From cb64dfb359da7ae10f72792d84b0dd129174b284 Mon Sep 17 00:00:00 2001 From: millert Date: Thu, 2 Apr 2026 14:45:03 +0000 Subject: [PATCH] Prevent integer overflow in regex repetition count Limit the repetition count to 255 like POSIX does. Also avoid a crash when the repetition is the first atom parsed. From Renaud Allard. --- usr.bin/awk/b.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/usr.bin/awk/b.c b/usr.bin/awk/b.c index dddd9e97169..790b6917de1 100644 --- a/usr.bin/awk/b.c +++ b/usr.bin/awk/b.c @@ -1,4 +1,4 @@ -/* $OpenBSD: b.c,v 1.55 2025/02/05 20:32:56 millert Exp $ */ +/* $OpenBSD: b.c,v 1.56 2026/04/02 14:45:03 millert Exp $ */ /**************************************************************** Copyright (C) Lucent Technologies 1997 All Rights Reserved @@ -1214,6 +1214,9 @@ replace_repeat(const uschar *reptok, int reptoklen, const uschar *atom, static int repeat(const uschar *reptok, int reptoklen, const uschar *atom, int atomlen, int firstnum, int secondnum) { + if (atom == NULL) + return 0; + /* In general, the repetition specifier or "bound" is replaced here by an equivalent ERE string, repeating the immediately previous atom @@ -1461,6 +1464,9 @@ rescan: lastre); } else if (isdigit(c)) { num = 10 * num + c - '0'; + if (num > _POSIX_RE_DUP_MAX) + FATAL("repetition count %.20s too large", + lastre); digitfound = true; } else if (c == ',') { if (commafound)