https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61601
--- Comment #13 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to Maksymilian Arciemowicz from comment #8)
> > there's no memory problem, it just takes an exponentially long time to run
> > (which is expected when using backtracking).
>
> call it CPU resource exhaustion (CWE-400)
That's not a libstdc++ bug. If you write a ridiculously complex regex, it will
execute very slowly.
If your application uses such a regex, or allows untrusted user input to be
passed straight to a std::regex constructor, that is a weakness in your
application, not in std::regex.
> > To avoid it, you can use Thompson NFA:
> >
> > #define _GLIBCXX_REGEX_USE_THOMPSON_NFA
> > #include <regex>
> >
> > int main (int argc, char *argv[])
> > {
> >   std::regex_match("findme", std::regex("(.*{100}{200}findme)",
> >                    std::regex_constants::extended));
> >
> >   return 0;
> > }
> >
> > Notice that for now Thompson NFA doesn't support ECMAScript.
>
> yep.
>
> try (.*{300}{100}) with _GLIBCXX_REGEX_USE_THOMPSON_NFA. stack exhaustion
> occurs, like in #61582
I can't reproduce any resource exhaustion, it just runs for a very long time.
I'm going to close this. For the two examples in comment 0 an exception is
thrown when compiling the regex, as expected.
The first case throws error_space because there are too many states.
The second one is rejected because {2444444444} is too large. It throws
error_backref but maybe that should be error_space as well.
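
The following is an added example, not code from the bug report or from libstdc++. It shows one way an application can keep untrusted patterns away from a bare std::regex constructor: cap the pattern length and turn the std::regex_error thrown at compile time into a status. The helper name compile_untrusted, the PatternStatus enum and the 256-character cap are assumptions made for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <regex>
#include <string>

enum class PatternStatus { ok, too_long, too_complex, invalid };

// Assumed application policy, not a libstdc++ limit.
constexpr std::size_t kMaxPatternLen = 256;

// Hypothetical helper: compile a pattern that came from an untrusted source.
// On success the compiled regex is stored in 'out'.
PatternStatus compile_untrusted(const std::string& pattern, std::regex& out)
{
    if (pattern.size() > kMaxPatternLen)
        return PatternStatus::too_long;
    try {
        out = std::regex(pattern, std::regex_constants::extended);
        return PatternStatus::ok;
    } catch (const std::regex_error& e) {
        const auto code = e.code();
        // Resource-related rejections (e.g. too many NFA states).
        if (code == std::regex_constants::error_space ||
            code == std::regex_constants::error_complexity ||
            code == std::regex_constants::error_stack)
            return PatternStatus::too_complex;
        // Everything else is treated as a malformed pattern.
        return PatternStatus::invalid;
    }
}

int main()
{
    // Constructed sample inputs: valid, unbalanced paren, over the length cap.
    const std::string samples[] = {"a+b", "(ab", std::string(300, 'a')};
    for (const auto& s : samples) {
        std::regex re;
        std::cout << static_cast<int>(compile_untrusted(s, re)) << '\n';
    }
    return 0;
}
```

This only covers rejection at compile time; a pattern that compiles can still take a very long time to match with the backtracking executor, so matching against untrusted patterns needs its own limit.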