[njs] Fixed heap-buffer-overflow while parsing regexp literals.

Dmitry Volyntsev xeioex at nginx.com
Mon Aug 26 16:00:29 UTC 2019


details:   https://hg.nginx.org/njs/rev/12e9519e7eb4
branches:  
changeset: 1143:12e9519e7eb4
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Mon Aug 26 19:00:13 2019 +0300
description:
Fixed heap-buffer-overflow while parsing regexp literals.

This closes issue #174 on GitHub.

diffstat:

 src/njs_regexp.c         |  14 +++++++++++---
 src/test/njs_unit_test.c |  12 ++++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)

diffs (69 lines):

diff -r a3e8a7a51161 -r 12e9519e7eb4 src/njs_regexp.c
--- a/src/njs_regexp.c	Fri Aug 23 20:00:40 2019 +0300
+++ b/src/njs_regexp.c	Mon Aug 26 19:00:13 2019 +0300
@@ -333,14 +333,22 @@ njs_regexp_literal(njs_vm_t *vm, njs_par
             goto failed;
 
         case '[':
-            while (++p < lexer->end && *p != ']') {
+            while (1) {
+                if (++p >= lexer->end) {
+                    goto failed;
+                }
+
+                if (*p == ']') {
+                    break;
+                }
+
                 switch (*p) {
                 case '\n':
                 case '\r':
                     goto failed;
 
                 case '\\':
-                    if (++p < lexer->end && (*p == '\n' || *p == '\r')) {
+                    if (++p >= lexer->end || *p == '\n' || *p == '\r') {
                         goto failed;
                     }
 
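Review bot: The rule this fix restores, comparing `p` with `lexer->end` before every `*p`, is not written down anywhere, and the guard is now spelled out in the class loop, in its `'\\'` case, and again in the top-level `'\\'` case in the next hunk. A comment above `while (1)` would keep a later edit from folding the bound check back into a combined condition, which is how the removed lines let parsing continue once `p` reached the end: `/* Advance, then bounds-check, then read: running out of input inside a class or after a backslash means the literal is unterminated. */`. njs_regexp_literal() starts and ends outside this hunk, so the outer loop's own bound check is not visible here.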
@@ -351,7 +359,7 @@ njs_regexp_literal(njs_vm_t *vm, njs_par
             break;
 
         case '\\':
-            if (++p < lexer->end && (*p == '\n' || *p == '\r')) {
+            if (++p >= lexer->end || *p == '\n' || *p == '\r') {
                 goto failed;
             }
 
diff -r a3e8a7a51161 -r 12e9519e7eb4 src/test/njs_unit_test.c
--- a/src/test/njs_unit_test.c	Fri Aug 23 20:00:40 2019 +0300
+++ b/src/test/njs_unit_test.c	Mon Aug 26 19:00:13 2019 +0300
@@ -5877,9 +5877,18 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("/]/"),
       njs_str("/\\]/") },
 
+    { njs_str("/["),
+      njs_str("SyntaxError: Unterminated RegExp \"/[\" in 1") },
+
+    { njs_str("/[\\"),
+      njs_str("SyntaxError: Unterminated RegExp \"/[\\\" in 1") },
+
     { njs_str("RegExp(']')"),
       njs_str("/\\]/") },
 
+    { njs_str("RegExp('[\\\\')"),
+      njs_str("SyntaxError: pcre_compile(\"[\\\") failed: \\ at end of pattern") },
+
     { njs_str("RegExp('[\\\\\\\\]]')"),
       njs_str("/[\\\\]\\]/") },
 
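Review bot: Both new literal cases end inside a character class (`/[` and `/[\`), so the third changed check, the top-level `'\\'` case in src/njs_regexp.c, has no regression test visible in this diff. A literal that ends in a bare backslash would pin it: `{ njs_str("/\\"), njs_str("SyntaxError: Unterminated RegExp \"/\\\" in 1") },`. The expected message is inferred from the two neighbouring cases and should be confirmed by running the suite. The `RegExp('[\\\\')` case reports a pcre_compile error, so it appears to exercise the constructor path rather than the literal parser.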
@@ -7859,6 +7868,9 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("new RegExp('[')"),
       njs_str("SyntaxError: pcre_compile(\"[\") failed: missing terminating ] for character class") },
 
+    { njs_str("new RegExp('['.repeat(16))"),
+      njs_str("SyntaxError: pcre_compile(\"[[[[[[[[[[[[[[[[\") failed: missing terminating ] for character class") },
+
     { njs_str("new RegExp('\\\\')"),
       njs_str("SyntaxError: pcre_compile(\"\\\") failed: \\ at end of pattern") },
 

