From 0fc2edb79b3815c6511fd75c36a57893e4acaee6 Mon Sep 17 00:00:00 2001 From: ph10 Date: Sat, 27 Feb 2016 17:55:24 +0000 Subject: Fix pcretest loop for global matching with an ovector size less than 2. git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1637 2f5784b3-3f2a-0410-8824-cb99058d5e15 --- ChangeLog | 16 ++++++++++------ pcretest.c | 6 ++++++ 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9e41ed2..2f9c5ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -53,13 +53,17 @@ Version 8.39 xx-xxxxxx-201x 13. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply nested set of parentheses of sufficient size caused an overflow of the compiling workspace (which was diagnosed, but of course is not desirable). - -14. And yet another buffer overflow bug involving duplicate named groups, this - time nested, with a nested back reference. Yet again, I have just allowed - for more memory, because anything more needs all the refactoring that has + +14. And yet another buffer overflow bug involving duplicate named groups, this + time nested, with a nested back reference. Yet again, I have just allowed + for more memory, because anything more needs all the refactoring that has been done for PCRE2. An example pattern that provoked this bug is: - /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was - registered as CVE-2016-1283. + /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was + registered as CVE-2016-1283. + +15. pcretest went into a loop if global matching was requested with an ovector + size less than 2. It now gives an error message. This bug was found by + afl-fuzz. Version 8.38 23-November-2015 diff --git a/pcretest.c b/pcretest.c index 63869fd..78ef517 100644 --- a/pcretest.c +++ b/pcretest.c 
@@ -5617,6 +5617,12 @@ while (!done) break; } + if (use_size_offsets < 2) + { + fprintf(outfile, "Cannot do global matching with an ovector size < 2\n"); + break; + } + /* If we have matched an empty string, first check to see if we are at the end of the subject. If so, the /g loop is over. Otherwise, mimic what Perl's /g options does. This turns out to be rather cunning. First we set -- cgit v1.2.1
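Review bot: In the pcretest.c hunk the new `if (use_size_offsets < 2)` guard sits inside the `while (!done)` global-matching loop, just before the empty-string handling, so it is only reached after a match has already been run and printed, and it is re-evaluated on every iteration. It would be cleaner to reject the combination once, where the /g or /G modifier is processed (before the first call to the matcher), so that no partial output precedes the error; the `break` here also only leaves the loop, so the caller still proceeds as if the /g run had completed normally. Since the ChangeLog says the loop was found by afl-fuzz, consider adding the triggering pattern and ovector setting to the testdata so the regression is covered; the diffstat shows only ChangeLog and pcretest.c changed.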
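Review bot: In the ChangeLog hunk, the four lines of item 14 (`14. And yet another buffer overflow bug ...` through `registered as CVE-2016-1283.`) are removed and re-added with no visible change in wording, which suggests a whitespace-only cleanup bundled with the functional entry for item 15. Keeping such cleanups in a separate commit, or mentioning them in the commit message, keeps the history of the CVE-2016-1283 entry readable for anyone auditing it later.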