DoS risk: panic "index out of bounds" while building very small regex

[PaulGrandperrin]

Hi,

regex::Regex::new("a{\r\n");

will cause

thread 'main' panicked at 'index out of bounds: the len is 1 but the index is 1'

playground

I found it while porting https://github.com/rust-fuzz/targets to afl.rs and honggfuzz (it's currently only using libFuzzer).
It's funny because libFuzzer seems unable to find it while honggfuzz finds it reliably in just a couple of seconds and AFL in a couple of dozen of minutes.

Regexes sometimes are built from untrusted input so I guess it could be used for denial of service.

@robertswiecki : I found it with honggfuzz first, is that trophy worthy?

[BurntSushi]

I was stumped for a moment because I couldn't reproduce it with the following program:

extern crate regex;

use regex::Regex;

fn main() {
    let re = Regex::new(r"a{\r\n");
    println!("{:?}", re);
}

Running gives a syntax error, not a panic, as expected:

$ ./target/debug/regex-464
Err(Syntax(
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
regex parse error:
    a{\r\n
      ^
error: decimal literal empty
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
))

But it seems the issue here is that I used a raw string. If I use "a{\r\n" as in your example, then I can indeed reproduce this problem. The panic is actually coming from the error formatter, not the parser, which is interesting!

However you found this, it's definitely a legitimate bug, and I would consider it trophy worthy. :-)

[BurntSushi]

A fix should now be on crates.io in regex-syntax 0.5.5.

[PaulGrandperrin]

Awesome, thanks @BurntSushi !

[robertswiecki]

@PaulGrandperrin nice!! here's the trophy update - google/honggfuzz@ef1aa31#diff-04c6e90faac2675aa89e2176d2eec7d8