Revision: 361
http://vcs.pcre.org/viewvc?view=rev&revision=361
Author: ph10
Date: 2008-07-10 17:03:28 +0100 (Thu, 10 Jul 2008)
Log Message:
-----------
Fix off-end-of-buffer bug for patterns that match only at start of line.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_dfa_exec.c
code/trunk/pcre_exec.c
code/trunk/pcretest.c
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2008-07-09 20:00:28 UTC (rev 360)
+++ code/trunk/ChangeLog 2008-07-10 16:03:28 UTC (rev 361)
@@ -49,6 +49,12 @@
printf "/(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]/8\n" | pcretest
This potential security problem was recorded as CVE-2008-2371.
+
+12. For a pattern where the match had to start at the beginning or immediately
+ after a newline (e.g /.*anything/ without the DOTALL flag), pcre_exec() and
+ pcre_dfa_exec() could read past the end of the passed subject if there was
+ no match. To help with detecting such bugs (e.g. with valgrind), I modified
+ pcretest so that it places the subject at the end of its malloc-ed buffer.
Version 7.7 07-May-08
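Review bot: the entry describes the read-past-end condition and the pcretest buffer relocation but points to no regression test, and the modified paths list no testdata file; add a no-match case for a pattern of the /.*anything/ form (without DOTALL) on a subject whose last line ends without a newline, so the fix is exercised by the test suite and the new end-of-buffer placement lets valgrind flag any regression. The wording "e.g /.*anything/" is also missing the period after "e.g".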
Modified: code/trunk/pcre_dfa_exec.c
===================================================================
--- code/trunk/pcre_dfa_exec.c 2008-07-09 20:00:28 UTC (rev 360)
+++ code/trunk/pcre_dfa_exec.c 2008-07-10 16:03:28 UTC (rev 361)
@@ -2755,7 +2755,7 @@
{
if (current_subject > md->start_subject + start_offset)
{
- while (current_subject <= end_subject && !WAS_NEWLINE(current_subject))
+ while (current_subject < end_subject && !WAS_NEWLINE(current_subject))
current_subject++;
/* If we have just passed a CR and the newline option is ANY or
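Review bot: changing `<=` to a strict `<` is the right fix, since WAS_NEWLINE(current_subject) dereferences its argument and end_subject points one past the last subject byte, so the old bound evaluated the macro on a byte outside the subject whenever no newline was found. The comment that follows ("If we have just passed a CR and the newline option is ANY or ...") indicates a further look at the byte at current_subject; confirm that that look carries its own `current_subject < end_subject` guard, because on the no-newline path the loop now exits with current_subject == end_subject.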
Modified: code/trunk/pcre_exec.c
===================================================================
--- code/trunk/pcre_exec.c 2008-07-09 20:00:28 UTC (rev 360)
+++ code/trunk/pcre_exec.c 2008-07-10 16:03:28 UTC (rev 361)
@@ -4719,9 +4719,9 @@
{
if (start_match > md->start_subject + start_offset)
{
- while (start_match <= end_subject && !WAS_NEWLINE(start_match))
+ while (start_match < end_subject && !WAS_NEWLINE(start_match))
{ NEXTCHAR(start_match); }
-
+
/* If we have just passed a CR and the newline option is ANY or ANYCRLF,
and we are now at a LF, advance the match position by one more character.
*/
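Review bot: same fix as in pcre_dfa_exec.c and correct for the same reason; one wrinkle is that NEXTCHAR(start_match) can advance by more than one byte in UTF-8 mode, so the loop condition should stay a strict less-than and never be tightened to an equality test against end_subject. The `-`/`+` pair at the end of the hunk is a whitespace-only change on a blank line; it belongs in a separate cleanup commit so that the bug fix itself backports cleanly.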
@@ -4818,7 +4818,7 @@
}
/* OK, we can now run the match. */
-
+
md->start_match_ptr = start_match;
md->match_call_count = 0;
rc = match(start_match, md->start_code, start_match, 2, md, ims, NULL, 0, 0);
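Review bot: this hunk changes only trailing whitespace on the blank line before `md->start_match_ptr = start_match;` and is unrelated to the off-by-one fix named in the log message; either drop it or move it to a separate whitespace commit so the functional change in this revision stays minimal and easy to review and backport.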
Modified: code/trunk/pcretest.c
===================================================================
--- code/trunk/pcretest.c 2008-07-09 20:00:28 UTC (rev 360)
+++ code/trunk/pcretest.c 2008-07-10 16:03:28 UTC (rev 361)
@@ -2027,6 +2027,12 @@
}
*q = 0;
len = q - dbuffer;
+
+ /* Move the data to the end of the buffer so that a read over the end of
+ the buffer will be seen by valgrind, even if it doesn't cause a crash. */
+
+ memmove(bptr + buffer_size - len, bptr, len);
+ bptr += buffer_size - len;
if ((all_use_dfa || use_dfa) && find_match_limit)
{
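Review bot: the terminating zero written by `*q = 0` is not carried along: `len = q - dbuffer` excludes it and only len bytes are moved, so after `bptr += buffer_size - len` the subject occupies the last len bytes of the allocation with no NUL inside it. That is fine for pcre_exec() and pcre_dfa_exec(), which take an explicit length, but any later path that treats bptr as a C string (pcretest's POSIX regexec mode, or printing the subject) would now read one byte past the allocation, and valgrind would report that as if it were a library bug. When a terminated string is needed, move `len + 1` bytes to `bptr + buffer_size - len - 1` and adjust bptr by the same amount. Separately, len is measured from dbuffer while the move starts at bptr; that is only right if bptr still equals dbuffer here, so compute len from the same base (`len = q - bptr`) to keep the two consistent.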