Limit wide characters to 8 hex digits.

This fixes a buffer overflow which was reported in laurikari#37.
dag-erling · Jul 30, 2024 · a0cafd4 · a0cafd4
1 parent c7cc774
commit a0cafd4
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 4 deletions.
diff --git a/lib/tre-parse.c b/lib/tre-parse.c
@@ -1484,15 +1484,15 @@ tre_parse(tre_parse_ctx_t *ctx)
 		  else if (ctx->re < ctx->re_end)
 		    {
 		      /* Wide char. */
-		      char tmp[32];
+		      char tmp[9]; /* max 8 hex digits + terminator */
 		      long val;
 		      int i = 0;
 		      ctx->re++;
 		      while (ctx->re_end - ctx->re >= 0)
 			{
 			  if (ctx->re[0] == CHAR_RBRACE)
 			    break;
-			  if (tre_isxdigit(ctx->re[0]))
+			  if (tre_isxdigit(ctx->re[0]) && i < sizeof(tmp) - 1)
 			    {
 			      tmp[i] = (char)ctx->re[0];
 			      i++;

diff --git a/tests/retest.c b/tests/retest.c
@@ -1388,8 +1388,8 @@ main(int argc, char **argv)
   test_nexec("\000", 1, 0, REG_OK, 0, 1, END);
   test_comp("\\x{}r", REG_EXTENDED, 0);
   test_nexec("\000r", 2, 0, REG_OK, 0, 2, END);
-  test_comp("\\x{00000000000000000000000000000000}", REG_EXTENDED, 0);
-  test_comp("\\x{000000000000000000000000000000000}", REG_EXTENDED, REG_EBRACE);
+  test_comp("\\x{00000000}", REG_EXTENDED, 0);
+  test_comp("\\x{000000000}", REG_EXTENDED, REG_EBRACE);
 
   /* Tests for (?inrU-inrU) and (?inrU-inrU:) */
   test_comp("foo(?i)bar", REG_EXTENDED, 0);