From: drh <>
Date: Fri, 26 Sep 2025 13:14:20 +0000 (+0000)
Subject: In the regexp extension, limit the maximum value of integers in the
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=80d74f09347372105731952acd47d79fd072a5d1;p=thirdparty%2Fsqlite.git

In the regexp extension, limit the maximum value of integers in the
"{p,q}" syntax, as performance of the NFA used to do pattern matching
is linear in the maximum such integer.  The limit is SQLITE_MAX_REGEXP_REPEAT
which defaults to 999.  This helps to prevent DoS attacks in systems that
make use of the regexp extension.

FossilOrigin-Name: 911c745f88c0ee8569e67bbcbbab034264f8c981b505aadac3ce7289486a1a68
---

diff --git a/ext/misc/regexp.c b/ext/misc/regexp.c
index 447e403f80..cea94df144 100644
--- a/ext/misc/regexp.c
+++ b/ext/misc/regexp.c
@@ -26,7 +26,7 @@
 **     X*      zero or more occurrences of X
 **     X+      one or more occurrences of X
 **     X?      zero or one occurrences of X
-**     X{p,q}  between p and q occurrences of X
+**     X{p,q}  between p and q occurrences of X,   0 <= p,q <= 999
 **     (X)     match X
 **     X|Y     X or Y
 **     ^X      X occurring at the beginning of the string
@@ -55,12 +55,19 @@
 ** to p copies of X following by q-p copies of X? and that the size of the
 ** regular expression in the O(N*M) performance bound is computed after
 ** this expansion.
+**
+** To help prevent DoS attacks, the values of p and q in the "{p,q}" syntax
+** are limited to SQLITE_MAX_REGEXP_REPEAT, default 999.
 */
 #include <string.h>
 #include <stdlib.h>
 #include "sqlite3ext.h"
 SQLITE_EXTENSION_INIT1
 
