From 39d8b45d0f485376f77fdde316210d7d3fd0e587 Mon Sep 17 00:00:00 2001
From: Andrew Gallant <jamslam@gmail.com>
Date: Mon, 9 Oct 2023 13:50:42 -0400
Subject: [PATCH] automata: fix invalid accelerators

It's possible for DFA deserialization to result in an otherwise valid
DFA, but one that records accelerated DFA states without any actual
accelerator. We remedy that by checking for it at deserialization time.

Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=60739
Fixes https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=61255

fixup
---
 ...ata_deserialize_dense_dfa-5883983265923072 | Bin 0 -> 2734 bytes
 ...ata_deserialize_dense_dfa-6363062083649536 | Bin 0 -> 2735 bytes
 regex-automata/src/dfa/dense.rs               |  18 ++++++++++++++++++
 3 files changed, 18 insertions(+)
 create mode 100644 fuzz/regressions/clusterfuzz-testcase-minimized-fuzz_regex_automata_deserialize_dense_dfa-5883983265923072
 create mode 100644 fuzz/regressions/clusterfuzz-testcase-minimized-fuzz_regex_automata_deserialize_dense_dfa-6363062083649536

diff --git a/fuzz/regressions/clusterfuzz-testcase-minimized-fuzz_regex_automata_deserialize_dense_dfa-5883983265923072 b/fuzz/regressions/clusterfuzz-testcase-minimized-fuzz_regex_automata_deserialize_dense_dfa-5883983265923072
new file mode 100644
index 0000000000000000000000000000000000000000..233fcbc950a61bc614dc0e0a7418724fa0c36c56
GIT binary patch
literal 2734
zcmZQ%VEF(4KNFB(WMp6fqESE~1R4m)<B~1`N<6|PIVwIH0;3@?8UmvsFd70h3V}B?
zGI!Ki8ifF`F~&+YqnQYrgrNdxKN}8RVmQR{30tEzE<yHL0mX!Xv<W_q5IHUo1pr9f
B2($nI

literal 0
HcmV?d00001

diff --git a/fuzz/regressions/clusterfuzz-testcase-minimized-fuzz_regex_automata_deserialize_dense_dfa-6363062083649536 b/fuzz/regressions/clusterfuzz-testcase-minimized-fuzz_regex_automata_deserialize_dense_dfa-6363062083649536
new file mode 100644
index 0000000000000000000000000000000000000000..d4a35d1d10e221c0acff68cfca53eba4ddd84aa2
GIT binary patch
literal 2735
zcmZQ#U|{$U1VDn3k%0k-Mm(qjhJeE$4+R4}?i=iG$K!OmO5qDbx;kXkve6J24S~@R
o7!85Z5E#G^U_!SW*cfC(7o&i0jn=pXanZ%ljR!SNfdDQH0K!oY)c^nh

literal 0
HcmV?d00001

diff --git a/regex-automata/src/dfa/dense.rs b/regex-automata/src/dfa/dense.rs
index 902f4b273..fd96bc878 100644
--- a/regex-automata/src/dfa/dense.rs
+++ b/regex-automata/src/dfa/dense.rs
@@ -2346,6 +2346,24 @@ impl<'a> DFA<&'a [u32]> {
         dfa.accels.validate()?;
         // N.B. dfa.special doesn't have a way to do unchecked deserialization,
         // so it has already been validated.
+        for state in dfa.states() {
+            // If the state is an accel state, then it must have a non-empty
+            // accelerator.
+            if dfa.is_accel_state(state.id()) {
+                let index = dfa.accelerator_index(state.id());
+                if index >= dfa.accels.len() {
+                    return Err(DeserializeError::generic(
+                        "found DFA state with invalid accelerator index",
+                    ));
+                }
+                let needles = dfa.accels.needles(index);
+                if !(1 <= needles.len() && needles.len() <= 3) {
+                    return Err(DeserializeError::generic(
+                        "accelerator needles has invalid length",
+                    ));
+                }
+            }
+        }
         Ok((dfa, nread))
     }