author | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2012-04-21 18:06:31 +0000 |
---|---|---|
committer | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2012-04-21 18:06:31 +0000 |
commit | 0c6344b222dca94ccf3895e72035845c7abfba45 (patch) | |
tree | 2f449668b93f13bbe8d1b4161b63b7baa5585c2a | |
parent | 0ccf556bc0830fdc09d32d52ae317a95fe631ca9 (diff) | |
download | pcre-0c6344b222dca94ccf3895e72035845c7abfba45.tar.gz |
Fix ovector overrun when backreferences need temporary memory and the
highest-numbered capturing group is not set in the match.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@963 2f5784b3-3f2a-0410-8824-cb99058d5e15
-rw-r--r-- | ChangeLog | 12 | ||||
-rw-r--r-- | pcre_exec.c | 2 | ||||
-rw-r--r-- | pcretest.c | 1 | ||||
-rw-r--r-- | testdata/testinput2 | 3 | ||||
-rw-r--r-- | testdata/testoutput2 | 5 |
5 files changed, 22 insertions, 1 deletions
@@ -95,6 +95,18 @@ Version 8.31 \w+ when the character tables indicated that \x{c4} was a word character. There were several related cases, all because the tests for doing a table lookup were testing for characters less than 127 instead of 255. + +27. If a pattern contains capturing parentheses that are not used in a match, + their slots in the ovector are set to -1. For those that are higher than + any matched groups, this happens at the end of processing. In the case when + there were back references that the ovector was too small to contain + (causing temporary malloc'd memory to be used during matching), and the + highest capturing number was not used, memory off the end of the ovector + was incorrectly being set to -1. (It was using the size of the temporary + memory instead of the true size.) + +28. To catch bugs like 27 using valgrind, when pcretest is asked to specify an + ovector size, it uses memory at the end of the block that it has got. Version 8.30 04-February-2012 diff --git a/pcre_exec.c b/pcre_exec.c index e7f0e30..e4c0bf9 100644 --- a/pcre_exec.c +++ b/pcre_exec.c @@ -7070,7 +7070,7 @@ if (rc == MATCH_MATCH || rc == MATCH_ACCEPT) { register int *iptr, *iend; int resetcount = 2 + re->top_bracket * 2; - if (resetcount > offsetcount) resetcount = ocount; + if (resetcount > offsetcount) resetcount = offsetcount; iptr = offsets + md->end_offset_top; iend = offsets + resetcount; while (iptr < iend) *iptr++ = -1; @@ -3719,6 +3719,7 @@ while (!done) } use_size_offsets = n; if (n == 0) use_offsets = NULL; /* Ensures it can't write to it */ + else use_offsets = offsets + size_offsets_max - n; /* To catch overruns */ continue; case 'P': diff --git a/testdata/testinput2 b/testdata/testinput2 index 7a2182d..2baa867 100644 --- a/testdata/testinput2 +++ b/testdata/testinput2 @@ -3760,4 +3760,7 @@ COMMIT to escape from the assertion. --/ /(?=a(*COMMIT)b|(ac)) ac | (a)c/x ac +"AB(C(D))(E(F))?(?(?=\2)(?=\4))" + ABCDGHI\O03 + /-- End of testinput2 --/ 
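Review bot: The clamp now uses the caller's `offsetcount` instead of `ocount`, but nothing at the `if (resetcount > offsetcount)` line records why the two differ, and the next tidy-up is likely to repeat the original mistake; add above it `/* Clamp to the caller's vector length, not ocount: ocount can be the size of the larger temporary vector, and using it wrote -1 past the caller's buffer. */`. With a short vector the loop then resets `offsets[md->end_offset_top .. resetcount)`, which can include entries in the top third that pcre_exec() treats as workspace; that stays inside the caller's buffer, so it is not an overrun, but a word saying it is intentional would help. If `offsets` can be NULL with `offsetcount == 0` (the pcretest.c hunk passes exactly that), `offsets + md->end_offset_top` is pointer arithmetic on a null pointer even though the loop body never executes, so a guard such as `if (offsetcount < 2) ... else` before this block is warranted unless the surrounding code, not visible here, already has one. The enclosing function starts and ends outside the hunk.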
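Review bot: The new `else` arm computes `offsets + size_offsets_max - n`, which only points inside the block when `n <= size_offsets_max`; the closing brace just above suggests a growth branch handles larger `n` before this line, but that is outside the hunk, so an `assert(n <= size_offsets_max);` or a comment stating the invariant next to the new line would make the dependency visible. Placing the usable vector at the end of the allocation means an overrun now leaves the malloc'd block (which is what valgrind reports) while an underrun lands in owned memory and goes unnoticed, the reverse of the previous placement at the start; the comment `/* To catch overruns */` could say so: `/* Vector sits at the end of the block so any write past n ints leaves the allocation and valgrind flags it; writes before it no longer do. */`. The enclosing `while (!done)` loop and its switch start and end outside the hunk.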
diff --git a/testdata/testoutput2 b/testdata/testoutput2 index a595d6f..a5ac180 100644 --- a/testdata/testoutput2 +++ b/testdata/testoutput2 @@ -12349,4 +12349,9 @@ COMMIT to escape from the assertion. --/ 1: <unset> 2: a +"AB(C(D))(E(F))?(?(?=\2)(?=\4))" + ABCDGHI\O03 +Matched, but too many substrings + 0: ABCD + /-- End of testinput2 --/ |