Re: [pcre-dev] [Bug 1187] Pcre 8.21 issue with Vbulletin

Author: Philip Hazel
Date:  
To: 1187
CC: pcre-dev
Subject: Re: [pcre-dev] [Bug 1187] Pcre 8.21 issue with Vbulletin
On Wed, 4 Jan 2012, Christos Chatzaras wrote:

> --- Comment #14 from Christos Chatzaras <chris@???> 2012-01-04 02:33:04 ---
> Please read the last post at
> https://www.vbulletin.com/forum/showthread.php/393530-VBulletin-4-1-0-and-PCRE-8-21-bug


We believe that we have identified the problem, and that it is fixed by
this patch:

--- code/trunk/pcre_compile.c   2011/12/07 16:52:34     793
+++ code/trunk/pcre_compile.c   2011/12/18 10:03:38     807
@@ -1655,7 +1655,8 @@
     case OP_ASSERTBACK:
     case OP_ASSERTBACK_NOT:
     do cc += GET(cc, 1); while (*cc == OP_ALT);
-    /* Fall through */
+    cc += _pcre_OP_lengths[*cc];
+    break;
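Review bot: the new `cc += _pcre_OP_lengths[*cc];` deserves a comment saying which opcode it steps over, because after the `do cc += GET(cc, 1); while (*cc == OP_ALT);` loop `cc` sits on the opcode that closes the last alternative, and the deleted `/* Fall through */` was the only hint about what happened to `cc` next. The case label that the fall-through previously reached lies outside this hunk, so a later reader cannot see what it did with `cc`; something like `/* Skip over the closing opcode of the lookbehind */` above the added line would record the intent. Since this path now ends in `break` rather than falling through, it is also worth confirming that any neighbouring case that shared that fall-through still advances past its own closing opcode; the hunk shows only the OP_ASSERTBACK and OP_ASSERTBACK_NOT labels and no trailing context.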


This patch was already applied to the PCRE trunk (after 8.21) to fix a
different report of the same bug. A failing pattern was provided in that
report, so it was easy to figure out what was going on. This is the
ChangeLog entry:

2.  Fixed a bug in fixed-length calculation for lookbehinds that would
    show up only in quite long subpatterns.


The patterns in that PHP function were presumably long enough to trigger
the bug.

I have only been able to post this message because of a great amount of
investigative work that was done by a PCRE user who has been
communicating with me privately. (I must ask if it's ok to acknowledge
his/her identity here.) This user did the hard work of constructing a
full pattern from the PHP function and ran a lot of tests on it. Because
the bug could cause a reference to uninitialized memory, the results
could be random. With the above patch, no errors have arisen in a large
number of tests.

Philip

--
Philip Hazel