commit 3fdce6cf2c4d360c27c98d05e530d39317d23c68
Author: Nils Goroll <nils.goroll@uplex.de>
Date: Mon Aug 2 10:49:41 2021 +0200
VRE: bounds check back references in VRE_sub()
Before 6014912e74de7989e37b7be2737cef370b7147ba, VRE_sub() used an
ovector of size 30, which always containted sufficient space to store
the 10 possible back- references \0 thorugh \9.
Now that we use pcre2_match_data_create_from_pattern() and later
pcre2_get_ovector_pointer(), we only get space for the number of
substrings in the pattern, see pcre2api(3):
The ovector is created to be exactly the right size to hold
all the substrings a pattern might capture.
Consequently, we need to check that back references do not exceed the
maximum ovector.
diff --git a/bin/varnishtest/tests/c00001.vtc b/bin/varnishtest/tests/c00001.vtc
index e301e4d09..5a338b2fb 100644
--- a/bin/varnishtest/tests/c00001.vtc
+++ b/bin/varnishtest/tests/c00001.vtc
@@ -23,6 +23,8 @@ varnish v1 -vcl+backend {
regsub(beresp.http.Foobar, "(b)(a)(r)(f)", "\4\&\3\2p\");
set beresp.http.Snafu7 =
regsub(beresp.http.Foobar, "ar", bereq.http.nosuchheader);
+ set beresp.http.inval =
+ regsub(beresp.http.Foobar, "(b)(a)(r)f", "\9\8\7\6\5\4\3\2p");
}
} -start
@@ -40,4 +42,5 @@ client c1 {
expect resp.http.snafu5 == "_barffra\\p_"
expect resp.http.snafu6 == "_f&rap\\_"
expect resp.http.snafu7 == "_bf_"
+ expect resp.http.inval == "_rap_"
} -run
diff --git a/lib/libvarnish/vre.c b/lib/libvarnish/vre.c
index dd8eb70c3..9a8d2cc24 100644
--- a/lib/libvarnish/vre.c
+++ b/lib/libvarnish/vre.c
@@ -231,6 +231,7 @@ VRE_sub(const vre_t *code, const char *subject, const char *replacement,
{
pcre2_match_data *data = NULL;
PCRE2_SIZE *ovector;
+ uint32_t nov;
int i, l;
const char *s;
unsigned x;
@@ -250,6 +251,7 @@ VRE_sub(const vre_t *code, const char *subject, const char *replacement,
do {
AN(data);
ovector = pcre2_get_ovector_pointer(data);
+ nov = pcre2_get_ovector_count(data);
AN(ovector);
/* Copy prefix to match */
@@ -262,6 +264,8 @@ VRE_sub(const vre_t *code, const char *subject, const char *replacement,
s++;
if (isdigit(*s)) {
x = *s - '0';
+ if (x >= nov)
+ continue;
l = ovector[2*x+1] - ovector[2*x];
VSB_bcat(vsb, subject + ovector[2*x], l);
continue;
_______________________________________________
varnish-commit mailing list
varnish-commit@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-commit
Author: Nils Goroll <nils.goroll@uplex.de>
Date: Mon Aug 2 10:49:41 2021 +0200
VRE: bounds check back references in VRE_sub()
Before 6014912e74de7989e37b7be2737cef370b7147ba, VRE_sub() used an
ovector of size 30, which always containted sufficient space to store
the 10 possible back- references \0 thorugh \9.
Now that we use pcre2_match_data_create_from_pattern() and later
pcre2_get_ovector_pointer(), we only get space for the number of
substrings in the pattern, see pcre2api(3):
The ovector is created to be exactly the right size to hold
all the substrings a pattern might capture.
Consequently, we need to check that back references do not exceed the
maximum ovector.
diff --git a/bin/varnishtest/tests/c00001.vtc b/bin/varnishtest/tests/c00001.vtc
index e301e4d09..5a338b2fb 100644
--- a/bin/varnishtest/tests/c00001.vtc
+++ b/bin/varnishtest/tests/c00001.vtc
@@ -23,6 +23,8 @@ varnish v1 -vcl+backend {
regsub(beresp.http.Foobar, "(b)(a)(r)(f)", "\4\&\3\2p\");
set beresp.http.Snafu7 =
regsub(beresp.http.Foobar, "ar", bereq.http.nosuchheader);
+ set beresp.http.inval =
+ regsub(beresp.http.Foobar, "(b)(a)(r)f", "\9\8\7\6\5\4\3\2p");
}
} -start
@@ -40,4 +42,5 @@ client c1 {
expect resp.http.snafu5 == "_barffra\\p_"
expect resp.http.snafu6 == "_f&rap\\_"
expect resp.http.snafu7 == "_bf_"
+ expect resp.http.inval == "_rap_"
} -run
diff --git a/lib/libvarnish/vre.c b/lib/libvarnish/vre.c
index dd8eb70c3..9a8d2cc24 100644
--- a/lib/libvarnish/vre.c
+++ b/lib/libvarnish/vre.c
@@ -231,6 +231,7 @@ VRE_sub(const vre_t *code, const char *subject, const char *replacement,
{
pcre2_match_data *data = NULL;
PCRE2_SIZE *ovector;
+ uint32_t nov;
int i, l;
const char *s;
unsigned x;
@@ -250,6 +251,7 @@ VRE_sub(const vre_t *code, const char *subject, const char *replacement,
do {
AN(data);
ovector = pcre2_get_ovector_pointer(data);
+ nov = pcre2_get_ovector_count(data);
AN(ovector);
/* Copy prefix to match */
@@ -262,6 +264,8 @@ VRE_sub(const vre_t *code, const char *subject, const char *replacement,
s++;
if (isdigit(*s)) {
x = *s - '0';
+ if (x >= nov)
+ continue;
l = ovector[2*x+1] - ovector[2*x];
VSB_bcat(vsb, subject + ovector[2*x], l);
continue;
_______________________________________________
varnish-commit mailing list
varnish-commit@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-commit