[pcre-dev] [Bug 1546] Heap buffer overflow in pcregrep

Author: Philip Hazel
Date:  
To: pcre-dev
Subject: [pcre-dev] [Bug 1546] Heap buffer overflow in pcregrep
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugs.exim.org/show_bug.cgi?id=1546

Philip Hazel <ph10@???> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
--- Comment #1 from Philip Hazel <ph10@???> 2014-11-19 11:01:36 ---
Thank you for this report. The bug was actually in the PCRE library, not in
pcregrep. It was provoked by the use of an assertion with a zero minimum repeat
as the condition in a conditional group. (I always thought allowing quantifiers
on assertions was crazy, but Perl allows them, so PCRE does - though I see that
Perl does not allow this particular case. Sigh.)

The fix is a simple one-line-of-code patch to pcre_exec.c. I have committed
this patch to the repository.

--- pcre_exec.c (revision 1512)
+++ pcre_exec.c (working copy)
@@ -1404,8 +1404,11 @@
         condition = TRUE;


         /* Advance ecode past the assertion to the start of the first branch,
-        but adjust it so that the general choosing code below works. */
-
+        but adjust it so that the general choosing code below works. If the 
+        assertion has a quantifier that allows zero repeats we must skip over 
+        the BRAZERO. This is a lunatic thing to do, but somebody did! */
+        
+        if (*ecode == OP_BRAZERO) ecode++; 
         ecode += GET(ecode, 1);
         while (*ecode == OP_ALT) ecode += GET(ecode, 1);
         ecode += 1 + LINK_SIZE - PRIV(OP_lengths)[condcode];
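Review bot: the new check before `ecode += GET(ecode, 1);` only handles OP_BRAZERO, the greedy zero-minimum case; a non-greedy zero-minimum quantifier on the assertion is compiled with the sibling opcode OP_BRAMINZERO, so that variant would still leave ecode pointing at the wrong opcode and reproduce the original heap overread. Suggest `if (*ecode == OP_BRAZERO || *ecode == OP_BRAMINZERO) ecode++;` (or a note in the commit on why the minimizing form cannot reach this point), plus a regression pattern in the test data, since the hunk adds no test for the crashing input. Minor: the added comment lines and the new `if` line carry trailing whitespace.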



--
Configure bugmail: http://bugs.exim.org/userprefs.cgi?tab=email