Issue #17016: Get rid of possible pointer wraparounds and integer overflows

in the re module. Patch by Nickolai Zeldovich.

Issue #17016: Get rid of possible pointer wraparounds and integer overflows
in the re module. Patch by Nickolai Zeldovich.
6d800466 · Serhiy Storchaka · d24abee4 · 4bb17348 · 6d800466 · 6d800466
Commit 6d800466 authored Apr 13, 2013 by Serhiy Storchaka
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 11 deletions

Misc/ACKS Misc/ACKS +1 -0

Misc/NEWS Misc/NEWS +3 -0

Modules/_sre.c Modules/_sre.c +11 -11

No files found.
--- a/Misc/ACKS
+++ b/Misc/ACKS
@@ -1371,6 +1371,7 @@ Milan Zamazal
 Artur Zaprzala
 Mike Zarnstorff
 Siebren van der Zee
+Nickolai Zeldovich
 Yuxiao Zeng
 Uwe Zessin
 Cheng Zhang

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -42,6 +42,9 @@ Core and Builtins
 Library
 -------

+- Issue #17016: Get rid of possible pointer wraparounds and integer overflows
+  in the re module.  Patch by Nickolai Zeldovich.
+
 - Issue #16658: add missing return to HTTPConnection.send()
  Patch by Jeff Knupp.


--- a/Modules/_sre.c
+++ b/Modules/_sre.c
@@ -655,7 +655,7 @@ do { \
    alloc_pos = state->data_stack_base; \
    TRACE(("allocating %s in %d (%d)\n", \
           SFY(type), alloc_pos, sizeof(type))); \
-    if (state->data_stack_size < alloc_pos+sizeof(type)) { \
+    if (sizeof(type) > state->data_stack_size - alloc_pos) { \
        int j = data_stack_grow(state, sizeof(type)); \
        if (j < 0) return j; \
        if (ctx_pos != -1) \
@@ -675,7 +675,7 @@ do { \
 do { \
    TRACE(("copy data in %p to %d (%d)\n", \
           data, state->data_stack_base, size)); \
-    if (state->data_stack_size < state->data_stack_base+size) { \
+    if (size > state->data_stack_size - state->data_stack_base) { \
        int j = data_stack_grow(state, size); \
        if (j < 0) return j; \
        if (ctx_pos != -1) \
@@ -997,7 +997,7 @@ entrance:
            TRACE(("|%p|%p|REPEAT_ONE %d %d\n", ctx->pattern, ctx->ptr,
                   ctx->pattern[1], ctx->pattern[2]));

-            if (ctx->ptr + state->charsize * ctx->pattern[1] > end)
+            if (ctx->pattern[1] > (end - ctx->ptr) / state->charsize)
                RETURN_FAILURE; /* cannot match */

            state->ptr = ctx->ptr;
@@ -1081,7 +1081,7 @@ entrance:
            TRACE(("|%p|%p|MIN_REPEAT_ONE %d %d\n", ctx->pattern, ctx->ptr,
                   ctx->pattern[1], ctx->pattern[2]));

-            if (ctx->ptr + state->charsize * ctx->pattern[1] > end)
+            if (ctx->pattern[1] > (end - ctx->ptr) / state->charsize)
                RETURN_FAILURE; /* cannot match */

            state->ptr = ctx->ptr;
@@ -2779,7 +2779,7 @@ _compile(PyObject* self_, PyObject* args)
        skip = *code;                                   \
        VTRACE(("%lu (skip to %p)\n",                   \
               (unsigned long)skip, code+skip));        \
-        if (code+skip-adj < code || code+skip-adj > end)\
+        if (skip-adj > end-code)                        \
            FAIL;                                       \
        code++;                                         \
    } while (0)
@@ -2812,7 +2812,7 @@ _validate_charset(SRE_CODE *code, SRE_CODE *end)

        case SRE_OP_CHARSET:
            offset = 32/sizeof(SRE_CODE); /* 32-byte bitmap */
-            if (code+offset < code || code+offset > end)
+            if (offset > end-code)
                FAIL;
            code += offset;
            break;
@@ -2820,7 +2820,7 @@ _validate_charset(SRE_CODE *code, SRE_CODE *end)
        case SRE_OP_BIGCHARSET:
            GET_ARG; /* Number of blocks */
            offset = 256/sizeof(SRE_CODE); /* 256-byte table */
-            if (code+offset < code || code+offset > end)
+            if (offset > end-code)
                FAIL;
            /* Make sure that each byte points to a valid block */
            for (i = 0; i < 256; i++) {
@@ -2829,7 +2829,7 @@ _validate_charset(SRE_CODE *code, SRE_CODE *end)
            }
            code += offset;
            offset = arg * 32/sizeof(SRE_CODE); /* 32-byte bitmap times arg */
-            if (code+offset < code || code+offset > end)
+            if (offset > end-code)
                FAIL;
            code += offset;
            break;
@@ -2980,11 +2980,11 @@ _validate_inner(SRE_CODE *code, SRE_CODE *end, Py_ssize_t groups)
                    GET_ARG; prefix_len = arg;
                    GET_ARG;
                    /* Here comes the prefix string */
-                    if (code+prefix_len < code || code+prefix_len > newcode)
+                    if (prefix_len > newcode-code)
                        FAIL;
                    code += prefix_len;
                    /* And here comes the overlap table */
-                    if (code+prefix_len < code || code+prefix_len > newcode)
+                    if (prefix_len > newcode-code)
                        FAIL;
                    /* Each overlap value should be < prefix_len */
                    for (i = 0; i < prefix_len; i++) {
@@ -3113,7 +3113,7 @@ _validate_inner(SRE_CODE *code, SRE_CODE *end, Py_ssize_t groups)
               to allow arbitrary jumps anywhere in the code; so we just look
               for a JUMP opcode preceding our skip target.
            */
-            if (skip >= 3 && code+skip-3 >= code &&
+            if (skip >= 3 && skip-3 < end-code &&
                code[skip-3] == SRE_OP_JUMP)
            {
                VTRACE(("both then and else parts present\n"));