http://bugs.exim.org/show_bug.cgi?id=1463
Summary: pcre-8.35 fails test with GCC 4.9
Product: PCRE
Version: 8.35
Platform: Other
URL: http://gcc.gnu.org/gcc-4.9/changes.html
OS/Version: Linux
Status: NEW
Severity: bug
Priority: medium
Component: Code
AssignedTo: ph10@???
ReportedBy: ppisar@???
CC: pcre-dev@???
When using gcc version 4.9.0 20140409 (Red Hat 4.9.0-0.9) prerelease, pcre-8.35
fails some tests:
FAIL: RunTest
=============
PCRE C library tests using test data from ./testdata
PCRE version 8.35 2014-04-04
---- Testing 8-bit library ----
Test 1: Main functionality (Compatible with Perl >= 5.10)
OK
OK with study
OK with JIT study
Test 2: API, errors, internals, and non-Perl stuff (not UTF-8)
--- ./testdata/testoutput2 2014-03-10 17:28:08.000000000 +0100
+++ testtry 2014-04-11 08:50:20.688000000 +0200
@@ -5821,13 +5821,16 @@
No match
/a{11111111111111111111}/I
-Failed: number too big in {} quantifier at offset 22
+Capturing subpattern count = 0
+No options
+First char = 'a'
+No need char
/(){64294967295}/I
-Failed: number too big in {} quantifier at offset 14
+Failed: regular expression is too large at offset 15
/(){2,4294967295}/I
-Failed: number too big in {} quantifier at offset 15
+Failed: numbers out of order in {} quantifier at offset 15
"(?i:a)(?i:b)(?i:c)(?i:d)(?i:e)(?i:f)(?i:g)(?i:h)(?i:i)(?i:j)(k)(?i:l)A\1B"I
Capturing subpattern count = 1
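Review bot: the first changed case, /a{11111111111111111111}/I, is the one to treat as most serious. The expected output rejects it with "number too big in {} quantifier", but the new output shows it compiling ("Capturing subpattern count = 0", "First char = 'a'"), so an out-of-range repeat count is accepted instead of refused. The other two cases are still rejected, but with different messages and, for (){64294967295}, a different offset (15 instead of 14), which suggests the "number too big" check is no longer the one that stops them. I would make the range check reject the count while the digits are still being read, and keep these three patterns in testinput2 as the regression cases.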
This looks like a wrapping signed integer, which is undefined in the C language.
If I recompile with -fsanitize=undefined in CFLAGS and LDFLAGS (supported since
GCC 4.9), the test confirms a signed integer overflow:
$ ./RunTest 2
PCRE C library tests using test data from ./testdata
PCRE version 8.35 2014-04-04
---- Testing 8-bit library ----
Test 2: API, errors, internals, and non-Perl stuff (not UTF-8)
pcre_compile.c:1589:32: runtime error: signed integer overflow: 1111111111 * 10
cannot be represented in type 'int'
pcre_compile.c:1604:35: runtime error: signed integer overflow: 429496729 * 10
cannot be represented in type 'int'
OK
pcre_compile.c:1589:32: runtime error: signed integer overflow: 1111111111 * 10
cannot be represented in type 'int'
pcre_compile.c:1604:35: runtime error: signed integer overflow: 429496729 * 10
cannot be represented in type 'int'
OK with study
pcre_compile.c:1589:32: runtime error: signed integer overflow: 1111111111 * 10
cannot be represented in type 'int'
pcre_compile.c:1604:35: runtime error: signed integer overflow: 429496729 * 10
cannot be represented in type 'int'
OK with JIT study
[the same output for UTF-16 and UTF-32]
This is a bug in parsing numbers in a "{min,max}" expression. E.g.:
                               HERE
                               ↓
while (IS_DIGIT(*p)) min = min * 10 + (int)(*p++ - CHAR_0);
if (min < 0 || min > 65535)
  {
  *errorcodeptr = ERR5;
  return p;
  }
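
An added example, not part of the original report and not PCRE's own code: one way to read the counts so that the range check runs inside the digit loop, before the next multiplication can overflow. The function names and the QUANT_* codes are hypothetical; the 65535 limit and the three failing quantifiers are taken from the report above.

```c
#include <stdio.h>

/* Hypothetical names for this example; 65535 is the limit checked in the report. */
#define REPEAT_MAX 65535
enum { QUANT_OK = 0, QUANT_TOO_BIG, QUANT_OUT_OF_ORDER, QUANT_SYNTAX };

/* Read decimal digits, failing as soon as the value passes REPEAT_MAX. The value is
   <= 65535 before each multiply, so value * 10 + 9 <= 655359 always fits in int. */
static int read_count(const char **pp, int *out)
{
    const char *p = *pp;
    int value = 0;
    if (*p < '0' || *p > '9') return QUANT_SYNTAX;
    while (*p >= '0' && *p <= '9') {
        value = value * 10 + (*p++ - '0');
        if (value > REPEAT_MAX) return QUANT_TOO_BIG;  /* stop before it can wrap */
    }
    *pp = p;
    *out = value;
    return QUANT_OK;
}

/* Parse the text between the braces: "n", "n," or "n,m"; max = -1 means unbounded. */
int parse_quantifier(const char *p, int *min, int *max)
{
    int rc = read_count(&p, min);
    if (rc != QUANT_OK) return rc;
    *max = *min;
    if (*p == ',') {
        p++;
        if (*p == '\0') { *max = -1; return QUANT_OK; }
        rc = read_count(&p, max);
        if (rc != QUANT_OK) return rc;
        if (*max < *min) return QUANT_OUT_OF_ORDER;
    }
    return (*p == '\0') ? QUANT_OK : QUANT_SYNTAX;
}

int main(void)
{
    /* Quantifier bodies from the three failing test cases, plus two valid ones. */
    const char *cases[] = { "11111111111111111111", "64294967295",
                            "2,4294967295", "2,4", "65535" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int min = 0, max = 0;
        printf("{%s} -> %d\n", cases[i], parse_quantifier(cases[i], &min, &max));
    }
    return 0;
}
```

Built with -fsanitize=undefined, this reports no overflow for any of the inputs, because no intermediate value ever exceeds 655359.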