2003-02-05 18:41:33 +01:00
|
|
|
/*
|
|
|
|
* Copyright (c) 1998, 1999 Henry Spencer. All rights reserved.
|
|
|
|
*
|
|
|
|
* Development of this software was funded, in part, by Cray Research Inc.,
|
|
|
|
* UUNET Communications Services Inc., Sun Microsystems Inc., and Scriptics
|
|
|
|
* Corporation, none of whom are responsible for the results. The author
|
|
|
|
* thanks all of them.
|
|
|
|
*
|
|
|
|
* Redistribution and use in source and binary forms -- with or without
|
|
|
|
* modification -- are permitted for any purpose, provided that
|
|
|
|
* redistributions in source form retain this entire copyright notice and
|
|
|
|
* indicate the origin and nature of any modifications.
|
|
|
|
*
|
|
|
|
* I'd appreciate being given credit for this package in the documentation
|
|
|
|
* of software which uses it, but that is not a requirement.
|
|
|
|
*
|
|
|
|
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
|
|
|
* INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
|
|
* AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
|
|
|
|
* HENRY SPENCER BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
|
|
|
|
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
|
|
|
|
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
|
|
|
|
* OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
|
|
|
* WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
|
|
|
|
* OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
|
|
|
|
* ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
*
|
2010-09-20 22:08:53 +02:00
|
|
|
* src/include/regex/regcustom.h
|
2003-02-05 18:41:33 +01:00
|
|
|
*/
|
|
|
|
|
|
|
|
/* headers if any */
|
2017-03-08 23:01:13 +01:00
|
|
|
|
|
|
|
/*
|
|
|
|
* It's against Postgres coding conventions to include postgres.h in a
|
|
|
|
* header file, but we allow the violation here because the regexp library
|
|
|
|
* files specifically intend this file to supply application-dependent
|
|
|
|
* headers, and are careful to include this file before anything else.
|
|
|
|
*/
|
2003-02-05 18:41:33 +01:00
|
|
|
#include "postgres.h"
|
|
|
|
|
|
|
|
#include <ctype.h>
|
|
|
|
#include <limits.h>
|
2009-12-01 22:00:24 +01:00
|
|
|
#include <wctype.h>
|
|
|
|
|
2003-02-05 18:41:33 +01:00
|
|
|
#include "mb/pg_wchar.h"
|
|
|
|
|
2023-04-18 03:23:23 +02:00
|
|
|
#include "miscadmin.h" /* needed by rstacktoodeep */
|
2017-03-08 23:01:13 +01:00
|
|
|
|
2003-02-05 18:41:33 +01:00
|
|
|
|
|
|
|
/* overrides for regguts.h definitions, if any */
|
|
|
|
#define FUNCPTR(name, args) (*name) args
|
2023-04-08 11:52:35 +02:00
|
|
|
#define MALLOC(n) palloc_extended((n), MCXT_ALLOC_NO_OOM)
|
|
|
|
#define FREE(p) pfree(VS(p))
|
|
|
|
#define REALLOC(p,n) repalloc_extended(VS(p),(n), MCXT_ALLOC_NO_OOM)
|
Redesign interrupt/cancel API for regex engine.
Previously, a PostgreSQL-specific callback checked by the regex engine
had a way to trigger a special error code REG_CANCEL if it detected that
the next call to CHECK_FOR_INTERRUPTS() would certainly throw via
ereport().
A later proposed bugfix aims to move some complex logic out of signal
handlers, so that it won't run until the next CHECK_FOR_INTERRUPTS(),
which makes the above design impossible unless we split
CHECK_FOR_INTERRUPTS() into two phases, one to run logic and another to
ereport(). We may develop such a system in the future, but for the
regex code it is no longer necessary.
An earlier commit moved regex memory management over to our
MemoryContext system. Given that the purpose of the two-phase interrupt
checking was to free memory before throwing, something we don't need to
worry about anymore, it seems simpler to inject CHECK_FOR_INTERRUPTS()
directly into cancelation points, and just let it throw.
Since the plan is to keep PostgreSQL-specific concerns separate from the
main regex engine code (with a view to bein able to stay in sync with
other projects), do this with a new macro INTERRUPT(), customizable in
regcustom.h and defaulting to nothing.
Reviewed-by: Tom Lane <tgl@sss.pgh.pa.us>
Discussion: https://postgr.es/m/CA%2BhUKGK3PGKwcKqzoosamn36YW-fsuTdOPPF1i_rtEO%3DnEYKSg%40mail.gmail.com
2023-04-08 11:57:46 +02:00
|
|
|
#define INTERRUPT(re) CHECK_FOR_INTERRUPTS()
|
2007-10-06 18:01:51 +02:00
|
|
|
#define assert(x) Assert(x)
|
2003-02-05 18:41:33 +01:00
|
|
|
|
|
|
|
/* internal character type and related */
|
|
|
|
typedef pg_wchar chr; /* the type itself */
|
|
|
|
typedef unsigned uchr; /* unsigned type that will hold a chr */
|
2003-08-04 02:43:34 +02:00
|
|
|
|
2003-02-05 18:41:33 +01:00
|
|
|
#define CHR(c) ((unsigned char) (c)) /* turn char literal into chr literal */
|
|
|
|
#define DIGITVAL(c) ((c)-'0') /* turn chr digit into its value */
|
|
|
|
#define CHRBITS 32 /* bits in a chr; must not use sizeof */
|
|
|
|
#define CHR_MIN 0x00000000 /* smallest and largest chr; the value */
|
Fix some regex issues with out-of-range characters and large char ranges.
Previously, our regex code defined CHR_MAX as 0xfffffffe, which is a
bad choice because it is outside the range of type "celt" (int32).
