mask) && (i > 0)) || ((i >= hash_value_mask) && (this->m_pdata->get_id((int)i) > 0)))
          {
             m_position = pc;

diff --git a/test/Jamfile.v2 b/test/Jamfile.v2
@@ -137,6 +137,7 @@ compile test_windows_defs_4.cpp ;
 run issue153.cpp : : : "<toolset>msvc:<linkflags>-STACK:2097152" ;
 run issue227.cpp ;
 run issue232.cpp ;
+run issue245.cpp ;
 run lookbehind_recursion_stress_test.cpp ;
 run regex_replace_overflow.cpp ;
 
diff --git a/test/issue245.cpp b/test/issue245.cpp
@@ -0,0 +1,30 @@
+#include <boost/regex.hpp>
+
+#include <vector>
+#include <string>
+
+#include "test_macros.hpp"
+
+
+int main()
+{
+   // invalid because \k-- is an unterminated token
+   {
+      char const strdata[] = "\\k--00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+   }
+   {
+      char const strdata[] = "\\k-00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+
+   }
+   {
+      char const strdata[] = "\\k00000000000000000000000000000000000000000000000000000000009223372036854775807\xff\xff\xff\xff\xff\xff\xff\xef""99999999999999999999999999999999999]999999999999999\x90";
+      std::string regex_string(strdata, strdata + sizeof(strdata) - 1);
+      BOOST_TEST_THROWS((boost::regex(regex_string)), boost::regex_error);
+
+   }
+   return boost::report_errors();
+}