• Tom Lane's avatar
    Fix some regex issues with out-of-range characters and large char ranges. · 3bb3f42f
    Tom Lane authored
    Previously, our regex code defined CHR_MAX as 0xfffffffe, which is a
    bad choice because it is outside the range of type "celt" (int32).
    Characters approaching that limit could lead to infinite loops in logic
    such as "for (c = a; c <= b; c++)" where c is of type celt but the
    range bounds are chr.  Such loops will work safely only if CHR_MAX+1
    is representable in celt, since c must advance to beyond b before the
    loop will exit.
    
    Fortunately, there seems no reason not to restrict CHR_MAX to 0x7ffffffe.
    It's highly unlikely that Unicode will ever assign codes that high, and
    none of our other backend encodings need characters beyond that either.
    
    In addition to modifying the macro, we have to explicitly enforce character
    range restrictions on the values of \u, \U, and \x escape sequences, else
    the limit is trivially bypassed.
    
    Also, the code for expanding case-independent character ranges in bracket
    expressions had a potential integer overflow in its calculation of the
    number of characters it could generate, which could lead to allocating too
    small a character vector and then overwriting memory.  An attacker with the
    ability to supply arbitrary regex patterns could easily cause transient DOS
    via server crashes, and the possibility for privilege escalation has not
    been ruled out.
    
    Quite aside from the integer-overflow problem, the range expansion code was
    unnecessarily inefficient in that it always produced a result consisting of
    individual characters, abandoning the knowledge that we had a range to
    start with.  If the input range is large, this requires excessive memory.
    Change it so that the original range is reported as-is, and then we add on
    any case-equivalent characters that are outside that range.  With this
    approach, we can bound the number of individual characters allowed without
    sacrificing much.  This patch allows at most 100000 individual characters,
    which I believe to be more than the number of case pairs existing in
    Unicode, so that the restriction will never be hit in practice.
    
    It's still possible for range() to take awhile given a large character code
    range, so also add statement-cancel detection to its loop.  The downstream
    function dovec() also lacked cancel detection, and could take a long time
    given a large output from range().
    
    Per fuzz testing by Greg Stark.  Back-patch to all supported branches.
    
    Security: CVE-2016-0773
    3bb3f42f
regex.sql 4.58 KB