+#ifndef SQLITE_MAX_REGEXP_REPEAT
+# define SQLITE_MAX_REGEXP_REPEAT 999
+#endif
+
 /*
 ** The following #defines change the names of some functions implemented in
 ** this file to prevent name collisions with C-library functions of the
@@ -566,12 +573,20 @@ static const char *re_subcompile_string(ReCompiled *p){
         unsigned int m = 0, n = 0;
         unsigned int sz, j;
         if( iPrev<0 ) return "'{m,n}' without operand";
-        while( (c=rePeek(p))>='0' && c<='9' ){ m = m*10 + c - '0'; p->sIn.i++; }
+        while( (c=rePeek(p))>='0' && c<='9' ){
+          m = m*10 + c - '0';
+          if( m>SQLITE_MAX_REGEXP_REPEAT ) return "integer too large";
+          p->sIn.i++;
+        }
         n = m;
         if( c==',' ){
           p->sIn.i++;
           n = 0;
-          while( (c=rePeek(p))>='0' && c<='9' ){ n = n*10 + c-'0'; p->sIn.i++; }
+          while( (c=rePeek(p))>='0' && c<='9' ){
+            n = n*10 + c-'0';
+            if( n>SQLITE_MAX_REGEXP_REPEAT ) return "integer too large";
+            p->sIn.i++;
+          }
         }
         if( c!='}' ) return "unmatched '{'";
         if( n<m ) return "n less than m in '{m,n}'";
diff --git a/manifest b/manifest
index d49423a3fd..436da6ac63 100644
--- a/manifest
+++ b/manifest
@@ -1,5 +1,5 @@
-C Get\swasmfs\sbuild\sworking\sin\sthe\snew\ssetup.\sDisable\sthe\scustom\swasm\sloader\sbecause\sits\sgenerated\smakefile\scode\sis\scurrently\sbroken.
-D 2025-09-26T12:49:41.370
+C In\sthe\sregexp\sextension,\slimit\sthe\smaximum\svalue\sof\sintegers\sin\sthe\n"{p,q}"\ssyntax,\sas\sperformance\sof\sthe\sNFA\sused\sto\sdo\spattern\smatching\nis\slinear\sin\sthe\smaximum\ssuch\sinteger.\s\sThe\slimit\sis\sSQLITE_MAX_REGEXP_REPEAT\nwhich\sdefaults\sto\s999.\s\sThis\shelps\sto\sprevent\sDoS\sattacks\sin\ssystems\sthat\nmake\suse\sof\sthe\sregexp\sextension.
+D 2025-09-26T13:14:20.156
 F .fossil-settings/binary-glob 61195414528fb3ea9693577e1980230d78a1f8b0a54c78cf1b9b24d0a409ed6a x
 F .fossil-settings/empty-dirs dbb81e8fc0401ac46a1491ab34a7f2c7c0452f2f06b54ebb845d024ca8283ef1
 F .fossil-settings/ignore-glob 35175cdfcf539b2318cb04a9901442804be81cd677d8b889fcc9149c21f239ea
@@ -389,7 +389,7 @@ F ext/misc/percentile.c 72e05a21db20a2fa85264b99515941f00ae698824c9db82d7edfbb16
 F ext/misc/prefixes.c 82645f79229877afab08c8b08ca1e7fa31921280906b90a61c294e4f540cd2a6
 F ext/misc/qpvtab.c fc189e127f68f791af90a487f4460ec91539a716daf45a0c357e963fd47cc06c
 F ext/misc/randomjson.c ef835fc64289e76ac4873b85fe12f9463a036168d7683cf2b773e36e6262c4ed
-F ext/misc/regexp.c fb3647ab48bf9e49dd4401e5168b6c13868018b4867ba95d5b84ef18851ee3da
+F ext/misc/regexp.c 8a762ed5d34a26f85fcaff687a405c38e85c541f5f489c964d99b5bc95aedbe1
 F ext/misc/remember.c add730f0f7e7436cd15ea3fd6a90fd83c3f706ab44169f7f048438b7d6baa69c
 F ext/misc/rot13.c 51ac5f51e9d5fd811db58a9c23c628ad5f333c173f1fc53c8491a3603d38556c
 F ext/misc/scrub.c 2a44b0d44c69584c0580ad2553f6290a307a49df4668941d2812135bfb96a946
@@ -1520,7 +1520,7 @@ F test/rdonly.test 64e2696c322e3538df0b1ed624e21f9a23ed9ff8
 F test/readonly.test 0d307c335b3421898cfe64a783a376138aa003849b6bff61ee2d21e805bc0051
 F test/recover.test c76d05f33f0271fba0f0752170e03b0ab5952dc61dcea7ab3ba40df03c4c42de
 F test/regexp1.test 8f2a8bc1569666e29a4cee6c1a666cd224eb6d50e2470d1dc1df995170f3e0f1
-F test/regexp2.test 55ed41da802b0e284ac7e2fe944be3948f93ff25abbca0361a609acfed1368b5
+F test/regexp2.test 02ebe3cf5a06c5fcc40387d906875bafa1cdbe8d3289170a05e34bbb57dc2884
 F test/reindex.test cd9d6021729910ece82267b4f5e1b5ac2911a7566c43b43c176a6a4732e2118d
 F test/reservebytes.test 6163640b5a5120c0dee6591481e673a0fa0bf0d12d4da7513bad692c1a49a162
 F test/resetdb.test 54c06f18bc832ac6d6319e5ab23d5c8dd49fdbeec7c696d791682a8006bd5fc3
@@ -2169,8 +2169,8 @@ F tool/version-info.c 3b36468a90faf1bbd59c65fd0eb66522d9f941eedd364fabccd7227350
 F tool/warnings-clang.sh bbf6a1e685e534c92ec2bfba5b1745f34fb6f0bc2a362850723a9ee87c1b31a7
 F tool/warnings.sh 1ad0169b022b280bcaaf94a7fa231591be96b514230ab5c98fbf15cd7df842dd
 F tool/win/sqlite.vsix deb315d026cc8400325c5863eef847784a219a2f
-P 8f17e1d869685b51f3368feed03dc06543ec16bc8fd81b8daad2ac2dbf99c5d6
-R 5e672d86934b8320ca0a7d5b18bc23c5
-U stephan
-Z 1a1ba5bad861e833b8982957ff27b00f
+P 36bc2514f70af5608aa20903d9c38b316603e2f78f2cbf4a20c7c79b60c5b8d5
+R 8d76d36b83ffa10f8973f107bc375552
+U drh
+Z 3a7db3386aaa43ed8b2a45f636c561b9
 # Remove this line to create a well-formed Fossil manifest.
diff --git a/manifest.uuid b/manifest.uuid
index d27b9a429f..7e1b86a63e 100644
--- a/manifest.uuid
+++ b/manifest.uuid
@@ -1 +1 @@
-36bc2514f70af5608aa20903d9c38b316603e2f78f2cbf4a20c7c79b60c5b8d5
+911c745f88c0ee8569e67bbcbbab034264f8c981b505aadac3ce7289486a1a68
diff --git a/test/regexp2.test b/test/regexp2.test
index 3e1da9f230..f2643c4a5c 100644
--- a/test/regexp2.test
+++ b/test/regexp2.test
@@ -141,4 +141,19 @@ do_execsql_test 4.16 {SELECT '   ' REGEXP '[^a-z]{2}'} {1}
 do_execsql_test 4.17 {SELECT 'abc' REGEXP '\W{1,1}'} {0}
 do_execsql_test 4.18 {SELECT 'abc' REGEXP '\W{1}'} {0}
 
+do_execsql_test 5.0 {
+  SELECT 'abc' REGEXP 'a{1,999}bc';
+} 1
+do_catchsql_test 5.1 {
+  SELECT 'abc' REGEXP 'a{1,1000}bc';
+} {1 {integer too large}}
+do_execsql_test 5.2 {
+  SELECT 'abc' REGEXP 'a{999}bc';
+} 0
+do_catchsql_test 5.3 {
+  SELECT 'abc' REGEXP 'a{1000}bc';
+} {1 {integer too large}}
+
+
+
 finish_test