[Pcre-svn] [760] code/trunk: Test for workspace overflow wit…

Autor: Subversion repository
Datum:  
To: pcre-svn
Betreff: [Pcre-svn] [760] code/trunk: Test for workspace overflow with forward reference data.
Revision: 760
          http://vcs.pcre.org/viewvc?view=rev&revision=760
Author:   ph10
Date:     2011-11-22 11:23:43 +0000 (Tue, 22 Nov 2011)


Log Message:
-----------
Test for workspace overflow with forward reference data.

Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_compile.c
    code/trunk/pcre_internal.h
    code/trunk/pcreposix.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2011-11-21 18:57:34 UTC (rev 759)
+++ code/trunk/ChangeLog    2011-11-22 11:23:43 UTC (rev 760)
@@ -54,6 +54,10 @@


 14. Perl does not support \N without a following name in a [] class; PCRE now
     also gives an error.
+    
+15. If a forward reference was repeated with an upper limit of around 2000,
+    it caused the error "internal error: overran compiling workspace". This
+    is now checked, and causes "too many forward references" instead.  



Version 8.20 21-Oct-2011

Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c    2011-11-21 18:57:34 UTC (rev 759)
+++ code/trunk/pcre_compile.c    2011-11-22 11:23:43 UTC (rev 760)
@@ -413,6 +413,7 @@
   /* 70 */
   "internal error: unknown opcode in find_fixedlength()\0"
   "\\N is not supported in a class\0" 
+  "too many forward references\0" 
   ;


 /* Table to identify digits and hex digits. This is used when compiling
@@ -4895,6 +4896,11 @@
               memcpy(code, previous, len);
               for (hc = save_hwm; hc < this_hwm; hc += LINK_SIZE)
                 {
+                if (cd->hwm >= cd->start_workspace + WORK_SIZE_CHECK)
+                  {
+                  *errorcodeptr = ERR72;
+                  goto FAILED;  
+                  }   
                 PUT(cd->hwm, 0, GET(hc, 0) + len);
                 cd->hwm += LINK_SIZE;
                 }
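Review bot: The added guard `if (cd->hwm >= cd->start_workspace + WORK_SIZE_CHECK)` is only sufficient if WORK_SIZE_CHECK leaves at least LINK_SIZE bytes of headroom below the real end of the workspace, because the `PUT(cd->hwm, 0, ...)` that follows writes a link-sized value at cd->hwm. Neither definition is visible in this diff, so that margin should be confirmed for the largest configurable LINK_SIZE and recorded next to the check, e.g. `/* WORK_SIZE_CHECK must leave room for one LINK_SIZE entry at cd->hwm */`. The same five-line check is repeated verbatim in the hunks at -4962 and -5977; folding it into one helper macro would keep the three bounds tests from drifting apart. The added lines also carry trailing whitespace after `goto FAILED;` and after the closing brace. The enclosing function starts and ends outside the hunk.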
@@ -4922,7 +4928,7 @@
         add 2 + 2*LINKSIZE to allow for the nesting that occurs. Do some
         paranoid checks to avoid integer overflow. The INT64_OR_DOUBLE type is
         a 64-bit integer type when available, otherwise double. */
-
+        
         if (lengthptr != NULL && repeat_max > 0)
           {
           int delta = repeat_max * (length_prevgroup + 1 + 2 + 2*LINK_SIZE) -
@@ -4962,6 +4968,11 @@
           memcpy(code, previous, len);
           for (hc = save_hwm; hc < this_hwm; hc += LINK_SIZE)
             {
+            if (cd->hwm >= cd->start_workspace + WORK_SIZE_CHECK)
+              {
+              *errorcodeptr = ERR72;
+              goto FAILED;  
+              }   
             PUT(cd->hwm, 0, GET(hc, 0) + len + ((i != 0)? 2+LINK_SIZE : 1));
             cd->hwm += LINK_SIZE;
             }
@@ -5977,8 +5988,13 @@
               /* Fudge the value of "called" so that when it is inserted as an
               offset below, what it actually inserted is the reference number
               of the group. Then remember the forward reference. */
-
+              
               called = cd->start_code + recno;
+              if (cd->hwm >= cd->start_workspace + WORK_SIZE_CHECK)
+                {
+                *errorcodeptr = ERR72;
+                goto FAILED;  
+                }   
               PUTINC(cd->hwm, 0, (int)(code + 1 - cd->start_code));
               }



Modified: code/trunk/pcre_internal.h
===================================================================
--- code/trunk/pcre_internal.h    2011-11-21 18:57:34 UTC (rev 759)
+++ code/trunk/pcre_internal.h    2011-11-22 11:23:43 UTC (rev 760)
@@ -1665,7 +1665,7 @@
        ERR40, ERR41, ERR42, ERR43, ERR44, ERR45, ERR46, ERR47, ERR48, ERR49,
        ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
        ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
-       ERR70, ERR71, ERRCOUNT };
+       ERR70, ERR71, ERR72, ERRCOUNT };


/* The real format of the start of the pcre block; the index of names and the
code vector run on as long as necessary after the end. We store an explicit

Modified: code/trunk/pcreposix.c
===================================================================
--- code/trunk/pcreposix.c    2011-11-21 18:57:34 UTC (rev 759)
+++ code/trunk/pcreposix.c    2011-11-22 11:23:43 UTC (rev 760)
@@ -156,6 +156,7 @@
   /* 70 */
   REG_BADPAT,  /* internal error: unknown opcode in find_fixedlength() */ 
   REG_BADPAT,  /* \N is not supported in a class */ 
+  REG_BADPAT,  /* too many forward references */ 
 };


/* Table of texts corresponding to POSIX error codes */
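Review bot: Nothing visible enforces that this mapping table stays the same length as the error enum in pcre_internal.h (now ending `ERR72, ERRCOUNT`) and the message list in pcre_compile.c. A future error code added without a matching entry here would index past the end of the array, unless the lookup (not shown in this hunk) is bounds-checked. Assuming the enum starts at zero with one table entry per code, a compile-time size check beside the table would catch the mismatch, for example `typedef char posix_errmap_size_check[(sizeof(TABLE)/sizeof(TABLE[0]) == ERRCOUNT) ? 1 : -1];`, where TABLE is a placeholder for this array's name. The array's declaration starts above the hunk.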

Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2011-11-21 18:57:34 UTC (rev 759)
+++ code/trunk/testdata/testinput2    2011-11-22 11:23:43 UTC (rev 760)
@@ -4014,4 +4014,8 @@


/a[B-\Nc]/

+/(a)(?2){0,1999}?(b)/
+
+/(a)(?(DEFINE)(b))(?2){0,1999}?(?2)/
+
/-- End of testinput2 --/
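Review bot: The third check added in pcre_compile.c, the one just before `PUTINC(cd->hwm, ...)` where a single forward reference is recorded, does not appear to be exercised at the limit by either new pattern. The first pattern reaches the limit by repeating `(?2)` with `{0,1999}`, which goes through the two copy loops, and the second has no expected failure in testoutput2, apparently because group 2 is already defined when `(?2)` is compiled. A further case with a large number of separate, unrepeated forward references would cover the remaining path and confirm that it also reports "too many forward references" rather than the internal workspace overrun error.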

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2011-11-21 18:57:34 UTC (rev 759)
+++ code/trunk/testdata/testoutput2    2011-11-22 11:23:43 UTC (rev 760)
@@ -12600,4 +12600,9 @@
 /a[B-\Nc]/ 
 Failed: \N is not supported in a class at offset 5


+/(a)(?2){0,1999}?(b)/
+Failed: too many forward references at offset 15
+
+/(a)(?(DEFINE)(b))(?2){0,1999}?(?2)/
+
/-- End of testinput2 --/