From 32d596da36758446331c4202dad9494329545ec2 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Wed, 2 Feb 2022 13:53:00 +0100 Subject: lib: fix infinite loop on empty regexp matches in uc_split() The regular expression `/()/` will match the empty string, causing the match loop to never advance. Add extra logic to deal with this case, similar to the empty separator string logic. Signed-off-by: Jo-Philipp Wich --- lib.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'lib.c') diff --git a/lib.c b/lib.c index e204ded..6235470 100644 --- a/lib.c +++ b/lib.c @@ -927,9 +927,18 @@ uc_split(uc_vm_t *vm, size_t nargs) if (res == REG_NOMATCH) break; - ucv_array_push(arr, ucv_string_new_length(splitstr, pmatch.rm_so)); + if (pmatch.rm_so != pmatch.rm_eo) { + ucv_array_push(arr, ucv_string_new_length(splitstr, pmatch.rm_so)); + splitstr += pmatch.rm_eo; + } + else if (*splitstr) { + ucv_array_push(arr, ucv_string_new_length(splitstr, 1)); + splitstr++; + } + else { + goto out; + } - splitstr += pmatch.rm_eo; eflags |= REG_NOTBOL; } @@ -956,6 +965,7 @@ uc_split(uc_vm_t *vm, size_t nargs) return NULL; } +out: return arr; } -- cgit v1.2.3 From 3ad57f116631029263cdbb324a20076006a94d4c Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Thu, 3 Feb 2022 11:25:31 +0100 Subject: lib: fix infinite loop on empty regexp matches in uc_match() The regular expression `/()/` will match the empty string, causing the match loop to never advance. Add extra logic to deal with this case. Signed-off-by: Jo-Philipp Wich --- lib.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) (limited to 'lib.c') diff --git a/lib.c b/lib.c index 6235470..ab04b32 100644 --- a/lib.c +++ b/lib.c @@ -1804,7 +1804,13 @@ uc_match(uc_vm_t *vm, size_t nargs) ucv_array_push(rv, m); - p += pmatch[0].rm_eo; + if (pmatch[0].rm_so != pmatch[0].rm_eo) + p += pmatch[0].rm_eo; + else if (*p) + p++; + else + break; + eflags |= REG_NOTBOL; } else { -- cgit v1.2.3 From 5d0ecd9aefee1be2b51713f7343939b7039a0406 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Thu, 3 Feb 2022 11:26:31 +0100 Subject: lib: fix infinite loop on empty regexp matches in uc_replace() The regular expression `/()/` will match the empty string, causing the match loop to never advance. Add extra logic to deal with this case, similar to the empty separator string logic. Apply a similar exception to replacements of empty search strings, those should yield the same result as empty regexp matches. Signed-off-by: Jo-Philipp Wich --- lib.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) (limited to 'lib.c') diff --git a/lib.c b/lib.c index ab04b32..7ae9a51 100644 --- a/lib.c +++ b/lib.c @@ -1975,7 +1975,12 @@ uc_replace(uc_vm_t *vm, size_t nargs) uc_replace_str(vm, replace, p, pmatch, ARRAY_SIZE(pmatch), resbuf); } - p += pmatch[0].rm_eo; + if (pmatch[0].rm_so != pmatch[0].rm_eo) + p += pmatch[0].rm_eo; + else if (*p) + ucv_stringbuf_addstr(resbuf, p++, 1); + else + break; if (re->global) eflags |= REG_NOTBOL; @@ -1989,8 +1994,10 @@ uc_replace(uc_vm_t *vm, size_t nargs) pt = uc_cast_string(vm, &pattern, &pt_freeable); pl = strlen(pt); - for (l = p = sb; *p; p++) { - if (!strncmp(p, pt, pl)) { + l = p = sb; + + while (true) { + if (pl == 0 || !strncmp(p, pt, pl)) { ucv_stringbuf_addstr(resbuf, l, p - l); pmatch[0].rm_so = p - l; @@ -2013,9 +2020,17 @@ uc_replace(uc_vm_t *vm, size_t nargs) uc_replace_str(vm, replace, l, pmatch, 1, resbuf); } - l = p + pl; - p += pl - 1; + if (pl) { + l = p + pl; + p += pl - 1; + } + else { + l = p; + } } + + if (!*p++) + break; } ucv_stringbuf_addstr(resbuf, l, strlen(l)); -- cgit v1.2.3 From d5003fde57eab19588da7bfdbaefe93d47435eb6 Mon Sep 17 00:00:00 2001 From: Jo-Philipp Wich Date: Thu, 3 Feb 2022 11:49:14 +0100 Subject: lib: fix leaking tokener in uc_json() on parse exception Signed-off-by: Jo-Philipp Wich --- lib.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) (limited to 'lib.c') diff --git a/lib.c b/lib.c index 7ae9a51..5ad08e7 100644 --- a/lib.c +++ b/lib.c @@ -2048,10 +2048,10 @@ uc_replace(uc_vm_t *vm, size_t nargs) static uc_value_t * uc_json(uc_vm_t *vm, size_t nargs) { - uc_value_t *rv, *src = uc_fn_arg(0); + uc_value_t *rv = NULL, *src = uc_fn_arg(0); struct json_tokener *tok = NULL; enum json_tokener_error err; - json_object *jso; + json_object *jso = NULL; const char *str; size_t len; @@ -2073,32 +2073,30 @@ uc_json(uc_vm_t *vm, size_t nargs) err = json_tokener_get_error(tok); if (err == json_tokener_continue) { - json_object_put(jso); uc_vm_raise_exception(vm, EXCEPTION_SYNTAX, "Unexpected end of string in JSON data"); - return NULL; + goto out; } else if (err != json_tokener_success) { - json_object_put(jso); uc_vm_raise_exception(vm, EXCEPTION_SYNTAX, "Failed to parse JSON string: %s", json_tokener_error_desc(err)); - return NULL; + goto out; } else if (json_tokener_get_parse_end(tok) < len) { - json_object_put(jso); uc_vm_raise_exception(vm, EXCEPTION_SYNTAX, "Trailing garbage after JSON data"); - return NULL; + goto out; } - json_tokener_free(tok); rv = ucv_from_json(vm, jso); +out: + json_tokener_free(tok); json_object_put(jso); return rv; -- cgit v1.2.3