shithub: libmujs

ref: 7f50591861525f76e3ec7a63392656ff8c030af9
parent: 93447649b5d032093a81ac0b7402fd5623f2f76c
author: Tor Andersson <tor.andersson@artifex.com>
date: Wed Jan 2 11:01:32 EST 2019

Bug 700429: Limit size of input regular expression program.

The size of the parsed syntax list could overflow. Allowing it to be
bigger than the compiled program makes no sense, so use the same size
limit when parsing as when compiling.

--- a/regexp.c
+++ b/regexp.c
@@ -836,6 +836,8 @@
 	if (!g.prog)
 		die(&g, "cannot allocate regular expression");
 	n = strlen(pattern) * 2;
+	if (n > MAXPROG)
+		die(&g, "program too large");
 	if (n > 0) {
 		g.pstart = g.pend = alloc(ctx, NULL, sizeof (Renode) * n);
 		if (!g.pstart)
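
Review bot: The new `if (n > MAXPROG)` test runs after `n = strlen(pattern) * 2;`, so the limit is only as sound as that multiplication and the assignment into n. The declaration of n is not part of this hunk. If it is narrower than size_t or signed, a very long pattern could produce a truncated or negative n that passes `n > MAXPROG`, and a negative value would then skip the allocation at `if (n > 0)`. Consider bounding the length before scaling it, for example checking `strlen(pattern) > MAXPROG / 2` and calling die() there, so the limit does not depend on how the product converts. A short comment explaining why the syntax list is sized at twice the pattern length, and that MAXPROG is deliberately shared with the compile step, would also help the next reader. The message "program too large" could be made distinct from any compile-time error with the same text, so a failure can be traced to the parse-side limit.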