Cypherpunks repositories - gostls13.git/commit

author	Russ Cox <rsc@golang.org>
	Wed, 28 Sep 2022 15:18:51 +0000 (11:18 -0400)
committer	Carlos Amedee <carlos@golang.org>
	Tue, 4 Oct 2022 17:08:16 +0000 (17:08 +0000)
commit	645abfe529dc325e16daa17210640c2907d1c17a
tree	014982187b50ffd5e3a53db864ea3562a1e03bf6	tree
parent	4fa773cdefd20be093c84f731be7d4febf5536fa	commit \| diff

[release-branch.go1.19] regexp: limit size of parsed regexps

Set a 128 MB limit on the amount of space used by []syntax.Inst
in the compiled form corresponding to a given regexp.

Also set a 128 MB limit on the rune storage in the *syntax.Regexp
tree itself.

Thanks to Adam Korczynski (ADA Logics) and OSS-Fuzz for reporting this issue.

Fixes CVE-2022-41715.
Updates #55949.
Fixes #55951.

Change-Id: Ia656baed81564436368cf950e1c5409752f28e1b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1592047
Reviewed-by: Julie Qiu <julieqiu@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Run-TryBot: Roland Shoemaker <bracewell@google.com>
TryBot-Result: Security TryBots <security-trybots@go-security-trybots.iam.gserviceaccount.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/438499
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Run-TryBot: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>

src/regexp/syntax/parse.go		diff \| blob \| history
src/regexp/syntax/parse_test.go		diff \| blob \| history