Skip to content

Set a hard limit on regular expression length #128

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
laurikari merged 3 commits into from
Dec 20, 2025
Merged

Set a hard limit on regular expression length #128

laurikari merged 3 commits into from
Dec 20, 2025

Conversation

@dag-erling
Copy link
Collaborator

@dag-erling dag-erling commented Dec 19, 2025

The effective limit on regular expression length today is slightly less than half the stack size, which is hardcoded to 10,240 entries. Due to a lack of input validation and persistent use of signed types, values much larger than that will cause TRE to overflow and either crash or misbehave instead of returning REG_ESPACE.

This pull request increases the maximum stack size and sets a hard limit on regular expression length so we always return REG_ESPACE long before we overflow.

Note that this does not address matching, where TRE will misbehave if given a string longer than INT_MAX. Fixing that will require significantly more work than fixing compilation did.

@dag-erling
stack: Switch to exponential growth
1e8683a 
* Grow the stack exponentially instead of linearly.

* Use size_t instead of int for sizes.

* Rename stack_num_objects() to stack_num_items() to reduce confusion
  between stack objects and objects on the stack.
@dag-erling
regcomp: Use size_t for sizes
6859a2e
@dag-erling dag-erling requested a review from laurikari December 19, 2025 20:50
@dag-erling dag-erling self-assigned this Dec 19, 2025
@dag-erling dag-erling added the bug label Dec 19, 2025
@laurikari
Copy link
Owner

laurikari commented Dec 20, 2025
edited
Loading

This is a nice improvement!

Looks like tre_regwncomp doesn't enforce TRE_MAX_RE. I would add the same check there.

Also, tre_regcomp and tre_regwcomp now call strlen (or wcslen) unconditionally. Previously, NULL was treated as length 0. Now I'm not sure if anyone relies on this, but it is a change in behavior... I would keep the old guard (pun intended).

@dag-erling
Set a hard limit on regular expression length
35f6307 
The effective limit on regular expression length today is slightly less
than half the stack size, which is hardcoded to 10,240 entries.  Due to
a lack of input validation and persistent use of signed types, values
much larger than that will cause TRE to overflow and either crash or
misbehave instead of returning REG_ESPACE.

* Define TRE_MAX_STACK to 1048576 and use that as our stack size
  limit.

* Define TRE_MAX_RE to 65536 and refuse to compile a regular expression
  longer than that (in characters, not bytes).

* Adjust the tests to handle the increased limit.

* Since we make an effort to not crash when asked to compile a null
  regular expression, add tests to verify that we don't.
@dag-erling
Copy link
Collaborator Author

dag-erling commented Dec 20, 2025

Fixed

@laurikari laurikari merged commit 7df6b4f into laurikari:master Dec 20, 2025
3 checks passed
@dag-erling dag-erling mentioned this pull request Dec 22, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@laurikari laurikari Awaiting requested review from laurikari

Assignees

@dag-erling dag-erling

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dag-erling @laurikari