VYPR
← All advisories
Unrated severityNVD Advisory· Published Sep 9, 2019· Updated Aug 5, 2024

CVE-2019-16163

CVE-2019-16163

Description

Stack exhaustion in Oniguruma before 6.9.3 via deep recursion in regparse.c, allowing denial of service or other impact.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stack exhaustion in Oniguruma before 6.9.3 via deep recursion in regparse.c, allowing denial of service or other impact.

Vulnerability

Oniguruma versions before 6.9.3 contain a stack exhaustion vulnerability in the regcomp.c file due to deep recursion in regparse.c during parsing of certain regular expressions. The issue is triggered when processing very deeply nested regex patterns, such as a long sequence of + quantifiers. The vulnerable parsing functions include optimize_nodes() and tree_min_len(), which make recursive calls without proper depth limits. The commit that fixes the issue (4097828) introduces a ParseDepthLimit check in parse_exp() and parse_char_class() to bound recursion depth [1][2][3][4].

Exploitation

An attacker can supply a specially crafted regular expression with excessive nesting (e.g., a pattern containing a very long repetition: X++++++++...+). This can be provided to an application using Oniguruma via untrusted input, such as a web form or file that triggers regex compilation. No authentication or special privileges are required if the application processes user-supplied regex patterns. The proof-of-concept code in the issue report shows that executing onig_search() with a large regex leads to stack exhaustion [3].

Impact

Successful exploitation causes the process to crash due to stack exhaustion (denial of service). The Ubuntu security notice also lists potential for information disclosure or other unspecified impacts, though the primary and most immediate outcome is denial of service [1]. The attacker does not gain code execution or elevated privileges; the impact is limited to availability loss.

Mitigation

The vulnerability is fixed in Oniguruma version 6.9.3, released on September 9, 2019 [2]. Users should upgrade to version 6.9.3 or later. For Ubuntu systems, the fix is included in USN-4460-1 (August 2020) for Ubuntu 14.04 LTS and later [1]. No workaround exists other than updating the library. The CVE is not listed in CISA's Known Exploited Vulnerabilities catalog.

References
  1. USN-4460-1: Oniguruma vulnerabilities | Ubuntu security notices | Ubuntu
  2. Comparing v6.9.2...v6.9.3 · kkos/oniguruma
  3. Stack Exhaustion Problem caused by some parsing functions in regcomp.c making recursive calls to themselves.
  4. fix #147: Stack Exhaustion Problem caused by some parsing functions i… · kkos/oniguruma@4097828

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

63

Patches

2
813592905c2d

setup 6.9.3

https://github.com/kkos/onigurumaK.KosakoAug 5, 2019via osv
commit
6 files changed · +41 38
  • CMakeLists.txt+1 1 modified
    @@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 3.1)
 project(oniguruma
-  VERSION 6.9.2
+  VERSION 6.9.3
   LANGUAGES C)
 
 set(PACKAGE onig)
  • configure.ac+1 1 modified
    @@ -1,5 +1,5 @@
 dnl Process this file with autoconf to produce a configure script.
-AC_INIT(onig, 6.9.2)
+AC_INIT(onig, 6.9.3)
 
 AC_CONFIG_MACRO_DIR([m4])
  • index.html+2 1 modified
    @@ -8,14 +8,15 @@
 <h1>Oniguruma</h1> (<a href="index_ja.html">Japanese</a>)
 
 <p>
-(c) K.Kosako, updated at: 2019/05/14
+(c) K.Kosako, updated at: 2019/08/05
 </p>
 
 <dl>
 <font color="orange">
 <dt><b>What's new</b>
 </font>
 <ul>
+<li>2019/08/06: Version 6.9.3 released.</li>
 <li>2019/05/07: Version 6.9.2 released.</li>
 <li>2018/12/11: Version 6.9.1 released.</li>
 <li>2018/09/03: Version 6.9.0 released.</li>
  • index_ja.html+2 1 modified
    @@ -8,14 +8,15 @@
 <h1>鬼車</h1>
 
 <p>
-(c) K.Kosako, 最終更新: 2019/05/14
+(c) K.Kosako, 最終更新: 2019/08/05
 </p>
 
 <dl>
 <font color="orange">
 <dt><b>更新情報</b>
 </font>
 <ul>
+<li>2019/08/06: Version 6.9.3 リリース</li>
 <li>2019/05/07: Version 6.9.2 リリース</li>
 <li>2018/12/11: Version 6.9.1 リリース</li>
 <li>2018/09/03: Version 6.9.0 リリース</li>
  • README.md+33 32 modified
    @@ -27,15 +27,16 @@ Supported character encodings:
 * doc/SYNTAX.md: contributed by seanofw
 
 
-Master branch
--------------
+Version 6.9.3 (security fix release)
+------------------------------------
 
 * Fixed CVE-2019-13224
 * Fixed CVE-2019-13225
+* Fixed many problems (found by libfuzzer programs)
 
 
-New feature of version 6.9.2 (Reiwa)
------------------------------------
+Version 6.9.2 (Reiwa)
+---------------------
 
 * add doc/SYNTAX.md
 * Update Unicode version 12.1.0
@@ -46,35 +47,35 @@ New feature of version 6.9.2 (Reiwa)
   (Unicode Standard Annex #29 [http://unicode.org/reports/tr29/])
 
 
-New feature of version 6.9.1
---------------------------
+Version 6.9.1
+-------------
 
 * Speed improvement (* especially UTF-8)
 
 
-New feature of version 6.9.0
---------------------------
+Version 6.9.0
+-------------
 
 * Update Unicode version 11.0.0
 * NEW: add Emoji properties
 
 
-New feature of version 6.8.2
---------------------------
+Version 6.8.2
+-------------
 
