public inbox for gcc-bugs@sourceware.org
* [Bug libstdc++/106607] New: Regex integer overflow on large backreference value
@ 2022-08-13  9:26 fsb4000 at yandex dot ru
  2022-09-07 14:16 ` [Bug libstdc++/106607] " cvs-commit at gcc dot gnu.org
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: fsb4000 at yandex dot ru @ 2022-08-13  9:26 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106607

            Bug ID: 106607
           Summary: Regex integer overflow on large backreference value
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: libstdc++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: fsb4000 at yandex dot ru
  Target Milestone: ---

Hello!
I was fixing some MS STL issues with regex (GH-2168: integer overflow on large
backreference value) and I added a test.
After that, I decided to try my test with LLVM libc++ and GNU libstdc++.
LLVM libc++ passes my test, and libstdc++ doesn't pass it.

```
#include <cassert>
#include <regex>

using namespace std;

// GH-2168 <regex>: integer overflow on large backreference value
int main() {
    try {
        // 4294967297 = 1 mod 2^32, so this will succeed if we don't check for
        // overflow.
        regex testRegex{R"((a)\4294967297)", regex_constants::ECMAScript};
        assert(false);
    } catch (const regex_error& e) {
        assert(e.code() == regex_constants::error_backref);
    }
}
```

https://gcc.godbolt.org/z/nzET6nvxo

* [Bug libstdc++/106607] Regex integer overflow on large backreference value
From: cvs-commit at gcc dot gnu.org @ 2022-09-07 14:16 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106607

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-12 branch has been updated by Jonathan Wakely
<redi@gcc.gnu.org>:

https://gcc.gnu.org/g:87da20c6e280925d885c5472de9189515f46880b

commit r12-8746-g87da20c6e280925d885c5472de9189515f46880b
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Mon Aug 22 15:16:16 2022 +0100

    libstdc++: Check for overflow in regex back-reference [PR106607]

    Currently we fail to notice integer overflow when parsing a
    back-reference expression, or when converting the parsed result from
    long to int. This changes the result to be int, so no conversion is
    needed, and uses the overflow-checking built-ins to detect an
    out-of-range back-reference.

    libstdc++-v3/ChangeLog:

            PR libstdc++/106607
            * include/bits/regex_compiler.tcc (_Compiler::_M_cur_int_value):
            Use built-ins to check for integer overflow in back-reference
            number.
            * testsuite/28_regex/basic_regex/106607.cc: New test.

    (cherry picked from commit 1b09eea33f2bf9d1eae73b25cc25efb05ea1dc3f)
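
The wrap-around from the bug report and the overflow-checked accumulation the commit message describes, as an added example (not the libstdc++ patch and not code from this thread). Function names are hypothetical, a 32-bit `int` is assumed, and `__builtin_mul_overflow` / `__builtin_add_overflow` are the GCC/Clang built-ins:

```cpp
// Added illustration; not libstdc++ source. All function names are hypothetical.
#include <iostream>
#include <string>

// Model of the unchecked path: digits are accumulated in a 64-bit value and
// then narrowed to a 32-bit int, so only the low 32 bits survive.
int parse_backref_unchecked(const std::string& digits)
{
    unsigned long long wide = 0;
    for (char c : digits)
        wide = wide * 10 + static_cast<unsigned>(c - '0');
    return static_cast<int>(static_cast<unsigned>(wide));
}

// Checked path: accumulate directly in int and stop at the first overflow.
// Returns false for empty input, non-digits, or a value that does not fit.
bool parse_backref_checked(const std::string& digits, int& out)
{
    if (digits.empty())
        return false;
    int value = 0;
    for (char c : digits) {
        if (c < '0' || c > '9')
            return false;
        if (__builtin_mul_overflow(value, 10, &value)
            || __builtin_add_overflow(value, c - '0', &value))
            return false;
    }
    out = value;
    return true;
}

// A back-reference is accepted only if it names an existing capture group.
bool backref_is_valid(const std::string& digits, int group_count)
{
    int n = 0;
    return parse_backref_checked(digits, n) && n >= 1 && n <= group_count;
}

int main()
{
    const std::string reported = "4294967297"; // value from the bug report
    std::cout << "unchecked parse: " << parse_backref_unchecked(reported) << '\n'
              << "checked accept:  " << backref_is_valid(reported, 1) << '\n';
}
```

With one capture group, the unchecked model turns `\4294967297` into a reference to group 1, while the checked path rejects it before the group-count comparison is reached.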

* [Bug libstdc++/106607] Regex integer overflow on large backreference value
From: cvs-commit at gcc dot gnu.org @ 2022-09-07 17:49 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106607

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-11 branch has been updated by Jonathan Wakely
<redi@gcc.gnu.org>:

https://gcc.gnu.org/g:d023d805d9e20c3f46654dc7ea96c9228d650ddb

commit r11-10243-gd023d805d9e20c3f46654dc7ea96c9228d650ddb
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Mon Aug 22 15:16:16 2022 +0100

    libstdc++: Check for overflow in regex back-reference [PR106607]

    Currently we fail to notice integer overflow when parsing a
    back-reference expression, or when converting the parsed result from
    long to int. This changes the result to be int, so no conversion is
    needed, and uses the overflow-checking built-ins to detect an
    out-of-range back-reference.

    libstdc++-v3/ChangeLog:

            PR libstdc++/106607
            * include/bits/regex_compiler.tcc (_Compiler::_M_cur_int_value):
            Use built-ins to check for integer overflow in back-reference
            number.
            * testsuite/28_regex/basic_regex/106607.cc: New test.

    (cherry picked from commit 1b09eea33f2bf9d1eae73b25cc25efb05ea1dc3f)

* [Bug libstdc++/106607] Regex integer overflow on large backreference value
From: redi at gcc dot gnu.org @ 2022-09-07 17:54 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106607

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
   Target Milestone|---                         |11.4

--- Comment #4 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Fixed for 12.3 and 11.4

* [Bug libstdc++/106607] Regex integer overflow on large backreference value
From: cvs-commit at gcc dot gnu.org @ 2023-06-23 16:12 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106607

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-10 branch has been updated by Jonathan Wakely
<redi@gcc.gnu.org>:

https://gcc.gnu.org/g:fab3692a2cf961b7364d7f77dd976ba0e4f752b7

commit r10-11467-gfab3692a2cf961b7364d7f77dd976ba0e4f752b7
Author: Jonathan Wakely <jwakely@redhat.com>
Date:   Mon Aug 22 15:16:16 2022 +0100

    libstdc++: Check for overflow in regex back-reference [PR106607]

    Currently we fail to notice integer overflow when parsing a
    back-reference expression, or when converting the parsed result from
    long to int. This changes the result to be int, so no conversion is
    needed, and uses the overflow-checking built-ins to detect an
    out-of-range back-reference.

    libstdc++-v3/ChangeLog:

            PR libstdc++/106607
            * include/bits/regex_compiler.tcc (_Compiler::_M_cur_int_value):
            Use built-ins to check for integer overflow in back-reference
            number.
            * testsuite/28_regex/basic_regex/106607.cc: New test.

    (cherry picked from commit 1b09eea33f2bf9d1eae73b25cc25efb05ea1dc3f)

* [Bug libstdc++/106607] Regex integer overflow on large backreference value
From: redi at gcc dot gnu.org @ 2023-06-23 16:19 UTC
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106607

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|11.4                        |10.5

--- Comment #6 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Backported for 10.5 too.
