author | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2016-02-27 17:55:24 +0000 |
---|---|---|
committer | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2016-02-27 17:55:24 +0000 |
commit | 0fc2edb79b3815c6511fd75c36a57893e4acaee6 (patch) | |
tree | 4618bcc4cb2912fe5b07c1ce14259d45b172ef2f | |
parent | b7537308b7c758f33c347cb0bec62754c43c271f (diff) | |
download | pcre-0fc2edb79b3815c6511fd75c36a57893e4acaee6.tar.gz |
Fix pcretest loop for global matching with an ovector size less than 2.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1637 2f5784b3-3f2a-0410-8824-cb99058d5e15
-rw-r--r-- | ChangeLog | 16 | ||||
-rw-r--r-- | pcretest.c | 6 |
2 files changed, 16 insertions, 6 deletions
@@ -53,13 +53,17 @@ Version 8.39 xx-xxxxxx-201x 13. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply nested set of parentheses of sufficient size caused an overflow of the compiling workspace (which was diagnosed, but of course is not desirable). - -14. And yet another buffer overflow bug involving duplicate named groups, this - time nested, with a nested back reference. Yet again, I have just allowed - for more memory, because anything more needs all the refactoring that has + +14. And yet another buffer overflow bug involving duplicate named groups, this + time nested, with a nested back reference. Yet again, I have just allowed + for more memory, because anything more needs all the refactoring that has been done for PCRE2. An example pattern that provoked this bug is: - /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was - registered as CVE-2016-1283. + /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was + registered as CVE-2016-1283. + +15. pcretest went into a loop if global matching was requested with an ovector + size less than 2. It now gives an error message. This bug was found by + afl-fuzz. Version 8.38 23-November-2015 @@ -5617,6 +5617,12 @@ while (!done) break; } + if (use_size_offsets < 2) + { + fprintf(outfile, "Cannot do global matching with an ovector size < 2\n"); + break; + } + /* If we have matched an empty string, first check to see if we are at the end of the subject. If so, the /g loop is over. Otherwise, mimic what Perl's /g options does. This turns out to be rather cunning. First we set |
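Review bot: in the ChangeLog hunk, the lines of entry 14 that are removed and then re-added are textually identical, so that part of the hunk is whitespace-only churn (trailing whitespace, most likely) that inflates the diff and distracts from the substantive addition, entry 15; keep such cleanups out of a functional fix or call them out in the commit message. Entry 15 itself is clear and matches the behaviour the pcretest.c change introduces (an error message instead of a loop).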
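Review bot: in the pcretest.c hunk, the guard `if (use_size_offsets < 2)` sits inside the /g loop body, immediately before the empty-match handling, so the ovector size is only validated after the loop has been entered; checking it once where the /g option and the ovector size are set up, before the first match, would reject the request up front and keep the loop body focused on the empty-string logic that follows. A short comment stating why 2 is the minimum (the loop needs both the start and end offsets of the previous match to advance) would also help the next reader, since the message text alone does not explain it.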