From ee400ea880dc46bb02c4be2564b183c114d4cd42 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Mon, 26 Aug 2019 19:00:13 +0300
Subject: [PATCH] Fixed heap-buffer-overflow while parsing regexp literals. This closes #174 issue on Github.
---
 src/njs_regexp.c | 14 +++++++++++---
 src/test/njs_unit_test.c | 12 ++++++++++++
 2 files changed, 23 insertions(+), 3 deletions(-)
diff --git a/src/njs_regexp.c b/src/njs_regexp.c
index c488ce09..038cbfef 100644
--- a/src/njs_regexp.c
+++ b/src/njs_regexp.c
@@ -333,14 +333,22 @@ njs_regexp_literal(njs_vm_t *vm, njs_parser_t *parser, njs_value_t *value)
 goto failed;
 case '[':
- while (++p < lexer->end && *p != ']') {
+ while (1) {
+ if (++p >= lexer->end) {
+ goto failed;
+ }
+
+ if (*p == ']') {
+ break;
+ }
+
 switch (*p) {
 case '\n':
 case '\r':
 goto failed;
 case '\\':
- if (++p < lexer->end && (*p == '\n' || *p == '\r')) {
+ if (++p >= lexer->end || *p == '\n' || *p == '\r') {
 goto failed;
 }
@@ -351,7 +359,7 @@ njs_regexp_literal(njs_vm_t *vm, njs_parser_t *parser, njs_value_t *value)
 break;
 case '\\':
- if (++p < lexer->end && (*p == '\n' || *p == '\r')) {
+ if (++p >= lexer->end || *p == '\n' || *p == '\r') {
 goto failed;
 }
diff --git a/src/test/njs_unit_test.c b/src/test/njs_unit_test.c
index d9209350..f61eb3f3 100644
--- a/src/test/njs_unit_test.c
+++ b/src/test/njs_unit_test.c
@@ -5877,9 +5877,18 @@ static njs_unit_test_t njs_test[] =
 { njs_str("/]/"),
 njs_str("/\\]/") },
+ { njs_str("/["),
+ njs_str("SyntaxError: Unterminated RegExp \"/[\" in 1") },
+
+ { njs_str("/[\\"),
+ njs_str("SyntaxError: Unterminated RegExp \"/[\\\" in 1") },
+
 { njs_str("RegExp(']')"),
 njs_str("/\\]/") },
+ { njs_str("RegExp('[\\\\')"),
+ njs_str("SyntaxError: pcre_compile(\"[\\\") failed: \\ at end of pattern") },
+
 { njs_str("RegExp('[\\\\\\\\]]')"),
 njs_str("/[\\\\]\\]/") },
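Review bot: The fix depends on the bound test running before every `*p` read that follows a `++p`, and that invariant is not stated anywhere near the three sites touched here (the loop head and the escape check in `case '['`, and the top-level `case '\\'` in the @@ -351,7 +359,7 @@ hunk). The replaced form `++p < lexer->end && (...)` did not fail when `++p` reached `lexer->end`, which shows how easily the two conditions get combined the wrong way round; a comment above `while (1)` such as `/* p is pre-incremented: compare it with lexer->end before every *p */` would make the rule explicit. The escape check `if (++p >= lexer->end || *p == '\n' || *p == '\r')` now appears verbatim in both places, so a small static helper would keep them from drifting apart. njs_regexp_literal starts and ends outside these hunks, so any other reads through `p` in the function are not visible here and deserve the same look.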
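Review bot: Neither added literal case reaches the top-level `case '\\'` branch that the second njs_regexp.c hunk changes, because `/[` and `/[\\` both end inside a character class. If no existing entry of njs_test[] already covers it (the array continues outside this hunk), a literal that ends right after a backslash outside a class would pin that branch too, for example `{ njs_str("/\\"), njs_str("SyntaxError: Unterminated RegExp \"/\\\" in 1") },`. The expected message is inferred from the two cases added above and should be confirmed by running the test.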
@@ -7859,6 +7868,9 @@ static njs_unit_test_t njs_test[] =
 { njs_str("new RegExp('[')"),
 njs_str("SyntaxError: pcre_compile(\"[\") failed: missing terminating ] for character class") },
+ { njs_str("new RegExp('['.repeat(16))"),
+ njs_str("SyntaxError: pcre_compile(\"[[[[[[[[[[[[[[[[\") failed: missing terminating ] for character class") },
+
 { njs_str("new RegExp('\\\\')"),
 njs_str("SyntaxError: pcre_compile(\"\\\") failed: \\ at end of pattern") },
--
2.47.3