Characters approaching that limit could lead to infinite loops in logic
such as "for (c = a; c <= b; c++)" where c is of type celt but the
range bounds are chr. Such loops will work safely only if CHR_MAX+1
is representable in celt, since c must advance to beyond b before the
loop will exit.
Fortunately, there seems no reason not to restrict CHR_MAX to 0x7ffffffe.
It's highly unlikely that Unicode will ever assign codes that high, and
none of our other backend encodings need characters beyond that either.
In addition to modifying the macro, we have to explicitly enforce character
range restrictions on the values of \u, \U, and \x escape sequences, else
the limit is trivially bypassed.
Also, the code for expanding case-independent character ranges in bracket
expressions had a potential integer overflow in its calculation of the
number of characters it could generate, which could lead to allocating too
small a character vector and then overwriting memory. An attacker with the
ability to supply arbitrary regex patterns could easily cause transient DOS
via server crashes, and the possibility for privilege escalation has not
been ruled out.
Quite aside from the integer-overflow problem, the range expansion code was
unnecessarily inefficient in that it always produced a result consisting of
individual characters, abandoning the knowledge that we had a range to
start with. If the input range is large, this requires excessive memory.
Change it so that the original range is reported as-is, and then we add on
any case-equivalent characters that are outside that range. With this
approach, we can bound the number of individual characters allowed without
sacrificing much. This patch allows at most 100000 individual characters,
which I believe to be more than the number of case pairs existing in
Unicode, so that the restriction will never be hit in practice.
It's still possible for range() to take awhile given a large character code
range, so also add statement-cancel detection to its loop. The downstream
function dovec() also lacked cancel detection, and could take a long time
given a large output from range().
Per fuzz testing by Greg Stark. Back-patch to all supported branches.
Security: CVE-2016-0773
2016-02-08 16:25:40 +01:00
|
|
|
#define CHR_MAX 0x7ffffffe /* CHR_MAX-CHR_MIN+1 must fit in an int, and
|
2016-08-19 18:51:02 +02:00
|
|
|
* CHR_MAX+1 must fit in a chr variable */
|
2003-02-05 18:41:33 +01:00
|
|
|
|
2016-02-15 23:11:51 +01:00
|
|
|
/*
|
|
|
|
* Check if a chr value is in range. Ideally we'd just write this as
|
|
|
|
* ((c) >= CHR_MIN && (c) <= CHR_MAX)
|
|
|
|
* However, if chr is unsigned and CHR_MIN is zero, the first part of that
|
|
|
|
* is a no-op, and certain overly-nannyish compilers give warnings about it.
|
|
|
|
* So we leave that out here. If you want to make chr signed and/or CHR_MIN
|
|
|
|
* not zero, redefine this macro as above. Callers should assume that the
|
|
|
|
* macro may multiply evaluate its argument, even though it does not today.
|
|
|
|
*/
|
|
|
|
#define CHR_IS_IN_RANGE(c) ((c) <= CHR_MAX)
|
|
|
|
|
Make locale-dependent regex character classes work for large char codes.
Previously, we failed to recognize Unicode characters above U+7FF as
being members of locale-dependent character classes such as [[:alpha:]].
(Actually, the same problem occurs for large pg_wchar values in any
multibyte encoding, but UTF8 is the only case people have actually
complained about.) It's impractical to get Spencer's original code to
handle character classes or ranges containing many thousands of characters,
because it insists on considering each member character individually at
regex compile time, whether or not the character will ever be of interest
at run time. To fix, choose a cutoff point MAX_SIMPLE_CHR below which
we process characters individually as before, and deal with entire ranges
or classes as single entities above that. We can actually make things
cheaper than before for chars below the cutoff, because the color map can
now be a simple linear array for those chars, rather than the multilevel
tree structure Spencer designed. It's more expensive than before for
chars above the cutoff, because we must do a binary search in a list of
high chars and char ranges used in the regex pattern, plus call iswalpha()
and friends for each locale-dependent character class used in the pattern.
However, multibyte encodings are normally designed to give smaller codes
to popular characters, so that we can expect that the slow path will be
taken relatively infrequently. In any case, the speed penalty appears
minor except when we have to apply iswalpha() etc. to high character codes
at runtime --- and the previous coding gave wrong answers for those cases,
so whether it was faster is moot.
Tom Lane, reviewed by Heikki Linnakangas
Discussion: <15563.1471913698@sss.pgh.pa.us>
2016-09-05 23:06:29 +02:00
|
|
|
/*
|
|
|
|
* MAX_SIMPLE_CHR is the cutoff between "simple" and "complicated" processing
|
|
|
|
* in the color map logic. It should usually be chosen high enough to ensure
|
|
|
|
* that all common characters are <= MAX_SIMPLE_CHR. However, very large
|
|
|
|
* values will be counterproductive since they cause more regex setup time.
|
|
|
|
* Also, small values can be helpful for testing the high-color-map logic
|
|
|
|
* with plain old ASCII input.
|
|
|
|
*/
|
|
|
|
#define MAX_SIMPLE_CHR 0x7FF /* suitable value for Unicode */
|
|
|
|
|
2003-02-05 18:41:33 +01:00
|
|
|
/* functions operating on chr */
|
2004-05-07 02:24:59 +02:00
|
|
|
#define iscalnum(x) pg_wc_isalnum(x)
|
|
|
|
#define iscalpha(x) pg_wc_isalpha(x)
|
|
|
|
#define iscdigit(x) pg_wc_isdigit(x)
|
|
|
|
#define iscspace(x) pg_wc_isspace(x)
|
2003-02-05 18:41:33 +01:00
|
|
|
|
|
|
|
/* and pick up the standard header */
|
|
|
|
#include "regex.h"
|