diff options
| author | ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069> | 2015-07-21 14:03:08 +0000 |
|---|---|---|
| committer | ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069> | 2015-07-21 14:03:08 +0000 |
| commit | b856dacb4cfdaaed871c23bdfb4896a96510cfd3 (patch) | |
| tree | f275d6679383577a227d5ad162ecaf45426a35fb | |
| parent | 4daa8bb70550462197e684cff14350b14dc8bef6 (diff) | |
| download | pcre2-b856dacb4cfdaaed871c23bdfb4896a96510cfd3.tar.gz | |
Fix not diagnosis of missing ) for callout with string argument.
git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@321 6239d852-aaf2-0410-a92c-79f79f948069
| -rw-r--r-- | ChangeLog | 3 | ||||
| -rw-r--r-- | src/pcre2_compile.c | 65 | ||||
| -rw-r--r-- | testdata/testinput5 | 2 | ||||
| -rw-r--r-- | testdata/testoutput5 | 3 |
4 files changed, 43 insertions, 30 deletions
@@ -62,6 +62,9 @@ first of these bugs was discovered by Karl Skomski with the LLVM fuzzer. pcre2_compile() to run for a very long time. This bug was found by the LLVM fuzzer. +17. A missing closing parenthesis for a callout with a string argument was not +being diagnosed, possibly leading to a buffer overflow. This bug was found by +the LLVM fuzzer. Version 10.20 30-June-2015 diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c index b9f7e7f..940f693 100644 --- a/src/pcre2_compile.c +++ b/src/pcre2_compile.c @@ -3277,46 +3277,51 @@ for (; ptr < cb->end_pattern; ptr++) if (IS_DIGIT(ptr[1])) { while (IS_DIGIT(ptr[1])) ptr++; - if (ptr[1] != CHAR_RIGHT_PARENTHESIS) - { - errorcode = ERR39; - ptr++; - goto FAILED; - } - break; } /* Handle a string argument */ - ptr++; - delimiter = 0; - for (i = 0; PRIV(callout_start_delims)[i] != 0; i++) - { - if (*ptr == PRIV(callout_start_delims)[i]) + else + { + ptr++; + delimiter = 0; + for (i = 0; PRIV(callout_start_delims)[i] != 0; i++) { - delimiter = PRIV(callout_end_delims)[i]; - break; + if (*ptr == PRIV(callout_start_delims)[i]) + { + delimiter = PRIV(callout_end_delims)[i]; + break; + } } - } - - if (delimiter == 0) - { - errorcode = ERR82; - goto FAILED; - } - - start = ptr; - do - { - if (++ptr >= cb->end_pattern) + + if (delimiter == 0) { - errorcode = ERR81; - ptr = start; /* To give a more useful message */ + errorcode = ERR82; goto FAILED; } - if (ptr[0] == delimiter && ptr[1] == delimiter) ptr += 2; + + start = ptr; + do + { + if (++ptr >= cb->end_pattern) + { + errorcode = ERR81; + ptr = start; /* To give a more useful message */ + goto FAILED; + } + if (ptr[0] == delimiter && ptr[1] == delimiter) ptr += 2; + } + while (ptr[0] != delimiter); + } + + /* Check terminating ) */ + + if (ptr[1] != CHAR_RIGHT_PARENTHESIS) + { + errorcode = ERR39; + ptr++; + goto FAILED; } - while (ptr[0] != delimiter); break; case CHAR_LEFT_PARENTHESIS: diff --git a/testdata/testinput5 b/testdata/testinput5 index 7e2ba45..47afd25 100644 --- a/testdata/testinput5 +++ b/testdata/testinput5 @@ -1651,4 +1651,6 @@ /$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?'X'8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?'X'))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/ +"(*UTF)(*UCP)(.UTF).+X(\V+;\^(\D|)!999}(?(?C{7(?C')\H*\S*/^\x5\xa\\xd3\x85n?(;\D*(?m).[^mH+((*UCP)(*U:F)})(?!^)(?'" + # End of testinput5 diff --git a/testdata/testoutput5 b/testdata/testoutput5 index a99c12b..641c563 100644 --- a/testdata/testoutput5 +++ b/testdata/testoutput5 @@ -4050,4 +4050,7 @@ Failed: error 122 at offset 1227: unmatched closing parenthesis /$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?'X'8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?'X'))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/ +"(*UTF)(*UCP)(.UTF).+X(\V+;\^(\D|)!999}(?(?C{7(?C')\H*\S*/^\x5\xa\\xd3\x85n?(;\D*(?m).[^mH+((*UCP)(*U:F)})(?!^)(?'" +Failed: error 139 at offset 113: closing parenthesis for (?C expected + # End of testinput5 |