From e7de1bc0979ad81789864e6c2d346a5c16f28ad2 Mon Sep 17 00:00:00 2001 From: Tom Lane Date: Fri, 2 Oct 2015 14:51:59 -0400 Subject: Add recursion depth protections to regular expression matching. Some of the functions in regex compilation and execution recurse, and therefore could in principle be driven to stack overflow. The Tcl crew has seen this happen in practice in duptraverse(), though their fix was to put in a hard-wired limit on the number of recursive levels, which is not too appetizing --- fortunately, we have enough infrastructure to check the actually available stack. Greg Stark has also seen it in other places while fuzz testing on a machine with limited stack space. Let's put guards in to prevent crashes in all these places. Since the regex code would leak memory if we simply threw elog(ERROR), we have to introduce an API that checks for stack depth without throwing such an error. Fortunately that's not difficult. --- src/backend/regex/rege_dfa.c | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'src/backend/regex/rege_dfa.c') diff --git a/src/backend/regex/rege_dfa.c b/src/backend/regex/rege_dfa.c index 15ef1d8ef9b..1ef601999b8 100644 --- a/src/backend/regex/rege_dfa.c +++ b/src/backend/regex/rege_dfa.c @@ -628,6 +628,13 @@ lacon(struct vars * v, struct smalldfa sd; chr *end; + /* Since this is recursive, it could be driven to stack overflow */ + if (STACK_TOO_DEEP(v->re)) + { + ERR(REG_ETOOBIG); + return 0; + } + n = co - pcnfa->ncolors; assert(n < v->g->nlacons && v->g->lacons != NULL); FDEBUG(("=== testing lacon %d\n", n)); -- cgit v1.2.3
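Review bot: In the lacon() hunk, the new early exit `return 0;` after `ERR(REG_ETOOBIG);` relies on every caller checking the error state, not just the return value. If 0 is also the ordinary "constraint not satisfied" result, a caller that looks only at the return value will treat a stack-depth bailout as a failed lookahead and keep matching, possibly recursing again. Please extend the comment to say that the result is meaningless once the error is set, and confirm that the call sites of lacon() test for the error before using the result. The comment `/* Since this is recursive, it could be driven to stack overflow */` would also be more useful if it named the call path by which lacon() re-enters itself, since no direct self-call is visible in this function's context lines. A regression test with a deeply nested lookahead constraint that reaches this branch would show that the REG_ETOOBIG path returns cleanly instead of crashing.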