authorph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>2008-07-10 16:03:28 +0000
committerph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>2008-07-10 16:03:28 +0000
commit73ef62bb1b47a722e0cd79a4476cfa52359173b0 (patch)
tree5fb4a1102685873f67d037f8645c460db7fbb404
parent29f13735ce70eafca41dbb0786264e84bb20996b (diff)
downloadpcre-73ef62bb1b47a722e0cd79a4476cfa52359173b0.tar.gz
Fix off-end-of-buffer bug for patterns that match only at start of line.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@361 2f5784b3-3f2a-0410-8824-cb99058d5e15
-rw-r--r--ChangeLog6
-rw-r--r--pcre_dfa_exec.c2
-rw-r--r--pcre_exec.c6
-rw-r--r--pcretest.c6
4 files changed, 16 insertions, 4 deletions
diff --git a/ChangeLog b/ChangeLog
index 0bc25c6..095447b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -49,6 +49,12 @@ Version 8.0 02 Jul-08
printf "/(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]/8\n" | pcretest
This potential security problem was recorded as CVE-2008-2371.
+
+12. For a pattern where the match had to start at the beginning or immediately
+ after a newline (e.g /.*anything/ without the DOTALL flag), pcre_exec() and
+ pcre_dfa_exec() could read past the end of the passed subject if there was
+ no match. To help with detecting such bugs (e.g. with valgrind), I modified
+ pcretest so that it places the subject at the end of its malloc-ed buffer.
Version 7.7 07-May-08
diff --git a/pcre_dfa_exec.c b/pcre_dfa_exec.c
index 8d38523..c0ed8eb 100644
--- a/pcre_dfa_exec.c
+++ b/pcre_dfa_exec.c
@@ -2755,7 +2755,7 @@ for (;;)
{
if (current_subject > md->start_subject + start_offset)
{
- while (current_subject <= end_subject && !WAS_NEWLINE(current_subject))
+ while (current_subject < end_subject && !WAS_NEWLINE(current_subject))
current_subject++;
/* If we have just passed a CR and the newline option is ANY or
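Review bot: With the bound changed to `<`, current_subject can now legitimately stop exactly at end_subject, so the CR/LF look-ahead announced by the comment on the last line of the hunk (its code is outside the hunk) must test `current_subject < end_subject` before reading `*current_subject`, otherwise the one-byte over-read is only moved one statement down. The loop's own reads go through WAS_NEWLINE, which from its name presumably inspects the bytes before the pointer; if so `< end_subject` is exactly right, since end_subject[-1] is the last valid byte and there is nothing left to scan once the pointer reaches end_subject. A why-comment would keep the bound from being "corrected" back to `<=` later: `/* Must be <, not <=: end_subject is one past the last byte, and the CR/LF check below reads from the current position */`. The enclosing for (;;) loop starts before the hunk.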
diff --git a/pcre_exec.c b/pcre_exec.c
index 27bce6d..11c742f 100644
--- a/pcre_exec.c
+++ b/pcre_exec.c
@@ -4719,9 +4719,9 @@ for(;;)
{
if (start_match > md->start_subject + start_offset)
{
- while (start_match <= end_subject && !WAS_NEWLINE(start_match))
+ while (start_match < end_subject && !WAS_NEWLINE(start_match))
{ NEXTCHAR(start_match); }
-
+
/* If we have just passed a CR and the newline option is ANY or ANYCRLF,
and we are now at a LF, advance the match position by one more character.
*/
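Review bot: The new bound still lets `NEXTCHAR(start_match)` run when start_match == end_subject - 1 and that byte is not a newline; NEXTCHAR is defined outside the hunk, and if it is the UTF-8-aware form that inspects `*p` after incrementing to skip continuation bytes, it will then read `*end_subject`, one byte past the subject, which is the very read this commit sets out to remove. The pcre_dfa_exec.c counterpart in the same commit steps with a plain `current_subject++`, which should suffice here as well provided WAS_NEWLINE only examines bytes before the pointer (a byte-at-a-time step cannot overshoot end_subject). I would either change the loop body to `start_match++;` or confirm that NEXTCHAR bounds its continuation-byte scan against end_subject, and add a comment on the loop stating which of the two holds. The enclosing for(;;) loop begins before the hunk.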
@@ -4818,7 +4818,7 @@ for(;;)
}
/* OK, we can now run the match. */
-
+
md->start_match_ptr = start_match;
md->match_call_count = 0;
rc = match(start_match, md->start_code, start_match, 2, md, ims, NULL, 0, 0);
diff --git a/pcretest.c b/pcretest.c
index 6dadb39..d611352 100644
--- a/pcretest.c
+++ b/pcretest.c
@@ -2027,6 +2027,12 @@ while (!done)
}
*q = 0;
len = q - dbuffer;
+
+ /* Move the data to the end of the buffer so that a read over the end of
+ the buffer will be seen by valgrind, even if it doesn't cause a crash. */
+
+ memmove(bptr + buffer_size - len, bptr, len);
+ bptr += buffer_size - len;
if ((all_use_dfa || use_dfa) && find_match_limit)
{
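Review bot: After the memmove the subject is no longer NUL-terminated: `memmove` copies only `len` bytes, so the terminator written by `*q = 0` just above stays at its old position and the byte following the moved subject lies outside the allocation. That is the intent, but any later use of `bptr` as a C string inside pcretest (a `%s` print, `strlen`) would itself read off the end and surface in valgrind as a pcretest fault rather than a library one, so the contract deserves a comment: `/* NB: after the move the subject is NOT NUL-terminated; use it only with an explicit length (len). */`. The arithmetic also assumes `bptr == dbuffer` and `len <= buffer_size` — `len` is measured from dbuffer while the move is relative to bptr — which I cannot confirm from the hunk; if bptr can differ from dbuffer here the destination is wrong. Since bptr is advanced past the start of the block, anything that later frees or resets the buffer must use dbuffer, not bptr. The enclosing while (!done) loop starts before the hunk.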