 * Fix: #80 UChar in header causes issue
 * NEW API: onig_set_callout_user_data_of_match_param()  (* omission in 6.8.0)
 * add doc/CALLOUTS.API and doc/CALLOUTS.API.ja
 
 
-New feature of version 6.8.1
---------------------------
+Version 6.8.1
+-------------
 
 * Update shared library version to 5.0.0 for API incompatible changes from 6.7.1
 
 
-New feature of version 6.8.0
---------------------------
+Version 6.8.0
+-------------
 
 * Retry-limit-in-match function enabled by default
 * NEW: configure option --enable-posix-api=no  (* enabled by default)
@@ -85,32 +86,32 @@ New feature of version 6.8.0
 * Examples of Callouts program: [callout.c](sample/callout.c), [count.c](sample/count.c), [echo.c](sample/echo.c)
 
 
-New feature of version 6.7.1
---------------------------
+Version 6.7.1
+-------------
 
 * NEW: Mechanism of retry-limit-in-match (* disabled by default)
 
 
-New feature of version 6.7.0
---------------------------
+Version 6.7.0
+-------------
 
 * NEW: hexadecimal codepoint \uHHHH
 * NEW: add ONIG_SYNTAX_ONIGURUMA (== ONIG_SYNTAX_DEFAULT)
 * Disabled \N and \O on ONIG_SYNTAX_RUBY
 * Reduced size of object file
 
 
-New feature of version 6.6.0
---------------------------
+Version 6.6.0
+-------------
 
 * NEW: ASCII only mode options for character type/property (?WDSP)
 * NEW: Extended Grapheme Cluster boundary \y, \Y
 * NEW: Extended Grapheme Cluster \X
 * Range-clear (Absent-clear) operator restores previous range in retractions.
 
 
-New feature of version 6.5.0
---------------------------
+Version 6.5.0
+-------------
 
 * NEW: \K (keep)
 * NEW: \R (general newline) \N (no newline)
@@ -122,16 +123,16 @@ New feature of version 6.5.0
 * NEW: Absent stopper (?~|absent)     (*original)
 
 
-New feature of version 6.4.0
---------------------------
+Version 6.4.0
+-------------
 
 * Fix fatal problem of endless repeat on Windows
 * NEW: call zero (call the total regexp) \g<0>
 * NEW: relative backref/call by positive number \k<+n>, \g<+n>
 
 
-New feature of version 6.3.0
---------------------------
+Version 6.3.0
+-------------
 
 * NEW: octal codepoint \o{.....}
 * Fixed CVE-2017-9224
@@ -142,20 +143,20 @@ New feature of version 6.3.0
 * Fixed CVE-2017-9229
 
 
-New feature of version 6.1.2
---------------------------
+Version 6.1.2
+-------------
 
 * allow word bound, word begin and word end in look-behind.
 * NEW option: ONIG_OPTION_CHECK_VALIDITY_OF_STRING
 
-New feature of version 6.1
---------------------------
+Version 6.1
+-----------
 
 * improved doc/RE
 * NEW API: onig_scan()
 
-New feature of version 6.0
---------------------------
+Version 6.0
+-----------
 
 * Update Unicode 8.0 Property/Case-folding
 * NEW API: onig_unicode_define_user_property()
  • src/oniguruma.h+2 2 modified
    @@ -36,9 +36,9 @@ extern "C" {
 #define ONIGURUMA
 #define ONIGURUMA_VERSION_MAJOR   6
 #define ONIGURUMA_VERSION_MINOR   9
-#define ONIGURUMA_VERSION_TEENY   2
+#define ONIGURUMA_VERSION_TEENY   3
 
-#define ONIGURUMA_VERSION_INT     60902
+#define ONIGURUMA_VERSION_INT     60903
 
 #ifndef P_
 #if defined(__STDC__) || defined(_WIN32)
4097828d7cc8

fix #147: Stack Exhaustion Problem caused by some parsing functions in regcomp.c making recursive calls to themselves.

https://github.com/kkos/onigurumaK.KosakoJul 29, 2019via osv
commit
1 file changed · +10 1
  • src/regparse.c+10 1 modified
    @@ -6239,6 +6239,7 @@ parse_char_class(Node** np, PToken* tok, UChar** src, UChar* end, ScanEnv* env)
   env->parse_depth++;
   if (env->parse_depth > ParseDepthLimit)
     return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
+
   prev_cc = (CClassNode* )NULL;
   r = fetch_token_in_cc(tok, src, end, env);
   if (r == TK_CHAR && tok->u.c == '^' && tok->escaped == 0) {
@@ -7820,14 +7821,18 @@ static int
 parse_exp(Node** np, PToken* tok, int term, UChar** src, UChar* end,
           ScanEnv* env, int group_head)
 {
-  int r, len, group = 0;
+  int r, len, group;
   Node* qn;
   Node** tp;
+  unsigned int parse_depth;
 
+  group = 0;
   *np = NULL;
   if (tok->type == (enum TokenSyms )term)
     goto end_of_token;
 
+  parse_depth = env->parse_depth;
+
   switch (tok->type) {
   case TK_ALT:
   case TK_EOT:
@@ -8145,6 +8150,10 @@ parse_exp(Node** np, PToken* tok, int term, UChar** src, UChar* end,
       if (is_invalid_quantifier_target(*tp))
         return ONIGERR_TARGET_OF_REPEAT_OPERATOR_INVALID;
 
+      parse_depth++;
+      if (parse_depth > ParseDepthLimit)
+        return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
+
       qn = node_new_quantifier(tok->u.repeat.lower, tok->u.repeat.upper,
                                r == TK_INTERVAL);
       CHECK_NULL_RETURN_MEMERR(qn);

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

7

News mentions

0

No linked articles in our index yet.