Mercurial > njs

changeset 2590:a4061187dd87

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Fixed RegExp compilation after 17124c81. Previously, heap-buffer-overflow happened due to incorrect copying of [...] regexp parts. Found by OSS-Fuzz.
author Dmitry Volyntsev <xeioex@nginx.com>
date Thu, 03 Jul 2025 16:53:33 -0700
parents 579688a17e37
children deb802c9b713
files external/njs_regex.c src/test/njs_unit_test.c
diffstat 2 files changed, 24 insertions(+), 1 deletions(-) [+]
line wrap: on
line diff
--- a/external/njs_regex.c	Fri Jun 27 09:45:48 2025 -0700
+++ b/external/njs_regex.c	Thu Jul 03 16:53:33 2025 -0700
@@ -177,11 +177,16 @@
                 continue;
 
             } else {
-                *dst++ = *p;
+                *dst++ = *p++; /* Copy '['. */
+
                 while (p < end && *p != ']') {
                     *dst++ = *p++;
                 }
 
+                if (p < end) {
+                    *dst++ = *p; /* Copy ']'. */
+                }
+
                 continue;
             }
         }
@@ -189,6 +194,8 @@
         *dst++ = *p;
     }
 
+    njs_assert(dst == text->start + text->length);
+
     return NJS_OK;
 
 #else
--- a/src/test/njs_unit_test.c	Fri Jun 27 09:45:48 2025 -0700
+++ b/src/test/njs_unit_test.c	Thu Jul 03 16:53:33 2025 -0700
@@ -9556,6 +9556,9 @@
     { njs_str("/["),
       njs_str("SyntaxError: Unterminated RegExp \"/[\" in 1") },
 
+    { njs_str("/[][a"),
+      njs_str("SyntaxError: Unterminated RegExp \"/[][a\" in 1") },
+
     { njs_str("/[\\"),
       njs_str("SyntaxError: Unterminated RegExp \"/[\\\" in 1") },
 
@@ -9591,11 +9594,24 @@
       njs_str("/\\]cd/") },
 #endif
 
+    { njs_str("RegExp('[][a')"),
+      njs_str("SyntaxError: "
+              njs_pcre_var("pcre_compile2(\"(?!)[a\") failed: missing terminating ] for character class at \"\"",
+                           "pcre_compile(\"[][a\") failed: missing terminating ] for character class")) },
+
+    { njs_str("RegExp('[][a][a')"),
+      njs_str("SyntaxError: "
+              njs_pcre_var("pcre_compile2(\"(?!)[a][a\") failed: missing terminating ] for character class at \"\"",
+                           "pcre_compile(\"[][a][a\") failed: missing terminating ] for character class")) },
+
     { njs_str("RegExp('[\\\\')"),
       njs_str("SyntaxError: "
               njs_pcre_var("pcre_compile2(\"[\\\") failed: \\ at end of pattern at \"\"",
                            "pcre_compile(\"[\\\") failed: \\ at end of pattern")) },
 
+    { njs_str("RegExp('[][a]')"),
+      njs_str(njs_pcre_var("/(?!)[a]/", "/[][a]/")) },
+
     { njs_str("RegExp('\\\\0').source[1]"),
       njs_str("0") },