On 13.05.2013 18:20, Zoltán Herczeg wrote:
> yes, it helps a bit, since now the length is 69 on my side as well.
> However, I still cannot see the buffer overflow, since the offset is
> 64. The value (OP_KET) is also correct.
>
> Could you print the re after the "re = (REAL_PCRE
> *)(PUBL(malloc))(size);" and common->start and GET(common->start, 1)
> as well? If the offset is really incorrect, probably common->start-re
> will not be equal to 56.
The problem is most likely caused by a compiler / linker error. It picks
the wrong function if the 8, 16, and 32 bit versions are all compiled
into the same executable. Because fast_forward_first_n_chars() is
declared without the PREV(...) macro wrapper, there are three identical
functions.
I believed that the "static" specifier should help the compiler / linker
to calculate the correct jumps, but the disassembler shows that it does
not.
The problem can be solved easily by wrapping the function name and calls
with PREV(...), as done in other places:
There are other static function declarations in pcre_jit_compile.c. I
have not explicitly tested those, so I cannot say if they are
potentially problematic. It certainly does no harm to wrap all those
functions; only the code becomes slightly less legible.
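An added, constructed illustration of the naming scheme a PREV(...)-style wrapper provides (this is not PCRE's own code; the helper name, the PREV/PASTE macros and the CUR_WIDTH symbol are hypothetical stand-ins): one helper body is instantiated once per character width, and token pasting gives each copy its own symbol, so a call resolves to the variant for the width being compiled rather than to three same-named static functions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Token-pasting helpers; the extra level lets CUR_WIDTH expand first. */
#define PASTE2(a, b) a##b
#define PASTE(a, b) PASTE2(a, b)
/* Hypothetical stand-in for PCRE's PREV(): append the width suffix. */
#define PREV(name) PASTE(PASTE(name, _), CUR_WIDTH)

/* One helper body, instantiated per character width the way PCRE builds
   its JIT for 8/16/32-bit strings. With the suffix each copy is a separate
   symbol; without it all three would carry the same static name. */
#define DEFINE_COUNT_LEADING_SPACES(W, CHARTYPE)                              \
static size_t PASTE(count_leading_spaces_, W)(const CHARTYPE *s, size_t n)   \
{                                                                             \
    size_t i = 0;                                                             \
    while (i < n && s[i] == (CHARTYPE)' ')                                    \
        i++;                                                                  \
    return i;                                                                 \
}
DEFINE_COUNT_LEADING_SPACES(8,  uint8_t)
DEFINE_COUNT_LEADING_SPACES(16, uint16_t)
DEFINE_COUNT_LEADING_SPACES(32, uint32_t)

/* Each width's entry point calls PREV(helper); the preprocessor turns that
   into the suffixed name matching the CUR_WIDTH in effect at that point. */
#define CUR_WIDTH 8
size_t leading_spaces_8(const uint8_t *s, size_t n)   { return PREV(count_leading_spaces)(s, n); }
#undef CUR_WIDTH
#define CUR_WIDTH 16
size_t leading_spaces_16(const uint16_t *s, size_t n) { return PREV(count_leading_spaces)(s, n); }
#undef CUR_WIDTH
#define CUR_WIDTH 32
size_t leading_spaces_32(const uint32_t *s, size_t n) { return PREV(count_leading_spaces)(s, n); }
#undef CUR_WIDTH

/* Constructed sample inputs, one per width. */
size_t demo_8(void)  { const uint8_t  s[] = {' ', ' ', 'a'};      return leading_spaces_8(s, 3);  }
size_t demo_16(void) { const uint16_t s[] = {' ', ' ', 'a', 'b'}; return leading_spaces_16(s, 4); }
size_t demo_32(void) { const uint32_t s[] = {' ', 'a'};           return leading_spaces_32(s, 2); }

int main(void)
{
    printf("8:%zu 16:%zu 32:%zu\n", demo_8(), demo_16(), demo_32());
    return 0;
}
```

Running `nm` on the resulting object shows three distinct count_leading_spaces_8/16/32 symbols, which is the property the wrapper is meant to guarantee.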