Integer overflow issue in URX_BUILD

Description

Integer overflow issues in URX_BUILD (source/i18n/regeximp.h)

val is expected to be a 24-bit integer; if it is larger, the excess bits overflow
into the type field of the packed opcode.

Issues occur in RegexCompile::doParseActions for a large proportion of
instructions, whenever the compiled pattern size, the frame size or the data
size exceeds 0x1000000.
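To show the mechanism concretely, here is an added C example (not code from the report or from ICU) that reimplements the assumed opcode layout, type in the top 8 bits and val in the low 24 bits, and contrasts the unchecked packing with a range-checked builder that rejects operands above 0xFFFFFF. The type number 2 and the helper names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed opcode layout, inferred from the report's "24-bit integer":
 * bits 31..24 hold the instruction type, bits 23..0 hold val. */
#define OP_VAL_MAX 0xFFFFFF

/* Same shape as the URX_BUILD packing: no range check on val. */
static int32_t op_build(int type, int32_t val) {
    return (int32_t)(((uint32_t)type << 24) | (uint32_t)val);
}
static int op_type(int32_t op) { return (int)((uint32_t)op >> 24); }
static int32_t op_val(int32_t op) { return op & OP_VAL_MAX; }

/* Does decoding give back exactly the type and val that were encoded? */
static bool op_roundtrips(int type, int32_t val) {
    int32_t op = op_build(type, val);
    return op_type(op) == type && op_val(op) == val;
}

/* Hardened builder: refuse any val that would spill into the type byte.
 * Returns false and leaves *out untouched instead of emitting a corrupt op. */
static bool op_build_checked(int type, int64_t val, int32_t *out) {
    if (type < 0 || type > 0xFF || val < 0 || val > OP_VAL_MAX) return false;
    *out = op_build(type, (int32_t)val);
    return true;
}

int main(void) {
    const int type = 2;                      /* constructed type number, not ICU's */
    int32_t vals[] = { OP_VAL_MAX, OP_VAL_MAX + 1 };  /* last in-range, first overflow */
    for (int i = 0; i < 2; i++) {
        int32_t op = op_build(type, vals[i]);
        printf("val=0x%07X -> type=%d val=0x%07X %s\n", vals[i], op_type(op),
               op_val(op), op_roundtrips(type, vals[i]) ? "ok" : "CORRUPT");
    }
    int32_t out;
    printf("checked build of 0x1000000: %s\n",
           op_build_checked(type, 0x1000000, &out) ? "accepted" : "rejected");
    return 0;
}
```

With val = 0x1000000 the unchecked build turns type 2 into type 3 and val into 0, which is the silent corruption the report describes; the checked builder refuses it.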

Two examples with regexes to trigger the issue:

1) '()' * (0x1000000 / 3) triggers the issue in doOpenCaptureParen

2) Heap underflow after converting URX_STO_SP to URX_LD_SP

This will compile to the following bytecode:

If this is matched against the string 'BCD' this will result in the following calculation

This has triggered a heap underflow in URX_LD_SP:

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a
broadly available patch, then the bug report will automatically become visible
to the public.

Assignee

Andy Heninger

Reporter

TracBot

Components

Reviewer

None

Priority

assess

Time Needed

None

Fix versions
