Message-ID: <20260324153010.GV3520958@port70.net>
Date: Tue, 24 Mar 2026 16:30:10 +0100
From: Szabolcs Nagy <nsz@...t70.net>
To: Rich Felker <dalias@...c.org>
Cc: Simon Resch <simon.resch@...e-intelligence.com>,
	musl@...ts.openwall.com
Subject: Re: regexec infinite loop on self-referential backreference
 pattern

* Rich Felker <dalias@...c.org> [2026-03-24 09:11:36 -0400]:
> On Mon, Mar 23, 2026 at 10:54:55PM +0100, Szabolcs Nagy wrote:
> > Subject: [PATCH] regex: reject invalid \digit back reference in BRE
> > 
> > in BRE \n matches the nth subexpression, but regcomp did not check if
> > the nth subexpression was complete or not, only that there were more
> > subexpressions overall than the largest backref.
> > 
> > fix regcomp to error if the referenced subexpression is incomplete.
> > the bug could cause an infinite loop in regexec:
> > 
> >  regcomp(&re, "\\(^a*\\1\\)*", 0);
> >  regexec(&re, "aa", 0, 0, 0);
> > 
> > so this is a DoS vuln if the pattern is not under control (ERE is not
> > affected).
> 
> Looks good. Except I would not characterize this as a "vuln" because
> BRE is inherently subject to backreferences taking exponential time
> which, for all practical purposes, is the same as infinite time. It's
> an application vuln if it passes untrusted BRE to regcomp.

makes sense, feel free to modify the commit message
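
An added example, not part of the original thread and not musl's code: a standalone pre-check for the condition the quoted commit message describes, a BRE \digit that refers to a subexpression which is missing or still open at that point. The function name `bre_backrefs_ok` and the 64-level nesting limit are assumptions made here.

```c
/* Hypothetical helper, not musl code: returns 1 if every \digit in the
 * POSIX BRE `p` refers to a subexpression that is already closed at that
 * point, 0 otherwise. Other syntax errors are left for regcomp to report. */
int bre_backrefs_ok(const char *p)
{
    int stack[64];          /* numbers of the currently open \( groups */
    int depth = 0, opened = 0;
    char closed[10] = {0};  /* closed[n] is set once group n has seen its \) */

    while (*p) {
        if (*p == '\\') {
            char c = p[1];
            if (!c) break;                      /* trailing backslash */
            if (c == '(') {
                if (depth == 64) return 0;      /* assumed limit: reject conservatively */
                stack[depth++] = ++opened;
            } else if (c == ')' && depth > 0) {
                int n = stack[--depth];
                if (n <= 9) closed[n] = 1;
            } else if (c >= '1' && c <= '9' && !closed[c - '0']) {
                return 0;                       /* group missing or still open */
            }
            p += 2;
        } else if (*p == '[') {
            /* Bracket expression: backslash is literal inside, skip it whole. */
            p++;
            if (*p == '^') p++;
            if (*p == ']') p++;                 /* a leading ] is a literal */
            while (*p && *p != ']') {
                if (*p == '[' && (p[1] == ':' || p[1] == '.' || p[1] == '=')) {
                    char k = p[1];              /* [:class:], [.coll.] or [=equiv=] */
                    p += 2;
                    while (*p && !(*p == k && p[1] == ']')) p++;
                    if (*p) p++;                /* step onto the ] that ends it */
                }
                if (*p) p++;
            }
            if (*p) p++;                        /* closing ] of the bracket */
        } else {
            p++;
        }
    }
    return 1;
}
```

A caller would run this before regcomp and refuse the pattern on 0. Accepted patterns can still take exponential time in regexec, as noted in the thread.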
