author | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2015-03-29 17:41:16 +0000 |
---|---|---|
committer | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2015-03-29 17:41:16 +0000 |
commit | 6ad109ad6c477ea3f0816dac273d0e5ef8253993 (patch) | |
tree | 82f8dfacb155fa6da6efe63e1f84780d7d20f87c | |
parent | f2f972a69aac98b34316d2e944d55f9ef2ca6712 (diff) | |
download | pcre-6ad109ad6c477ea3f0816dac273d0e5ef8253993.tar.gz |
Fix possessive quantifier after group containing subroutine call.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1540 2f5784b3-3f2a-0410-8824-cb99058d5e15
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | pcre_compile.c | 13 | ||||
-rw-r--r-- | testdata/testinput2 | 4 | ||||
-rw-r--r-- | testdata/testoutput2 | 42 |
4 files changed, 58 insertions, 6 deletions
@@ -137,6 +137,11 @@ Version 8.37 xx-xxx-2015 (?(?< for the ! or = that would indicate a lookbehind assertion. This bug was discovered by the LLVM fuzzer. +34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with + a fixed maximum following a group that contains a subroutine reference was + incorrectly compiled and could trigger buffer overflow. This bug was + discovered by the LLVM fuzzer. + Version 8.36 26-September-2014 ------------------------------ diff --git a/pcre_compile.c b/pcre_compile.c index 94e78db..b742805 100644 --- a/pcre_compile.c +++ b/pcre_compile.c @@ -5924,6 +5924,7 @@ for (;; ptr++) { register int i; int len = (int)(code - previous); + size_t base_hwm_offset = save_hwm_offset; pcre_uchar *bralink = NULL; pcre_uchar *brazeroptr = NULL; @@ -6070,20 +6071,20 @@ for (;; ptr++) while (cd->hwm > cd->start_workspace + cd->workspace_size - WORK_SIZE_SAFETY_MARGIN - - (this_hwm_offset - save_hwm_offset)) + (this_hwm_offset - base_hwm_offset)) { *errorcodeptr = expand_workspace(cd); if (*errorcodeptr != 0) goto FAILED; } - for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset; + for (hc = (pcre_uchar *)cd->start_workspace + base_hwm_offset; hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset; hc += LINK_SIZE) { PUT(cd->hwm, 0, GET(hc, 0) + len); cd->hwm += LINK_SIZE; } - save_hwm_offset = this_hwm_offset; + base_hwm_offset = this_hwm_offset; code += len; } } 
@@ -6151,20 +6152,20 @@ for (;; ptr++) while (cd->hwm > cd->start_workspace + cd->workspace_size - WORK_SIZE_SAFETY_MARGIN - - (this_hwm_offset - save_hwm_offset)) + (this_hwm_offset - base_hwm_offset)) { *errorcodeptr = expand_workspace(cd); if (*errorcodeptr != 0) goto FAILED; } - for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset; + for (hc = (pcre_uchar *)cd->start_workspace + base_hwm_offset; hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset; hc += LINK_SIZE) { PUT(cd->hwm, 0, GET(hc, 0) + len + ((i != 0)? 2+LINK_SIZE : 1)); cd->hwm += LINK_SIZE; } - save_hwm_offset = this_hwm_offset; + base_hwm_offset = this_hwm_offset; code += len; } diff --git a/testdata/testinput2 b/testdata/testinput2 index 0e29c7a..8ba0b7b 100644 --- a/testdata/testinput2 +++ b/testdata/testinput2 @@ -4138,4 +4138,8 @@ backtracking verbs. --/ "(?(?<E>.*!.*)?)" +"X((?2)()*+){2}+"BZ + +"X((?2)()*+){2}"BZ + /-- End of testinput2 --/ diff --git a/testdata/testoutput2 b/testdata/testoutput2 index f3b2dc4..5d93d4c 100644 --- a/testdata/testoutput2 +++ b/testdata/testoutput2 @@ -14348,4 +14348,46 @@ No match "(?(?<E>.*!.*)?)" Failed: assertion expected after (?( at offset 3 +"X((?2)()*+){2}+"BZ +------------------------------------------------------------------ + Bra + X + Once + CBra 1 + Recurse + Braposzero + SCBraPos 2 + KetRpos + Ket + CBra 1 + Recurse + Braposzero + SCBraPos 2 + KetRpos + Ket + Ket + Ket + End +------------------------------------------------------------------ + +"X((?2)()*+){2}"BZ +------------------------------------------------------------------ + Bra + X + CBra 1 + Recurse + Braposzero + SCBraPos 2 + KetRpos + Ket + CBra 1 + Recurse + Braposzero + SCBraPos 2 + KetRpos + Ket + Ket + End +------------------------------------------------------------------ + /-- End of testinput2 --/ |
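Review bot: The new `base_hwm_offset` declared in the 5924 hunk has no comment saying why it must be a separate cursor from `save_hwm_offset`, yet that separation is the whole fix the copy loops in the 6070 and 6151 hunks rely on. I would add above the declaration: `/* Private cursor for the per-repeat forward-reference copy; save_hwm_offset must keep marking where this group's references start, presumably for the possessive-quantifier handling later in this branch — confirm against that code. */`. The workspace-growth check plus copy loop is repeated almost verbatim in the 6070 and 6151 hunks with only the PUT adjustment differing, and since this commit had to edit both copies in lockstep, hoisting them into one static helper that takes the adjustment would stop the two from drifting apart again. The enclosing quantifier branch of the `for (;; ptr++)` loop begins before the 5924 hunk and ends after the 6151 hunk.
```c
/* Copy the forward references recorded between workspace offsets base and
   this_hwm_offset to the top of the workspace, adding adj to each; grows the
   workspace first if the copy would not fit. Returns 0 or an error code. */
static int
copy_forward_refs(compile_data *cd, size_t base, size_t this_hwm_offset, int adj)
{
pcre_uchar *hc;
while (cd->hwm > cd->start_workspace + cd->workspace_size -
       WORK_SIZE_SAFETY_MARGIN - (this_hwm_offset - base))
  {
  int rc = expand_workspace(cd);
  if (rc != 0) return rc;
  }
for (hc = (pcre_uchar *)cd->start_workspace + base;
     hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
     hc += LINK_SIZE)
  {
  PUT(cd->hwm, 0, GET(hc, 0) + adj);
  cd->hwm += LINK_SIZE;
  }
return 0;
}

/* … unchanged: quantifier branch up to the 6070 copy site … */
          *errorcodeptr = copy_forward_refs(cd, base_hwm_offset, this_hwm_offset, len);
          if (*errorcodeptr != 0) goto FAILED;
          base_hwm_offset = this_hwm_offset;
/* … unchanged: up to the 6151 copy site … */
          *errorcodeptr = copy_forward_refs(cd, base_hwm_offset, this_hwm_offset,
            len + ((i != 0)? 2+LINK_SIZE : 1));
          if (*errorcodeptr != 0) goto FAILED;
          base_hwm_offset = this_hwm_offset;
```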