Thanks Kostya for the fuzzing work! This patch reduces _GLIBCXX_REGEX_STATE_LIMIT to a reasonably small number (but not too small), so that libFuzzer doesn't find as many crashers (none in a short period of time, actually) with an 8MB stack on a 64-bit machine.
Thanks! -- Regards, Tim Shen
commit 4021ce78ed48215e7b765e8879ca65612933ee62
Author: Tim Shen <tims...@google.com>
Date: Fri Feb 10 17:34:45 2017 -0800
2017-02-10 Tim Shen <tims...@google.com> * include/bits/regex_automaton.h: Reduce _GLIBCXX_REGEX_STATE_LIMIT to 16384, that removes most stack overflow cases detected by libFuzzer with a 8MB stack. * testsuite/28_regex/regression.cc: Add a test.
diff --git a/libstdc++-v3/include/bits/regex_automaton.h b/libstdc++-v3/include/bits/regex_automaton.h
index a5fab6356cc..20fd02cea8f 100644
--- a/libstdc++-v3/include/bits/regex_automaton.h
+++ b/libstdc++-v3/include/bits/regex_automaton.h
@@ -30,7 +30,7 @@
 // This macro defines the maximal state number a NFA can have.
 #ifndef _GLIBCXX_REGEX_STATE_LIMIT
-#define _GLIBCXX_REGEX_STATE_LIMIT 100000
+#define _GLIBCXX_REGEX_STATE_LIMIT 16384
 #endif
 namespace std _GLIBCXX_VISIBILITY(default)
diff --git a/libstdc++-v3/testsuite/28_regex/regression.cc b/libstdc++-v3/testsuite/28_regex/regression.cc
index b73b7641710..d3ffac81c77 100644
--- a/libstdc++-v3/testsuite/28_regex/regression.cc
+++ b/libstdc++-v3/testsuite/28_regex/regression.cc
@@ -110,6 +110,23 @@ test07()
 VERIFY(thrown);
 }
+// Too many states.
+void
+test08()
+{
+ bool thrown = false;
+ try
+ {
+ std::regex re(".*{100}{300}");
+ }
+ catch (const std::regex_error &e)
+ {
+ if (e.code() == regex_constants::error_space)
+ thrown = true;
+ }
+ VERIFY(thrown);
+}
+
 int
 main()
 {
@@ -120,6 +137,7 @@ main()
 test05();
 test06();
 test07();
+ test08();
 return 0;
 }
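Review bot: The comment above `_GLIBCXX_REGEX_STATE_LIMIT` in regex_automaton.h still says only that it is the maximal NFA state number, so nothing at the definition records why 16384 was chosen or what raising it risks. Per the commit message the value is empirical: it removes most, not all, of the stack overflows libFuzzer found with an 8MB stack, so code that handles untrusted patterns on a smaller stack may still overflow and should not treat this limit as a guarantee. Because the `#ifndef` guard lets a build predefine a larger value, I would extend the comment along the lines of `// Bounds NFA size to limit stack use; 16384 was chosen empirically for an 8MB stack. Raising it can reintroduce stack overflows.`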
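Review bot: `test08` in regression.cc checks only that an over-limit pattern is rejected with `error_space`; it does not exercise a large pattern that stays under the limit, which is the side where a stack overflow could still occur. The test also depends implicitly on the default limit: if the testsuite were built with `_GLIBCXX_REGEX_STATE_LIMIT` predefined to a larger value, `.*{100}{300}` might no longer throw and the failure would be hard to read. The existing `// Too many states.` comment could record this, for example `// Needs more than _GLIBCXX_REGEX_STATE_LIMIT (default 16384) states; must throw error_space.` A companion case that constructs a large but accepted pattern and expects no exception would cover the other side of the limit.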