Fix an early fail optimization issue and a buffer overread in JIT.

git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1267 6239d852-aaf2-0410-a92c-79f79f948069
author: zherczeg <zherczeg@6239d852-aaf2-0410-a92c-79f79f948069> 2020-07-15 04:35:32 +0000
committer: zherczeg <zherczeg@6239d852-aaf2-0410-a92c-79f79f948069> 2020-07-15 04:35:32 +0000
commit: 938cca6343300495c67461c08f4732f098a7ce30 (patch)
tree: 1d5e76f26613659f329e53cdc94298be83317a0f
parent: 4089a9d71445fbe48ce41dd5cb595dba88c18a26 (diff)
download: pcre2-938cca6343300495c67461c08f4732f098a7ce30.tar.gz
3 files changed, 17 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index bb16e20..680d7f1 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -48,6 +48,10 @@ generates *.pc files and pcre2-config with the same content, as in the past.
 single digit, the code unit beyond d was being read (i.e. there was a read 
 buffer overflow). Fixes ClusterFuzz 23779.
 
+9. After the rework in r1235, certain character ranges were incorrectly
+handled by an optimization in JIT. Furthermore a wrong offset was used to
+read a value from a buffer which could lead to memory overread.
+
 
 Version 10.35 09-May-2020
 ---------------------------
diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
index 7c5d63b..2bd4275 100644
--- a/src/pcre2_jit_compile.c
+++ b/src/pcre2_jit_compile.c
@@ -1466,9 +1466,9 @@ do
         default:
         accelerated_start = NULL;
         fast_forward_allowed = FALSE;
-        break;
+        continue;
         }
-      continue;
+      break;
 
       case OP_ONCE:
       case OP_BRA:
@@ -1834,57 +1834,57 @@ while (cc < ccend)
     case OP_BRAZERO:
     case OP_BRAMINZERO:
     case OP_BRAPOSZERO:
-    repeat_check = FALSE;
     size = 1;
+    repeat_check = FALSE;
     break;
 
     CASE_ITERATOR_PRIVATE_DATA_1
-    space = 1;
     size = -2;
+    space = 1;
     break;
 
     CASE_ITERATOR_PRIVATE_DATA_2A
-    space = 2;
     size = -2;
+    space = 2;
     break;
 
     CASE_ITERATOR_PRIVATE_DATA_2B
-    space = 2;
     size = -(2 + IMM2_SIZE);
+    space = 2;
     break;
 
     CASE_ITERATOR_TYPE_PRIVATE_DATA_1
-    space = 1;
     size = 1;
+    space = 1;
     break;
 
     CASE_ITERATOR_TYPE_PRIVATE_DATA_2A
+    size = 1;
     if (cc[1] != OP_ANYNL && cc[1] != OP_EXTUNI)
       space = 2;
-    size = 1;
     break;
 
     case OP_TYPEUPTO:
+    size = 1 + IMM2_SIZE;
     if (cc[1 + IMM2_SIZE] != OP_ANYNL && cc[1 + IMM2_SIZE] != OP_EXTUNI)
       space = 2;
-    size = 1 + IMM2_SIZE;
     break;
 
     case OP_TYPEMINUPTO:
-    space = 2;
     size = 1 + IMM2_SIZE;
+    space = 2;
     break;
 
     case OP_CLASS:
     case OP_NCLASS:
-    space = get_class_iterator_size(cc + size);
     size = 1 + 32 / sizeof(PCRE2_UCHAR);
+    space = get_class_iterator_size(cc + size);
     break;
 
 #if defined SUPPORT_UNICODE || PCRE2_CODE_UNIT_WIDTH != 8
     case OP_XCLASS:
-    space = get_class_iterator_size(cc + size);
     size = GET(cc, 1);
+    space = get_class_iterator_size(cc + size);
     break;
 #endif
 
diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
index 16dade7..b7856ad 100644
--- a/src/pcre2_jit_test.c
+++ b/src/pcre2_jit_test.c
@@ -350,6 +350,7 @@ static struct regression_test_case regression_test_cases[] = {
 	{ MU, A, 0, 0, ".[ab]*.", "xx" },
 	{ MU, A, 0, 0, ".[ab]*a", "xxa" },
 	{ MU, A, 0, 0, ".[ab]?.", "xx" },
+	{ MU, A, 0, 0, "_[ab]+_*a", "_aa" },
 
 	/* Bracket repeats with limit. */
 	{ MU, A, 0, 0, "(?:(ab){2}){5}M", "abababababababababababM" },
author	zherczeg <zherczeg@6239d852-aaf2-0410-a92c-79f79f948069>	2020-07-15 04:35:32 +0000
committer	zherczeg <zherczeg@6239d852-aaf2-0410-a92c-79f79f948069>	2020-07-15 04:35:32 +0000
commit	938cca6343300495c67461c08f4732f098a7ce30 (patch)
tree	1d5e76f26613659f329e53cdc94298be83317a0f
parent	4089a9d71445fbe48ce41dd5cb595dba88c18a26 (diff)
download	pcre2-938cca6343300495c67461c08f4732f098a7ce30.tar.gz