Issue #9669: Protect re against infinite loops on zero-width matching in
non-greedy repeat. Patch by Matthew Barnett.
diff --git a/Modules/_sre.c b/Modules/_sre.c
index 4421eae..e76144d 100644
--- a/Modules/_sre.c
+++ b/Modules/_sre.c
@@ -1295,13 +1295,18 @@
LASTMARK_RESTORE();
- if (ctx->count >= ctx->u.rep->pattern[2]
- && ctx->u.rep->pattern[2] != SRE_MAXREPEAT)
+ if ((ctx->count >= ctx->u.rep->pattern[2]
+ && ctx->u.rep->pattern[2] != SRE_MAXREPEAT) ||
+ state->ptr == ctx->u.rep->last_ptr)
RETURN_FAILURE;
ctx->u.rep->count = ctx->count;
+ /* zero-width match protection */
+ DATA_PUSH(&ctx->u.rep->last_ptr);
+ ctx->u.rep->last_ptr = state->ptr;
DO_JUMP(JUMP_MIN_UNTIL_3,jump_min_until_3,
ctx->u.rep->pattern+3);
+ DATA_POP(&ctx->u.rep->last_ptr);
if (ret) {
RETURN_ON_ERROR(ret);
RETURN_SUCCESS;
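Review bot: The new `state->ptr == ctx->u.rep->last_ptr` term in the `if` before `RETURN_FAILURE` is only sound if `last_ptr` is reset whenever the repeat context is set up, and that initialisation is not visible in this hunk; a stale value could reject a legitimate iteration, so it is worth confirming against the code that creates `ctx->u.rep`. The comment `/* zero-width match protection */` sits on the save/restore while the guard itself is uncommented; above the `if` I would add `/* fail if the body matched without consuming input since the last iteration; otherwise a non-greedy repeat can loop forever */`, and note at `DATA_PUSH`/`DATA_POP` that the previous `last_ptr` is restored after the jump so an outer iteration sees its own value again. Because the hang could be triggered by a pattern alone, a regression test with an empty-matching body under a lazy quantifier belongs with this change; none appears on this page. The enclosing opcode case starts and ends outside the hunk.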