Diffstat (limited to 'src/test')
-rw-r--r-- | src/test/regress/expected/regex.out | 56 | ||||
-rw-r--r-- | src/test/regress/sql/regex.sql | 13 |
2 files changed, 69 insertions, 0 deletions
diff --git a/src/test/regress/expected/regex.out b/src/test/regress/expected/regex.out
index 69a2ed00e4b..ef1ead5babb 100644
--- a/src/test/regress/expected/regex.out
+++ b/src/test/regress/expected/regex.out
@@ -160,6 +160,62 @@ select 'a' ~ '($|^)*';
  t
 (1 row)
 
+-- These cases expose a bug in the original fix for CVE-2007-4772
+select 'a' ~ '(^)+^';
+ ?column? 
+----------
+ t
+(1 row)
+
+select 'a' ~ '$($$)+';
+ ?column? 
+----------
+ t
+(1 row)
+
+-- More cases of infinite loop in pullback(), not fixed by CVE-2007-4772 fix
+select 'a' ~ '($^)+';
+ ?column? 
+----------
+ f
+(1 row)
+
+select 'a' ~ '(^$)*';
+ ?column? 
+----------
+ t
+(1 row)
+
+select 'aa bb cc' ~ '(^(?!aa))+';
+ ?column? 
+----------
+ f
+(1 row)
+
+select 'aa x' ~ '(^(?!aa)(?!bb)(?!cc))+';
+ ?column? 
+----------
+ f
+(1 row)
+
+select 'bb x' ~ '(^(?!aa)(?!bb)(?!cc))+';
+ ?column? 
+----------
+ f
+(1 row)
+
+select 'cc x' ~ '(^(?!aa)(?!bb)(?!cc))+';
+ ?column? 
+----------
+ f
+(1 row)
+
+select 'dd x' ~ '(^(?!aa)(?!bb)(?!cc))+';
+ ?column? 
+----------
+ t
+(1 row)
+
 -- Test for infinite loop in fixempties() (Tcl bugs 3604074, 3606683)
 select 'a' ~ '((((((a)*)*)*)*)*)*';
  ?column? 
diff --git a/src/test/regress/sql/regex.sql b/src/test/regress/sql/regex.sql
index 0a07eaf8a65..56207e04b23 100644
--- a/src/test/regress/sql/regex.sql
+++ b/src/test/regress/sql/regex.sql
@@ -38,6 +38,19 @@ explain (costs off) select * from pg_proc where proname ~ '^(abc)?d';
 
 -- Test for infinite loop in pullback() (CVE-2007-4772)
 select 'a' ~ '($|^)*';
+-- These cases expose a bug in the original fix for CVE-2007-4772
+select 'a' ~ '(^)+^';
+select 'a' ~ '$($$)+';
+
+-- More cases of infinite loop in pullback(), not fixed by CVE-2007-4772 fix
+select 'a' ~ '($^)+';
+select 'a' ~ '(^$)*';
+select 'aa bb cc' ~ '(^(?!aa))+';
+select 'aa x' ~ '(^(?!aa)(?!bb)(?!cc))+';
+select 'bb x' ~ '(^(?!aa)(?!bb)(?!cc))+';
+select 'cc x' ~ '(^(?!aa)(?!bb)(?!cc))+';
+select 'dd x' ~ '(^(?!aa)(?!bb)(?!cc))+';
+
 -- Test for infinite loop in fixempties() (Tcl bugs 3604074, 3606683)
 select 'a' ~ '((((((a)*)*)*)*)*)*';
 select 'a' ~ '((((((a+|)+|)+|)+|)+|)+|)'; |
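Review bot: The comments on the added cases name the bug but not the failure a regression would produce, and for the group under `-- More cases of infinite loop in pullback(), not fixed by CVE-2007-4772 fix` that failure is presumably a statement that never returns rather than a mismatch against the expected output. A line at the start of that group, such as `-- A regression here shows up as a hung test run, not as a result diff`, would tell whoever is looking at a stalled run where to start. The first group's comment (`These cases expose a bug in the original fix`) likewise leaves open whether the symptom was a wrong match result or non-termination; one extra clause would settle it. Because these patterns are hang-class inputs to the regex compiler, it may also be worth deciding whether the run should be bounded by a timeout, though whether that would take effect depends on compilation being interruptible, which this hunk does not show.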