Am 22.11.2019 um 19:11 schrieb Edward Welbourne: > Il 21/11/19 13:13, Robert Loehning ha scritto: >>> ** [https://doc.qt.io/qt-5/qregularexpression.html QRegularExpression] > > Giuseppe D'Angelo (22 November 2019 18:17) replied: >> This should mostly be fuzzing libpcre itself... > > ... which Google is probably already doing.
At least it seems to be on oss-fuzz as well: https://github.com/google/oss-fuzz/tree/master/projects/pcre2 >> Note that users should NEVER use / accept untrusted regular expressions. >> While we shouldn't crash or exhaust memory, PCREs will happily exhibit >> exponential backtracking behaviour, thus exposing applications to DOS >> attacks. There's nothing we can do about that. > > ... and filtering out the halting problem isn't even amenable to any > dumb heuristics (like the for/while/... crippling of the JS evaluator > fuzzer). > > Probably best to concentrate our efforts elsewhere ... > > Eddy. > _______________________________________________ > Development mailing list > [email protected] > https://lists.qt-project.org/listinfo/development > _______________________________________________ Development mailing list [email protected] https://lists.qt-project.org/listinfo/development
