On Wed, 4 Jan 2012, Christos Chatzaras wrote:
> --- Comment #14 from Christos Chatzaras <chris@???> 2012-01-04 02:33:04 ---
> Please read the last post at
> https://www.vbulletin.com/forum/showthread.php/393530-VBulletin-4-1-0-and-PCRE-8-21-bug
We believe that we have identified the problem, and that it is fixed by
this patch:
--- code/trunk/pcre_compile.c 2011/12/07 16:52:34 793
+++ code/trunk/pcre_compile.c 2011/12/18 10:03:38 807
@@ -1655,7 +1655,8 @@
case OP_ASSERTBACK:
case OP_ASSERTBACK_NOT:
do cc += GET(cc, 1); while (*cc == OP_ALT);
- /* Fall through */
+ cc += _pcre_OP_lengths[*cc];
+ break;
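Review bot: The hunk header `@@ -1655,7 +1655,8 @@` promises seven old and eight new lines, but only six are shown, so the trailing context, i.e. the case that the removed `/* Fall through */` previously led into, is missing and the behavioural change cannot be checked from the patch alone; please post the complete hunk. From what is visible, the `do cc += GET(cc, 1); while (*cc == OP_ALT);` loop leaves `cc` on the opcode that closes the lookbehind, and the new `cc += _pcre_OP_lengths[*cc]; break;` steps over it instead of continuing into the next case, so a regression test built from the failing pattern of the earlier report should accompany the change, since the ChangeLog wording "quite long subpatterns" is not specific enough to reproduce the uninitialized-memory read the message describes.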
This patch was already applied to the PCRE trunk (after 8.21) to fix a
different report of the same bug. A failing pattern was provided in that
report, so it was easy to figure out what was going on. This is the
ChangeLog entry:
2. Fixed a bug in fixed-length calculation for lookbehinds that would
show up only in quite long subpatterns.
The patterns in that PHP function were presumably long enough to trigger
the bug.
I have only been able to post this message because of a great amount of
investigative work that was done by a PCRE user who has been
communicating with me privately. (I must ask if it's ok to acknowledge
his/her identity here.) This user did the hard work of constructing a
full pattern from the PHP function and ran a lot of tests on it. Because
the bug could cause a reference to uninitialized memory, the results
could be random. With the above patch, no errors have arisen in a large
number of tests.
Philip
--
Philip Hazel