Il 21/11/19 13:13, Robert Loehning ha scritto:
>> ** [https://doc.qt.io/qt-5/qregularexpression.html QRegularExpression]
Giuseppe D'Angelo (22 November 2019 18:17) replied:
> This should mostly be fuzzing libpcre itself...
... which Google is probably already doing.
> Note that users should NEVER use / accept untrusted regular expressions.
> While we shouldn't crash or exhaust memory, PCREs will happily exhibit
> exponential backtracking behaviour, thus exposing applications to DOS
> attacks. There's nothing we can do about that.
... and filtering out the halting problem isn't even amenable to any
dumb heuristics (like the for/while/... crippling of the JS evaluator
fuzzer).
Probably best to concentrate our efforts elsewhere ...
Eddy.
_______________________________________________
Development mailing list
[email protected]
https://lists.qt-project.org/listinfo/development
