From b972b736dbc13120ae63cd6a8f94232e492dca8d Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Thu, 2 Apr 2026 16:58:05 -0600
Subject: [PATCH] Prevent integer overflow in regex repetition count
Limit the repetition count to 255 like POSIX does. Also avoid a crash when the repetition is the first atom parsed. From Renaud Allard.
---
 b.c | 6 ++++++
 bugs-fixed/repetition-no-atom.awk | 1 +
 bugs-fixed/repetition-no-atom.ok | 4 ++++
 bugs-fixed/repetition-overflow.awk | 1 +
 bugs-fixed/repetition-overflow.ok | 4 ++++
 5 files changed, 16 insertions(+)
 create mode 100644 bugs-fixed/repetition-no-atom.awk
 create mode 100644 bugs-fixed/repetition-no-atom.ok
 create mode 100644 bugs-fixed/repetition-overflow.awk
 create mode 100644 bugs-fixed/repetition-overflow.ok
diff --git a/b.c b/b.c
index 455e6f8..ace133e 100644
--- a/b.c
+++ b/b.c
@@ -1212,6 +1212,9 @@ replace_repeat(const uschar *reptok, int reptoklen, const uschar *atom,
 static int repeat(const uschar *reptok, int reptoklen, const uschar *atom,
 int atomlen, int firstnum, int secondnum)
 {
+ if (atom == NULL)
+ return 0;
+
 /*
 In general, the repetition specifier or "bound" is replaced here
 by an equivalent ERE string, repeating the immediately previous atom
@@ -1459,6 +1462,9 @@ int relex(void) /* lexical analyzer for reparse */
 lastre);
 } else if (isdigit(c)) {
 num = 10 * num + c - '0';
+ if (num > 255)
+ FATAL("repetition count %.20s too large",
+ lastre);
 digitfound = true;
 } else if (c == ',') {
 if (commafound)
diff --git a/bugs-fixed/repetition-no-atom.awk b/bugs-fixed/repetition-no-atom.awk
new file mode 100644
index 0000000..83d5c9e
--- /dev/null
+++ b/bugs-fixed/repetition-no-atom.awk
@@ -0,0 +1 @@
+/{00}/
diff --git a/bugs-fixed/repetition-no-atom.ok b/bugs-fixed/repetition-no-atom.ok
new file mode 100644
index 0000000..aee8fb5
--- /dev/null
+++ b/bugs-fixed/repetition-no-atom.ok
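Review bot: The new early return at the top of `repeat()` says nothing about what a NULL `atom` means or what a return value of 0 tells the caller; the added fixture repetition-no-atom.ok shows the regex is subsequently rejected as an "illegal primary", so presumably 0 signals "no rewrite performed" and the caller falls through to its normal error path, but that handling is not visible in this hunk. A one-line comment would make the contract explicit, e.g. `/* No preceding atom (a bound at the start of the RE): nothing to repeat; return 0 so the caller treats the brace as an ordinary illegal primary. */`, once the caller's treatment of 0 is confirmed. The body of repeat() continues past the hunk.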
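Review bot: The bound in the new `if (num > 255)` in relex() is a bare literal, and it carries two meanings a reader of that line cannot see: the commit message says it mirrors POSIX, and the comment in the `repeat()` hunk shows the count also decides how many times the atom is expanded into an equivalent ERE string, so the cap bounds that expansion as well as the integer. Suggest a named constant with that rationale, e.g. `enum { MAX_REPEAT = 255 }; /* _POSIX2_RE_DUP_MAX; also bounds the ERE expansion built by repeat() */` and `if (num > MAX_REPEAT)`, rather than the platform's `RE_DUP_MAX` from <limits.h>, which may be larger than 255 on some systems and would reopen the expansion-size problem. If the upper bound of a `{n,m}` form is accumulated through this same isdigit branch (the comma handling is only partly visible) it is covered by the check; if it is accumulated elsewhere it needs the same guard. relex() continues outside the hunk.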
@@ -0,0 +1,4 @@
+awk: illegal primary in regular expression {00} at
+ source line number 1 source file /usr/src/local/Languages/Awk/awk/bugs-fixed/repetition-no-atom.awk
+ context is
+ >>> /{00}/ <<<
diff --git a/bugs-fixed/repetition-overflow.awk b/bugs-fixed/repetition-overflow.awk
new file mode 100644
index 0000000..48e2030
--- /dev/null
+++ b/bugs-fixed/repetition-overflow.awk
@@ -0,0 +1 @@
+/a{256}/
diff --git a/bugs-fixed/repetition-overflow.ok b/bugs-fixed/repetition-overflow.ok
new file mode 100644
index 0000000..71f8577
--- /dev/null
+++ b/bugs-fixed/repetition-overflow.ok
@@ -0,0 +1,4 @@
+awk: repetition count a{256} too large
+ source line number 1 source file /home/millert/a
+ context is
+ >>> /a{256}/ <<<
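Review bot: Both expected-output fixtures embed a machine-specific absolute path in the "source file" line, and the two disagree with each other: repetition-no-atom.ok expects `/usr/src/local/Languages/Awk/awk/bugs-fixed/repetition-no-atom.awk` while repetition-overflow.ok expects `/home/millert/a`, which is not even the fixture's own name. Unless the test harness strips or normalises that line before comparing (not visible here), these will only match on the author's checkout, and the overflow one likely not at all when run as bugs-fixed/repetition-overflow.awk. Suggest making both files use whatever path form the runner actually produces for files under bugs-fixed/, so the two fixtures are consistent with each other and with the rest of the directory.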