authorph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>2015-03-29 11:22:24 +0000
committerph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>2015-03-29 11:22:24 +0000
commit0bff93ec6f942ad9703a33416c3ca2ddc060de73 (patch)
tree9e5a206d59fc71fe9900b3736e8d173a4cdb5be6
parente97ec7dc839022a3efe740c532ea3e67e4446430 (diff)
downloadpcre-0bff93ec6f942ad9703a33416c3ca2ddc060de73.tar.gz
Fix bug caused by a parenthesized comment between a subroutine call and its quantifier.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1538 2f5784b3-3f2a-0410-8824-cb99058d5e15
-rw-r--r--ChangeLog5
-rw-r--r--pcre_compile.c45
-rw-r--r--testdata/testinput13
-rw-r--r--testdata/testoutput15
4 files changed, 39 insertions, 19 deletions
diff --git a/ChangeLog b/ChangeLog
index 346a8e6..aa60599 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -127,6 +127,11 @@ Version 8.37 xx-xxx-2015
other kinds of group caused stack overflow at compile time. This bug was
discovered by the LLVM fuzzer.
+32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
+ between a subroutine call and its quantifier was incorrectly compiled,
+ leading to buffer overflow or other errors. This bug was discovered by the
+ LLVM fuzzer.
+
Version 8.36 26-September-2014
------------------------------
diff --git a/pcre_compile.c b/pcre_compile.c
index 015e4a1..810df84 100644
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -6472,15 +6472,25 @@ for (;; ptr++)
parenthesis forms. */
case CHAR_LEFT_PARENTHESIS:
- newoptions = options;
- skipbytes = 0;
- bravalue = OP_CBRA;
- save_hwm_offset = cd->hwm - cd->start_workspace;
- reset_bracount = FALSE;
+ ptr++;
- /* First deal with various "verbs" that can be introduced by '*'. */
+ /* First deal with comments. Putting this code right at the start ensures
+ that comments have no bad side effects. */
+
+ if (ptr[0] == CHAR_QUESTION_MARK && ptr[1] == CHAR_NUMBER_SIGN)
+ {
+ ptr += 2;
+ while (*ptr != CHAR_NULL && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
+ if (*ptr == CHAR_NULL)
+ {
+ *errorcodeptr = ERR18;
+ goto FAILED;
+ }
+ continue;
+ }
+
+ /* Now deal with various "verbs" that can be introduced by '*'. */
- ptr++;
if (ptr[0] == CHAR_ASTERISK && (ptr[1] == ':'
|| (MAX_255(ptr[1]) && ((cd->ctypes[ptr[1]] & ctype_letter) != 0))))
{
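Review bot: The `continue` at the end of the new comment branch leaves `ptr` on the closing parenthesis and relies on the `for (;; ptr++)` increment to step past it, but nothing at the site says so; a comment such as `/* ptr is on the ')'; the loop increment steps over it */` before the `continue` would make that dependency explicit. The scan also stops at the first `)` with no escape handling, so a backslash before the parenthesis does not extend the comment; if that is the intended rule for `(?#...)` comments, saying so in the block comment keeps a later reader from "fixing" it. The `ptr[1]` read is safe here because `ptr[0] == '?'` already rules out the terminator, which is worth a word since the old code reached the same test from inside the `(?` switch. The enclosing compile loop begins before the hunk.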
@@ -6601,10 +6611,18 @@ for (;; ptr++)
goto FAILED;
}
+ /* Initialize for "real" parentheses */
+
+ newoptions = options;
+ skipbytes = 0;
+ bravalue = OP_CBRA;
+ save_hwm_offset = cd->hwm - cd->start_workspace;
+ reset_bracount = FALSE;
+
/* Deal with the extended parentheses; all are introduced by '?', and the
appearance of any of them means that this is not a capturing group. */
- else if (*ptr == CHAR_QUESTION_MARK)
+ if (*ptr == CHAR_QUESTION_MARK)
{
int i, set, unset, namelen;
int *optset;
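Review bot: Turning `else if (*ptr == CHAR_QUESTION_MARK)` into a plain `if` is only safe if every path through the preceding verb block leaves via `continue` or `goto FAILED`; the hunk shows just the trailing `goto FAILED`, and the verb block's success paths are outside it, so this is presumably already the case but should be confirmed. The moved initialization deserves a why-comment, since its position is the actual fix: `/* Must come after comment and verb handling: a comment skipped by 'continue' must leave the previous item's state intact so a following quantifier still applies to it. */`. Without that note, the next tidy-up could hoist these five assignments back to the top of the case.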
@@ -6613,17 +6631,6 @@ for (;; ptr++)
switch (*(++ptr))
{
- case CHAR_NUMBER_SIGN: /* Comment; skip to ket */
- ptr++;
- while (*ptr != CHAR_NULL && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
- if (*ptr == CHAR_NULL)
- {
- *errorcodeptr = ERR18;
- goto FAILED;
- }
- continue;
-
-
/* ------------------------------------------------------------ */
case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */
reset_bracount = TRUE;
diff --git a/testdata/testinput1 b/testdata/testinput1
index d475331..73c2f4d 100644
--- a/testdata/testinput1
+++ b/testdata/testinput1
@@ -5727,4 +5727,7 @@ AbcdCBefgBhiBqz
"Z*(|d*){216}"
+"(?1)(?#?'){8}(a)"
+ baaaaaaaaac
+
/-- End of testinput1 --/
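Review bot: The new test covers only the well-formed comment; the unterminated case the new code rejects with ERR18, e.g. `"(?1)(?#"`, is not exercised, so a regression in the NUL check would go unnoticed. If this file is reserved for patterns that compile, that case belongs in the error-case test file instead. A second positive case with the comment between a capturing group and its quantifier, such as `"(a)(?#x){2}"`, would also show the fix is not specific to subroutine calls.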
diff --git a/testdata/testoutput1 b/testdata/testoutput1
index 25368fc..0a53fd0 100644
--- a/testdata/testoutput1
+++ b/testdata/testoutput1
@@ -9424,4 +9424,9 @@ No match
"Z*(|d*){216}"
+"(?1)(?#?'){8}(a)"
+ baaaaaaaaac
+ 0: aaaaaaaaa
+ 1: a
+
/-- End of testinput1 --/