Revision: 1526
http://vcs.pcre.org/viewvc?view=rev&revision=1526
Author: ph10
Date: 2015-02-20 10:51:07 +0000 (Fri, 20 Feb 2015)
Log Message:
-----------
Fixed two pcretest crashes caused by mangled input (the fuzzers are at work).
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcretest.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-02-11 16:48:35 UTC (rev 1525)
+++ code/trunk/ChangeLog 2015-02-20 10:51:07 UTC (rev 1526)
@@ -4,30 +4,30 @@
Version 8.37 xx-xxx-2015
------------------------
-1. When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
- for those parentheses to be closed with whatever has been captured so far.
- However, it was failing to mark any other groups between the hightest
- capture so far and the currrent group as "unset". Thus, the ovector for
- those groups contained whatever was previously there. An example is the
+1. When an (*ACCEPT) is triggered inside capturing parentheses, it arranges
+ for those parentheses to be closed with whatever has been captured so far.
+ However, it was failing to mark any other groups between the hightest
+ capture so far and the currrent group as "unset". Thus, the ovector for
+ those groups contained whatever was previously there. An example is the
pattern /(x)|((*ACCEPT))/ when matched against "abcd".
-
-2. If an assertion condition was quantified with a minimum of zero (an odd
- thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
-
+
+2. If an assertion condition was quantified with a minimum of zero (an odd
+ thing to do, but it happened), SIGSEGV or other misbehaviour could occur.
+
3. If a pattern in pcretest input had the P (POSIX) modifier followed by an
- unrecognized modifier, a crash could occur.
-
+ unrecognized modifier, a crash could occur.
+
4. An attempt to do global matching in pcretest with a zero-length ovector
- caused a crash.
-
+ caused a crash.
+
5. Fixed a memory leak during matching that could occur for a subpattern
subroutine call (recursive or otherwise) if the number of captured groups
that had to be saved was greater than ten.
-
+
6. Catch a bad opcode during auto-possessification after compiling a bad UTF
string with NO_UTF_CHECK. This is a tidyup, not a bug fix, as passing bad
- UTF with NO_UTF_CHECK is documented as having an undefined outcome.
-
+ UTF with NO_UTF_CHECK is documented as having an undefined outcome.
+
7. A UTF pattern containing a "not" match of a non-ASCII character and a
subroutine reference could loop at compile time. Example: /[^\xff]((?1))/.
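Review bot: the typos "hightest" and "currrent" in item 1 are carried over unchanged into the re-added lines (the `+ However, it was failing to mark any other groups between the hightest` and `+ capture so far and the currrent group as "unset"` lines); since those lines are rewritten in this hunk anyway, correct them to "highest" and "current". Apart from that, this hunk appears to be whitespace-only (blank lines losing or gaining trailing spaces), which buries the substantive ChangeLog edit in the next hunk; whitespace cleanups are easier to review when committed separately.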
@@ -65,7 +65,17 @@
failed to allow the zero-repeat case if pcre2_exec() was called with an
ovector too small to capture the group.
+13. Fixed two bugs in pcretest that were discovered by fuzzing and reported by
+ Red Hat Product Security:
+ (a) A crash if /K and /F were both set with the option to save the compiled
+ pattern.
+
+ (b) Another crash if the option to print captured substrings in a callout
+ was combined with setting a null ovector, for example \O\C+ as a subject
+ string.
+
+
Version 8.36 26-September-2014
------------------------------
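Review bot: item 13(a) names the triggering combination (/K and /F with the save option) but not the cause, and the pcretest.c hunks in this revision gate the study-data byte swap on PCRE_EXTRA_STUDY_DATA, so a half-sentence such as "because the byte-flipping code assumed study data was present whenever an extra block existed" would tell readers what was actually wrong. The entry also credits Red Hat Product Security without a bug or advisory reference; if one was assigned, add it here so the fix can be cross-referenced later.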
Modified: code/trunk/pcretest.c
===================================================================
--- code/trunk/pcretest.c 2015-02-11 16:48:35 UTC (rev 1525)
+++ code/trunk/pcretest.c 2015-02-20 10:51:07 UTC (rev 1526)
@@ -2257,18 +2257,21 @@
fprintf(f, "Callout %d: last capture = %d\n",
cb->callout_number, cb->capture_last);
- for (i = 0; i < cb->capture_top * 2; i += 2)
- {
- if (cb->offset_vector[i] < 0)
- fprintf(f, "%2d: <unset>\n", i/2);
- else
+ if (cb->offset_vector != NULL)
+ {
+ for (i = 0; i < cb->capture_top * 2; i += 2)
{
- fprintf(f, "%2d: ", i/2);
- PCHARSV(cb->subject, cb->offset_vector[i],
- cb->offset_vector[i+1] - cb->offset_vector[i], f);
- fprintf(f, "\n");
+ if (cb->offset_vector[i] < 0)
+ fprintf(f, "%2d: <unset>\n", i/2);
+ else
+ {
+ fprintf(f, "%2d: ", i/2);
+ PCHARSV(cb->subject, cb->offset_vector[i],
+ cb->offset_vector[i+1] - cb->offset_vector[i], f);
+ fprintf(f, "\n");
+ }
}
- }
+ }
}
/* Re-print the subject in canonical form, the first time or if giving full
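Review bot: the new `if (cb->offset_vector != NULL)` guard skips the capture dump silently when no ovector was supplied, so the callout output gives no indication that substring printing was requested but could not be honoured; consider an `else` branch that prints a marker line (for example `<no ovector>`) so the condition is recorded in testoutput2 explicitly rather than by the absence of lines. A one-line comment above the guard saying that a zero-size ovector request arrives here as a NULL pointer would also help, since the zero-iteration `for` loop already covers `capture_top == 0` and a reader may otherwise wonder why the extra check is needed.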
@@ -2519,7 +2522,7 @@
re->name_count = swap_uint16(re->name_count);
re->ref_count = swap_uint16(re->ref_count);
-if (extra != NULL)
+if (extra != NULL && (extra->flags & PCRE_EXTRA_STUDY_DATA) != 0)
{
pcre_study_data *rsd = (pcre_study_data *)(extra->study_data);
rsd->size = swap_uint32(rsd->size);
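Review bot: testing `(extra->flags & PCRE_EXTRA_STUDY_DATA) != 0` is the correct guard, because `extra->study_data` is only defined to be valid when that flag is set; a non-NULL `extra` on its own is not evidence that study data was attached, which is exactly what the /K plus /F case in the ChangeLog entry exercises. A short comment stating that here would stop the condition being "simplified" back to `extra != NULL` in a later tidy-up.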
@@ -2700,7 +2703,7 @@
re->name_count = swap_uint16(re->name_count);
re->ref_count = swap_uint16(re->ref_count);
-if (extra != NULL)
+if (extra != NULL && (extra->flags & PCRE_EXTRA_STUDY_DATA) != 0)
{
pcre_study_data *rsd = (pcre_study_data *)(extra->study_data);
rsd->size = swap_uint32(rsd->size);
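Review bot: this hunk is a verbatim repeat of the change at 2522: the same `if (extra != NULL && (extra->flags & PCRE_EXTRA_STUDY_DATA) != 0)` guard wrapped around the same `pcre_study_data *rsd = ...; rsd->size = swap_uint32(rsd->size);` sequence. Having the byte-flip of the study block in two places is why this bug had to be fixed twice; consider moving the swap into one static helper so the next fix lands in a single place.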
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-02-11 16:48:35 UTC (rev 1525)
+++ code/trunk/testdata/testinput2 2015-02-20 10:51:07 UTC (rev 1526)
@@ -1380,6 +1380,8 @@
1X
123456\P
+//KF>/dev/null
+
/abc/IS>testsavedregex
<testsavedregex
abc
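Review bot: the new test `//KF>/dev/null` hard-codes a POSIX path, and the matching expectation in testoutput2 (`Compiled pattern written to /dev/null`) hard-codes it too; confirm that the non-POSIX test runners either skip this line or map the path, otherwise the test will fail there for reasons unrelated to the fix. A `/-- ... --/` comment line, the form this file already uses (see `/-- End of testinput2 --/`), noting that this is the regression test for ChangeLog item 13(a) would also help, because `//KF>/dev/null` is not self-explanatory.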
@@ -4121,4 +4123,7 @@
g
g\O3
+//C
+ \O\C+
+
/-- End of testinput2 --/
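Review bot: `//C` with subject `\O\C+` is the minimal reproducer for item 13(b), but nothing in the file marks it as such; add a `/-- ... --/` comment in the file's own style naming the ChangeLog item. It would also be worth a companion case with `\O` but without `\C+`, so the callout path with a zero-size ovector is exercised with and without the substring-printing option.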
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-02-11 16:48:35 UTC (rev 1525)
+++ code/trunk/testdata/testoutput2 2015-02-20 10:51:07 UTC (rev 1526)
@@ -5614,6 +5614,10 @@
123456\P
No match
+//KF>/dev/null
+Compiled pattern written to /dev/null
+Study data written to /dev/null
+
/abc/IS>testsavedregex
Capturing subpattern count = 0
No options
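Review bot: the expected output reports `Study data written to /dev/null` for a pattern that carries no /S modifier, so it was never studied; if the save path writes a study block whenever `extra` is non-NULL, it is writing a block that the flip path in pcretest.c now (correctly) refuses to byte-swap. Either the write path needs the same PCRE_EXTRA_STUDY_DATA check, or the expectation should be explained, since as it stands the output documents the save of study data that does not exist.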
@@ -14309,4 +14313,11 @@
Matched, but too many substrings
0: g
+//C
+ \O\C+
+Callout 255: last capture = -1
+--->
+ +0 ^
+Matched, but too many substrings
+
/-- End of testinput2 --/
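Review bot: the expectation goes straight from `Callout 255: last capture = -1` through the `--->` / ` +0 ^` position lines to `Matched, but too many substrings` with no capture lines in between, which pins the new guard's behaviour of printing nothing when the ovector is null; any later decision to emit an explicit marker in that path must update this expected output in the same commit, so a comment here or in the test input tying the two together would be useful.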