Integer overflow issues in URX_BUILD (source/i18n/regeximp.h)
val is expected to be a 24-bit integer, and can overflow into type if it can be
Overflows can occur in RegexCompile::doParseActions for a large proportion of
instructions, whenever the compiled pattern size, the frame size or the data
size grows larger than 0x1000000.
Two examples with regexes to trigger the issue:
1) '()' * (0x1000000 / 3) triggers the issue in doOpenCaptureParen
2) Heap underflow after converting URX_STO_SP to URX_LD_SP
This will compile to the following bytecode:
If this is matched against the string 'BCD', it results in the following calculation:
This has triggered a heap underflow in URX_LD_SP:
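To make the packing bug concrete, here is an added illustration (not ICU code and not part of the report): it reproduces the 8-bit type / 24-bit value layout the report describes for URX_BUILD, shows that an operand of 0x1000000 or more carries into the type byte and so turns one opcode into the next, and sets a bounds-checked builder beside it. The numeric opcode values and the `build_checked` helper are assumptions for illustration only.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Instruction layout reconstructed from the report's description, assumed
 * to match regeximp.h: bits 31..24 hold the opcode type, bits 23..0 the
 * operand. URX_BUILD does no range check on val. */
#define URX_VAL_BITS 24
#define URX_VAL_MAX  ((1 << URX_VAL_BITS) - 1)          /* 0xFFFFFF */
#define URX_TYPE(x)  ((uint32_t)(x) >> URX_VAL_BITS)
#define URX_VAL(x)   ((x) & URX_VAL_MAX)
#define URX_BUILD(type, val) \
    (int32_t)(((uint32_t)(type) << URX_VAL_BITS) | (uint32_t)(val))

/* Opcode numbers are assumed for illustration; adjacent values are what
 * make a one-bit carry turn URX_STO_SP into URX_LD_SP. */
enum { OP_STO_SP = 32, OP_LD_SP = 33 };

/* Unchecked build: mirrors the macro as the report describes it. */
int32_t build_unchecked(int type, int32_t val) { return URX_BUILD(type, val); }

/* Opcode type the interpreter would decode from an unchecked build. */
int decoded_type_unchecked(int type, int32_t val) {
    return (int)URX_TYPE(build_unchecked(type, val));
}

/* Hardened builder (assumed helper): refuses any operand that does not fit
 * in 24 bits so the compiler can fail the pattern instead of emitting a
 * corrupted instruction. Returns false on overflow. */
bool build_checked(int type, int64_t val, int32_t *out) {
    if (type < 0 || type > 0xFF || val < 0 || val > URX_VAL_MAX) return false;
    *out = (int32_t)(((uint32_t)type << URX_VAL_BITS) | (uint32_t)val);
    return true;
}

int main(void) {
    int32_t big = 0x1000000 + 5, ins;        /* operand just past 24 bits */
    printf("unchecked: type=%d (expected %d) val=%u\n",
           decoded_type_unchecked(OP_STO_SP, big), OP_STO_SP,
           (unsigned)URX_VAL(build_unchecked(OP_STO_SP, big)));
    printf("checked: %s\n",
           build_checked(OP_STO_SP, big, &ins) ? "ok" : "rejected");
    return 0;
}
```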
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a
broadly available patch, then the bug report will automatically become visible
to the public.