[njs] Fixed RegExp compilation after 17124c81.

Thu, 03 Jul 2025 19:07:18 -0700 

details:   
https://github.com/nginx/njs/commit/ecc237b079a699537351ddc3dd1ade2f96918451
branches:  master
commit:    ecc237b079a699537351ddc3dd1ade2f96918451
user:      Dmitry Volyntsev <xei...@nginx.com>
date:      Thu, 3 Jul 2025 16:53:33 -0700
description:
Fixed RegExp compilation after 17124c81.

Previously, heap-buffer-overflow happened due to incorrect copying of
[...] regexp parts.

Found by OSS-Fuzz.

---
 external/njs_regex.c     |  9 ++++++++-
 src/test/njs_unit_test.c | 16 ++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/external/njs_regex.c b/external/njs_regex.c
index a0decefd..cd45afc0 100644
--- a/external/njs_regex.c
+++ b/external/njs_regex.c
@@ -177,11 +177,16 @@ njs_regex_escape(njs_mp_t *mp, njs_str_t *text)
                 continue;
 
             } else {
-                *dst++ = *p;
+                *dst++ = *p++; /* Copy '['. */
+
                 while (p < end && *p != ']') {
                     *dst++ = *p++;
                 }
 
+                if (p < end) {
+                    *dst++ = *p; /* Copy ']'. */
+                }
+
                 continue;
             }
         }
@@ -189,6 +194,8 @@ njs_regex_escape(njs_mp_t *mp, njs_str_t *text)
         *dst++ = *p;
     }
 
+    njs_assert(dst == text->start + text->length);
+
     return NJS_OK;
 
 #else
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index 33472f24..541e3327 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -9556,6 +9556,9 @@ static njs_unit_test_t  njs_test[] =
     { njs_str("/["),
       njs_str("SyntaxError: Unterminated RegExp \"/[\" in 1") },
 
+    { njs_str("/[][a"),
+      njs_str("SyntaxError: Unterminated RegExp \"/[][a\" in 1") },
+
     { njs_str("/[\\"),
       njs_str("SyntaxError: Unterminated RegExp \"/[\\\" in 1") },
 
@@ -9591,11 +9594,24 @@ static njs_unit_test_t  njs_test[] =
       njs_str("/\\]cd/") },
 #endif
 
+    { njs_str("RegExp('[][a')"),
+      njs_str("SyntaxError: "
+              njs_pcre_var("pcre_compile2(\"(?!)[a\") failed: missing 
terminating ] for character class at \"\"",
+                           "pcre_compile(\"[][a\") failed: missing terminating 
] for character class")) },
+
+    { njs_str("RegExp('[][a][a')"),
+      njs_str("SyntaxError: "
+              njs_pcre_var("pcre_compile2(\"(?!)[a][a\") failed: missing 
terminating ] for character class at \"\"",
+                           "pcre_compile(\"[][a][a\") failed: missing 
terminating ] for character class")) },
+
     { njs_str("RegExp('[\\\\')"),
       njs_str("SyntaxError: "
               njs_pcre_var("pcre_compile2(\"[\\\") failed: \\ at end of 
pattern at \"\"",
                            "pcre_compile(\"[\\\") failed: \\ at end of 
pattern")) },
 
+    { njs_str("RegExp('[][a]')"),
+      njs_str(njs_pcre_var("/(?!)[a]/", "/[][a]/")) },
+
     { njs_str("RegExp('\\\\0').source[1]"),
       njs_str("0") },
 
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply via email to