authorph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>2020-06-29 15:35:49 +0000
committerph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>2020-06-29 15:35:49 +0000
commit4089a9d71445fbe48ce41dd5cb595dba88c18a26 (patch)
tree79853fb1119b2b1ef67e63b4052e461c255e68e8
parentf2b7cd8e64acbd7298eb0e315cdee043446e00f6 (diff)
downloadpcre2-4089a9d71445fbe48ce41dd5cb595dba88c18a26.tar.gz
Fix read overflow for invalid VERSION test with one fractional digit at the end
of a pattern. Fixes ClusterFuzz 23779. git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1266 6239d852-aaf2-0410-a92c-79f79f948069
-rw-r--r--ChangeLog4
-rw-r--r--src/pcre2_compile.c1
-rw-r--r--testdata/testinput22
-rw-r--r--testdata/testoutput23
4 files changed, 10 insertions, 0 deletions
diff --git a/ChangeLog b/ChangeLog
index 03522a1..bb16e20 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -44,6 +44,10 @@ platforms.)
debug Windows builds using CMake. This also updated configure so that it
generates *.pc files and pcre2-config with the same content, as in the past.
+8. If a pattern ended with (?(VERSION=n.d where n is any number but d is just a
+single digit, the code unit beyond d was being read (i.e. there was a read
+buffer overflow). Fixes ClusterFuzz 23779.
+
Version 10.35 09-May-2020
---------------------------
diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
index 136d583..e811f12 100644
--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
@@ -4331,6 +4331,7 @@ while (ptr < ptrend)
{
if (++ptr >= ptrend || !IS_DIGIT(*ptr)) goto BAD_VERSION_CONDITION;
minor = (*ptr++ - CHAR_0) * 10;
+ if (ptr >= ptrend) goto BAD_VERSION_CONDITION;
if (IS_DIGIT(*ptr)) minor += *ptr++ - CHAR_0;
if (ptr >= ptrend || *ptr != CHAR_RIGHT_PARENTHESIS)
goto BAD_VERSION_CONDITION;
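Review bot: The added `if (ptr >= ptrend) goto BAD_VERSION_CONDITION;` could fold into the digit test it protects, since the condition on the following line already rejects a pattern that ends here: `if (ptr < ptrend && IS_DIGIT(*ptr)) minor += *ptr++ - CHAR_0;` reaches BAD_VERSION_CONDITION by the same path for `(?(VERSION=0.0` and leaves one fewer branch to read. Whichever form is kept, a short comment such as `/* Optional second fractional digit; never peek past ptrend */` would record why a bounds check sits between the two reads of `*ptr`, which is the read overflow the commit closes. The enclosing `while (ptr < ptrend)` loop and the function body start and end outside the hunk, so whether the major-number digits above are parsed with the same end-of-pattern guard cannot be confirmed from here.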
diff --git a/testdata/testinput2 b/testdata/testinput2
index c816c5f..47320eb 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -5864,4 +5864,6 @@ a)"xI
/"(*MARK:>" 00 "<).(?C1)."/hex,mark,no_start_optimize
AB
+/(?(VERSION=0.0/
+
# End of testinput2
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index c90efef..c06363a 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -17621,6 +17621,9 @@ Latest Mark: >\x00<
0: AB
MK: >\x00<
+/(?(VERSION=0.0/
+Failed: error 179 at offset 14: syntax error or number too big in (?(VERSION condition
+
# End of testinput2
Error -70: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data