[pcre-dev] [Bug 757] New: pcre_exec() off-by-1 bug

Author: Hossein Arefi
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 757] New: pcre_exec() off-by-1 bug

http://bugs.exim.org/show_bug.cgi?id=757
           Summary: pcre_exec() off-by-1 bug
           Product: PCRE
           Version: N/A
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: bug
          Priority: high
         Component: Code
        AssignedTo: ph10@???
        ReportedBy: hossein.arefi@???
                CC: pcre-dev@???
Version 7.7

Valgrind complained about an error of reading 1 byte beyond end of a buffer in
pcre_exec.c line #4721.

Turned out that the SUPPORT_UTF8 version of the NEXTCHAR macro in
pcre_internal.h will look beyond the end of the subject string while trying to
find the start of the next utf8 character sequence.

Adding a check, as below, fixes the problem:

366c366
< #define NEXTCHAR(p) p++;
---
> #define NEXTCHAR(p, end) p++;
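Review bot: the new `end` parameter is unused in this non-UTF-8 definition; that is fine for keeping call sites uniform across both builds, but a one-line comment on this definition (for example `/* end is unused without SUPPORT_UTF8 */`) would make it clear the parameter is deliberately ignored rather than forgotten.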

379c379
< #define NEXTCHAR(p) \
---
> #define NEXTCHAR(p, end) \

381c381
< if (utf8) { while((*p & 0xc0) == 0x80) p++; }
---
> if (utf8) { while((p < end) && ((*p & 0xc0) == 0x80)) p++; }
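Review bot: the `p < end` check is the right fix, but both macro arguments are used unparenthesized in the expansion; `((p) < (end))` would keep the comparison correct if a caller ever passes an expression rather than a plain pointer for `end`. Note also that this guard only covers the continuation-byte loop: the per-byte advance that precedes it inside the macro (not part of this hunk) is still unconditional, so the macro still assumes every caller invokes it with `p` strictly below `end`.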
And corresponding macro calls changed in pcre_exec.c:

4686c4686
<         { NEXTCHAR(start_match); }
---

>         { NEXTCHAR(start_match, end_subject); }
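Review bot: changing the macro's arity doubles as a compile-time check, since any remaining one-argument `NEXTCHAR(...)` in a file that includes pcre_internal.h will fail to build rather than silently keep the unbounded scan; please confirm the build is clean so the four call sites listed here are known to be the only ones, and that `end_subject` is the same limit the surrounding loop already compares `start_match` against.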

4689c4689
<         { NEXTCHAR(start_match); }
---

>         { NEXTCHAR(start_match, end_subject); }

4699c4699
<         { NEXTCHAR(start_match); }
---

>         { NEXTCHAR(start_match, end_subject); }

4721c4721
<         { NEXTCHAR(start_match); }
---

>         { NEXTCHAR(start_match, end_subject); }
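Review bot: this is the site Valgrind flagged in the report, so a regression test that drives pcre_exec in UTF-8 mode under Valgrind with a subject whose match attempts run all the way to the end would catch any reintroduction; the old macro dereferences `*p` immediately after `p++` lands on `end_subject`, which is exactly the 1-byte read the report describes.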

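To make the over-read concrete, the following is an added example and not code from the bug report or from PCRE itself. It models the SUPPORT_UTF8 NEXTCHAR step as a plain function (`next_char`, a constructed name) with a `bounded` switch that selects the original behaviour or the proposed `p < end` check, and counts every dereference at or beyond `end`. The memory images `after_noncont` and `after_cont` are constructed: the 4-byte subject "a" plus a complete 3-byte sequence, followed by bytes that stand in for whatever happens to sit after the subject in a real allocation, kept inside the same array so the demo never performs a genuine out-of-bounds access.

```c
#include <stddef.h>
#include <stdio.h>

/*
 * Model of the SUPPORT_UTF8 NEXTCHAR step from pcre_internal.h (constructed
 * for illustration; not the PCRE macro itself).
 * bounded == 0 reproduces the original: advance one byte, then skip every
 * UTF-8 continuation byte (10xxxxxx) without ever looking at `end`.
 * bounded != 0 reproduces the proposed fix: test p < end before each read.
 * reads_past_end counts dereferences at or beyond `end`, so the caller can
 * observe the over-read without needing Valgrind.
 */
static const unsigned char *next_char(const unsigned char *p,
                                      const unsigned char *end,
                                      int bounded, size_t *reads_past_end)
{
    *reads_past_end = 0;
    p++;                                    /* step off the current byte */
    for (;;) {
        if (bounded && p >= end) break;     /* the fix: never touch *end */
        if (p >= end) (*reads_past_end)++;  /* original: this read is out of bounds */
        if ((*p & 0xc0) != 0x80) break;     /* not a continuation byte: done */
        p++;
    }
    return p;
}

/*
 * Constructed memory images. The subject is the first SUBJECT_LEN bytes:
 * 'a' followed by the complete 3-byte sequence E2 82 AC. Bytes after that
 * stand for whatever follows the subject in the real allocation.
 */
static const unsigned char after_noncont[] = { 'a', 0xE2, 0x82, 0xAC, 'x' };
static const unsigned char after_cont[]    = { 'a', 0xE2, 0x82, 0xAC, 0x80, 0x80, 'x' };
#define SUBJECT_LEN 4

/* Original macro, trailing memory is a non-continuation byte: exactly the
   single out-of-bounds read the report describes. Returns that read count. */
static size_t overread_original_noncont(void)
{
    size_t n;
    next_char(after_noncont + 1, after_noncont + SUBJECT_LEN, 0, &n);
    return n;
}

/* Original macro, trailing memory happens to hold continuation bytes: the scan
   keeps walking. Returns how many bytes past end the pointer lands. */
static ptrdiff_t overrun_original_cont(void)
{
    size_t n;
    const unsigned char *p = next_char(after_cont + 1, after_cont + SUBJECT_LEN, 0, &n);
    return p - (after_cont + SUBJECT_LEN);
}

/* Fixed macro on both images: no out-of-bounds reads and the pointer stops
   exactly at end. Returns 1 on success, 0 otherwise. */
static int fixed_stops_at_end(void)
{
    size_t n1, n2;
    const unsigned char *p1 = next_char(after_noncont + 1, after_noncont + SUBJECT_LEN, 1, &n1);
    const unsigned char *p2 = next_char(after_cont + 1, after_cont + SUBJECT_LEN, 1, &n2);
    return n1 == 0 && n2 == 0
        && p1 == after_noncont + SUBJECT_LEN
        && p2 == after_cont + SUBJECT_LEN;
}

int main(void)
{
    printf("original, non-continuation byte after end: %zu out-of-bounds read(s)\n",
           overread_original_noncont());
    printf("original, continuation bytes after end: pointer %td byte(s) past end\n",
           overrun_original_cont());
    printf("fixed: %s\n",
           fixed_stops_at_end() ? "stops at end, no out-of-bounds reads" : "FAIL");
    return 0;
}
```

The second image shows why the defect is worse than a fixed one-byte read: the original loop continues for as long as the bytes that follow the subject look like continuation bytes, so how far it walks depends on unrelated heap contents. The bounded variant returns `end` in both cases, which is what the `p < end` check in the proposed macro achieves.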