author | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2015-03-24 10:33:21 +0000 |
committer | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2015-03-24 10:33:21 +0000 |
commit | 0838dce0fce0c9fc927fd5509da3151004606052 (patch) | |
tree | 41a98b792689c886e32c1b7a76feb058a7fc0c3e | |
parent | e4f2068624710ea188ea06de00402a599e4154af (diff) | |
Fix bugs caused by (?!) as a condition (which is converted to OP_FAIL).
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1534 2f5784b3-3f2a-0410-8824-cb99058d5e15
-rw-r--r-- | ChangeLog | 14 | ||||
-rw-r--r-- | pcre_compile.c | 1 | ||||
-rw-r--r-- | pcre_dfa_exec.c | 5 | ||||
-rw-r--r-- | pcre_exec.c | 1 | ||||
-rw-r--r-- | testdata/testinput2 | 4 | ||||
-rw-r--r-- | testdata/testinput8 | 4 | ||||
-rw-r--r-- | testdata/testoutput2 | 6 | ||||
-rw-r--r-- | testdata/testoutput8 | 6 |
8 files changed, 37 insertions, 4 deletions
@@ -81,12 +81,14 @@ Version 8.37 xx-xxx-2015
 code to be compiled, leading to the error "internal error: previously-checked referenced subpattern not found" when an incorrect memory address was read. This bug was reported as "heap overflow",
- discovered by Kai Lu of Fortinet's FortiGuard Labs.
+ discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
+ CVE-2015-2325.
 23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine call within a group that also contained a recursive back reference caused incorrect code to be compiled. This bug was reported as "heap overflow",
- discovered by Kai Lu of Fortinet's FortiGuard Labs.
+ discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
+ number CVE-2015-2326.
 24. Computing the size of the JIT read-only data in advance has been a source of various issues, and new ones are still appear unfortunately. To fix
@@ -100,6 +102,14 @@ Version 8.37 xx-xxx-2015
 26. Fix JIT compilation of conditional blocks, which assertion is converted to (*FAIL). E.g: /(?(?!))/.
+
+27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
+ discovered by the LLVM fuzzer.
+
+28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
+ when this assertion was used as a condition, for example (?(?!)a|b). In
+ pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
+ error about an unsupported item.
 Version 8.36 26-September-2014
diff --git a/pcre_compile.c b/pcre_compile.c
index 15c550f..3ed17ef 100644
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -8553,6 +8553,7 @@ do {
 case OP_RREF:
 case OP_DNRREF:
 case OP_DEF:
+ case OP_FAIL:
 return FALSE;
 default: /* Assertion */
diff --git a/pcre_dfa_exec.c b/pcre_dfa_exec.c
index 87f4aef..170ce6a 100644
--- a/pcre_dfa_exec.c
+++ b/pcre_dfa_exec.c
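Review bot: The `default: /* Assertion */` branch of the pcre_compile.c switch still treats every opcode not in the list as an assertion and, if it walks the group's links as the ChangeLog entry for /(?(?!)^)/ suggests, reads past a one-unit opcode such as OP_FAIL; the commit closes this instance by adding OP_FAIL to the exception list, so the next condition opcode the compiler emits would re-open the same out-of-bounds read. It would be safer to invert the switch: make OP_ASSERT, OP_ASSERT_NOT, OP_ASSERTBACK and OP_ASSERTBACK_NOT the explicit cases that do the assertion walk and let `default: return FALSE;` be the conservative answer, with the comment `/* Anything that is not an assertion gives no start-position guarantee */`. The same "which condition opcodes are not assertions" classification is repeated by hand in the pcre_dfa_exec.c and pcre_exec.c hunks below; one shared predicate in the internal header (e.g. a COND_IS_ASSERTION(op) macro, constructed name) would stop the three sites drifting apart again. The enclosing function starts and ends outside this hunk, so the body of the default branch is not visible here.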
@@ -2736,9 +2736,10 @@ for (;;)
 condcode == OP_DNRREF) return PCRE_ERROR_DFA_UCOND;
- /* The DEFINE condition is always false */
+ /* The DEFINE condition is always false, and the assertion (?!) is
+ converted to OP_FAIL. */
- if (condcode == OP_DEF)
+ if (condcode == OP_DEF || condcode == OP_FAIL)
 { ADD_ACTIVE(state_offset + codelink + LINK_SIZE + 1, 0); }
 /* The only supported version of OP_RREF is for the value RREF_ANY,
diff --git a/pcre_exec.c b/pcre_exec.c
index 788cc76..13dfed5 100644
--- a/pcre_exec.c
+++ b/pcre_exec.c
@@ -1376,6 +1376,7 @@ for (;;)
 break;
 case OP_DEF: /* DEFINE - always false */
+ case OP_FAIL: /* From optimized (?!) condition */
 break;
 /* The condition is an assertion. Call match() to evaluate it - setting
diff --git a/testdata/testinput2 b/testdata/testinput2
index a629649..fb928e9 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4130,4 +4130,8 @@ backtracking verbs. --/
 /((?+1)(\1))/BZ
+/(?(?!)a|b)/
+ bbb
+ aaa
+
 /-- End of testinput2 --/
diff --git a/testdata/testinput8 b/testdata/testinput8
index 06334cd..931dd71 100644
--- a/testdata/testinput8
+++ b/testdata/testinput8
@@ -4837,4 +4837,8 @@
 '\A(?:[^\"]++|\"(?:[^\"]++|\"\")*+\")++'
 NON QUOTED \"QUOT\"\"ED\" AFTER \"NOT MATCHED
+/(?(?!)a|b)/
+ bbb
+ aaa
+
 /-- End of testinput8 --/
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index 85eebee..70634a2 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14337,4 +14337,10 @@ Matched, but too many substrings
 End
 ------------------------------------------------------------------
+/(?(?!)a|b)/
+ bbb
+ 0: b
+ aaa
+No match
+
 /-- End of testinput2 --/
diff --git a/testdata/testoutput8 b/testdata/testoutput8
index 95c4e4d..e4fa497 100644
--- a/testdata/testoutput8
+++ b/testdata/testoutput8
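Review bot: The new comment in the pcre_dfa_exec.c hunk explains where OP_FAIL comes from but not what the `if` does with it, and `ADD_ACTIVE(state_offset + codelink + LINK_SIZE + 1, 0)` is not self-explanatory; it presumably skips the whole "yes" alternative to the code following the OP_ALT at codelink, but a reader cannot tell that from the hunk. Suggest extending the comment to `/* The DEFINE condition is always false, and the assertion (?!) is converted to OP_FAIL, which is also always false: continue with the "no" branch only. */`. The surrounding `for (;;)` body starts and ends outside this hunk.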
@@ -7785,4 +7785,10 @@ Matched, but offsets vector is too small to show all matches
 NON QUOTED \"QUOT\"\"ED\" AFTER \"NOT MATCHED
 0: NON QUOTED "QUOT""ED" AFTER
+/(?(?!)a|b)/
+ bbb
+ 0: b
+ aaa
+No match
+
 /-- End of testinput8 --/