
LibRegex: Disallow excessively large repetition counts in {B,E}RE

Ali Mohammad Pur 4 年 前
コミット
189922f442
1 ファイル変更12 行追加1 行削除
  1. 12 1
      Userland/Libraries/LibRegex/RegexParser.cpp

+ 12 - 1
Userland/Libraries/LibRegex/RegexParser.cpp

@@ -13,6 +13,8 @@
 
 namespace regex {
 
+static constexpr size_t s_maximum_repetition_count = 1024 * 1024;
+
 ALWAYS_INLINE bool Parser::set_error(Error error)
 {
     if (m_parser_state.error == Error::NoError) {
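Review bot: `s_maximum_repetition_count` is introduced without a comment saying what it bounds or why the value is 1024 * 1024. A one-line comment above it would help, for example `// Largest count accepted in a BRE \{m,n\} or ERE {m,n} repetition; anything above is rejected with Error::InvalidBraceContent.` If the figure was chosen to keep compiled bytecode size in check, which the commit title suggests but the hunk does not show, saying so would tell the next maintainer what to re-evaluate before changing it. The set_error body shown as context continues outside the hunk.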
@@ -395,6 +397,12 @@ bool PosixBasicParser::parse_simple_re(ByteCode& bytecode, size_t& match_length_
         if (!try_skip("\\}"))
             return set_error(Error::MismatchingBrace);
 
+        if (max_limit.value_or(min_limit) < min_limit)
+            return set_error(Error::InvalidBraceContent);
+
+        if (min_limit > s_maximum_repetition_count || (max_limit.has_value() && *max_limit > s_maximum_repetition_count))
+            return set_error(Error::InvalidBraceContent);
+
         ByteCode::transform_bytecode_repetition_min_max(simple_re_bytecode, min_limit, max_limit, true);
         match_length_minimum += re_match_length_minimum * min_limit;
     } else {
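Review bot: The new limit is applied to each brace expression on its own, so nested bounded repetitions (a counted group inside another counted group) can still multiply to far more than `s_maximum_repetition_count`; the same holds for the ERE checks in parse_repetition_symbol. `match_length_minimum += re_match_length_minimum * min_limit;` is also still an unchecked size_t multiplication, and with a factor of up to 2^20 per nesting level it can wrap. If transform_bytecode_repetition_min_max grows the bytecode in proportion to the count (its body is not in this diff), a cumulative budget across the whole pattern would be the more robust bound when patterns come from untrusted input. At minimum, guard the multiplication, e.g. `if (min_limit != 0 && re_match_length_minimum > SIZE_MAX / min_limit) return set_error(Error::InvalidBraceContent);`. parse_simple_re starts and ends outside the hunk.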
@@ -533,6 +541,9 @@ ALWAYS_INLINE bool PosixExtendedParser::parse_repetition_symbol(ByteCode& byteco
         auto minimum = maybe_minimum.value();
         match_length_minimum *= minimum;
 
+        if (minimum > s_maximum_repetition_count)
+            return set_error(Error::InvalidBraceContent);
+
         if (match(TokenType::Comma)) {
             consume();
         } else {
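Review bot: `match_length_minimum *= minimum;` runs before the added `minimum > s_maximum_repetition_count` check, so an over-limit count is multiplied into the running minimum before the parse is rejected. Moving the check directly after `auto minimum = maybe_minimum.value();` keeps the rejected value out of parser state; this matters if match_length_minimum is a reference the caller still reads after an error, which the truncated signature does not show. The function body starts and ends outside the hunk.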
@@ -551,7 +562,7 @@ ALWAYS_INLINE bool PosixExtendedParser::parse_repetition_symbol(ByteCode& byteco
         }
         if (!number_builder.is_empty()) {
             auto value = number_builder.build().to_uint();
-            if (!value.has_value() || minimum > value.value())
+            if (!value.has_value() || minimum > value.value() || *value > s_maximum_repetition_count)
                 return set_error(Error::InvalidBraceContent);
 
             maybe_maximum = value.value();
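Review bot: The extended condition mixes `value.value()` and `*value` on the same Optional within one expression. Using one accessor throughout reads more cleanly, e.g. `if (!value.has_value() || minimum > *value || *value > s_maximum_repetition_count)`, with `maybe_maximum = *value;` below to match. The enclosing block continues outside the hunk.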