From 6b37292d0f3cc70d051c1afefa6e80be7c37aabc Mon Sep 17 00:00:00 2001
From: Kyryl Melekhin
Date: Tue, 7 Sep 2021 18:46:21 +0000
Subject: [PATCH] add theoretical nsubs size limit
---
 pike.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pike.c b/pike.c
index 92f86a7..0dff780 100644
--- a/pike.c
+++ b/pike.c
@@ -537,12 +537,18 @@ int re_pikevm(rcode *prog, const char *s, const char **subp, int nsubp)
 {
 int i, j, c, gen, subidx = 1, *npc;
 int rsubsize = sizeof(rsub)+(sizeof(char*)*nsubp);
+ int nsubssize = rsubsize * (prog->len+3 - prog->splits);
 int clistidx = 0, nlistidx = 0;
 const char *sp = s, *_sp = s;
 int *insts = prog->insts;
 int *pcs[prog->splits];
 rsub *subs[prog->splits];
- char nsubs[rsubsize * (prog->len+3 - prog->splits)];
+ /* Although worst case scenario nsubs size is prog->len,
+ with moderate sized regexes it is easy to stack overflow
+ here. Most of the time only very small portion of memory
+ is actually used, but it is necessary to cover all cases
+ and posible paths, as it is nondeterministic. */
+ char nsubs[nsubssize > 500000 ? 500000 : nsubssize];
 rsub *nsub, *s1, *matched = NULL, *freesub = NULL;
 rthread _clist[prog->len], _nlist[prog->len];
 rthread *clist = _clist, *nlist = _nlist, *tmp;
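Review bot: Capping the nsubs VLA at 500000 bytes only moves the hazard unless the code that carves rsub records out of nsubs (in the rest of re_pikevm, outside this hunk) is bounded by the same limit; if it still assumes the full rsubsize * (prog->len+3 - prog->splits) pool, an input whose real demand exceeds the cap turns a stack-exhaustion crash into a stack buffer overwrite, which is worse. The new `int nsubssize = rsubsize * (...)` also multiplies in signed int: a large nsubp or prog->len can overflow (undefined behaviour) and a negative result would pass the `> 500000` test and be used as a VLA length, so compute it as `size_t nsubssize = (size_t)rsubsize * (size_t)(prog->len+3 - prog->splits);`, clamp with `if (nsubssize > NSUBS_MAX) nsubssize = NSUBS_MAX;` where NSUBS_MAX is a named enum constant instead of the bare 500000, and declare `char nsubs[nsubssize];`. A half-megabyte VLA next to the `_clist`/`_nlist`/`pcs`/`subs` VLAs is still more than the default stack of many secondary threads, so a comment stating the minimum stack the function needs, or a heap fallback when nsubssize exceeds the cap, would make the limit defensible rather than "theoretical". The function body continues past the end of the hunk, so the consumer-side check cannot be confirmed from here.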