Revision: 212
http://www.exim.org/viewvc/pcre2?view=rev&revision=212
Author: ph10
Date: 2015-03-01 18:34:05 +0000 (Sun, 01 Mar 2015)
Log Message:
-----------
Fix compile error for forward reference subroutine call within a group that
also contained a recursive back reference.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_compile.c
code/trunk/testdata/testinput2
code/trunk/testdata/testinput8
code/trunk/testdata/testoutput2
code/trunk/testdata/testoutput8-16
code/trunk/testdata/testoutput8-32
code/trunk/testdata/testoutput8-8
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-02-28 11:31:51 UTC (rev 211)
+++ code/trunk/ChangeLog 2015-03-01 18:34:05 UTC (rev 212)
@@ -105,7 +105,12 @@
This bug was reported as "heap overflow", discovered by Kai Lu of Fortinet's
FortiGuard Labs.
+23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
+call within a group that also contained a recursive back reference caused
+incorrect code to be compiled. This bug was reported as "heap overflow",
+discovered by Kai Lu of Fortinet's FortiGuard Labs.
+
Version 10.00 05-January-2015
-----------------------------
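Review bot: the pattern quoted in the new item 23, `"((?+1)(\1))/"`, carries a stray `/` in front of the closing double quote; the test files add this case as `/((?+1)(\1))/`, so the ChangeLog entry should read `"((?+1)(\1))"` (or use slash delimiters on both ends) so that a reader can paste it into pcre2test unchanged.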
Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c 2015-02-28 11:31:51 UTC (rev 211)
+++ code/trunk/src/pcre2_compile.c 2015-03-01 18:34:05 UTC (rev 212)
@@ -6713,6 +6713,7 @@
uint32_t branchfirstcu, branchreqcu;
int32_t branchfirstcuflags, branchreqcuflags;
size_t length;
+size_t save_hwm_offset;
unsigned int orig_bracount;
unsigned int max_bracount;
branch_chain bc;
@@ -6734,6 +6735,8 @@
firstcu = reqcu = 0;
firstcuflags = reqcuflags = REQ_UNSET;
+save_hwm_offset = cb->hwm - cb->start_workspace; /* hwm at start of group */
+
/* Accumulate the length for use in the pre-compile phase. Start with the
length of the BRA and KET and any extra code units that are required at the
beginning. We accumulate in a local variable to save frequent testing of
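Review bot: the new assignment `save_hwm_offset = cb->hwm - cb->start_workspace;` stores an offset rather than the raw `cb->hwm` pointer, which is the right form if the workspace can be reallocated while the group body is compiled (a saved pointer would dangle), but the comment `/* hwm at start of group */` says only what is saved, not why it is captured here rather than at the later adjust_recurse call. Suggest extending the comment to say that forward-reference entries recorded between this point and the OP_ONCE insertion must be covered by the adjustment, so the next person does not "simplify" it back to the current hwm.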
@@ -6939,7 +6942,7 @@
{
*code = OP_END;
adjust_recurse(start_bracket, 1 + LINK_SIZE,
- (options & PCRE2_UTF) != 0, cb, cb->hwm - cb->start_workspace);
+ (options & PCRE2_UTF) != 0, cb, save_hwm_offset);
memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
CU2BYTES(code - start_bracket));
*start_bracket = OP_ONCE;
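Review bot: the replaced argument `cb->hwm - cb->start_workspace` was evaluated at the call, after the whole group body had been compiled, so it was larger than the offset at group start; if adjust_recurse treats that value as the point from which workspace entries still need fixing, every forward-reference entry recorded inside the group (the `(?+1)` in the test pattern) was skipped while the following memmove shifted the code it refers to by `1 + LINK_SIZE`, which matches the "incorrect code" in the log message. Passing `save_hwm_offset` is the correct bound; it is worth checking the rest of this function for any other adjust_recurse call that inserts an opcode in front of an already-compiled group and still passes the current hwm, since the same mismatch would apply there.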
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-02-28 11:31:51 UTC (rev 211)
+++ code/trunk/testdata/testinput2 2015-03-01 18:34:05 UTC (rev 212)
@@ -4172,8 +4172,10 @@
g
g\=ovector=1
-# This pattern showed up a compile-time bug
+# These two pattern showeds up compile-time bugs
"((?2){0,1999}())?"
+/((?+1)(\1))/B
+
# End of testinput2
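Review bot: the reworded comment `# These two pattern showeds up compile-time bugs` has the plural on the wrong word; it should be `# These two patterns showed up compile-time bugs`, and because pcre2test compares against testoutput2 verbatim, the same comment line in testoutput2 has to be corrected in the same commit or test 2 will fail.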
Modified: code/trunk/testdata/testinput8
===================================================================
--- code/trunk/testdata/testinput8 2015-02-28 11:31:51 UTC (rev 211)
+++ code/trunk/testdata/testinput8 2015-03-01 18:34:05 UTC (rev 212)
@@ -138,4 +138,6 @@
/(((a\2)|(a*)\g<-1>))*a?/
+/((?+1)(\1))/
+
# End of testinput8
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-02-28 11:31:51 UTC (rev 211)
+++ code/trunk/testdata/testoutput2 2015-03-01 18:34:05 UTC (rev 212)
@@ -13950,8 +13950,23 @@
Matched, but too many substrings
0: g
-# This pattern showed up a compile-time bug
+# These two pattern showeds up compile-time bugs
"((?2){0,1999}())?"
+/((?+1)(\1))/B
+------------------------------------------------------------------
+ Bra
+ Once
+ CBra 1
+ Recurse
+ CBra 2
+ \1
+ Ket
+ Ket
+ Ket
+ Ket
+ End
+------------------------------------------------------------------
+
# End of testinput2
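Review bot: the new case is added with no subject line, so this expected output only checks the `/B` listing (Bra, Once, CBra 1, Recurse, CBra 2, \1) and never runs the compiled code; the report was filed as a "heap overflow", so a subject line that exercises the forward call and the `\1` back reference would also confirm that the resolved Recurse target is correct at match time, not just that the listing looks right. The comment typo `pattern showeds` must also be fixed here in lockstep with testinput2.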
Modified: code/trunk/testdata/testoutput8-16
===================================================================
--- code/trunk/testdata/testoutput8-16 2015-02-28 11:31:51 UTC (rev 211)
+++ code/trunk/testdata/testoutput8-16 2015-03-01 18:34:05 UTC (rev 212)
@@ -739,4 +739,19 @@
41 End
------------------------------------------------------------------
+/((?+1)(\1))/
+------------------------------------------------------------------
+ 0 20 Bra
+ 2 16 Once
+ 4 12 CBra 1
+ 7 9 Recurse
+ 9 5 CBra 2
+ 12 \1
+ 14 5 Ket
+ 16 12 Ket
+ 18 16 Ket
+ 20 20 Ket
+ 22 End
+------------------------------------------------------------------
+
# End of testinput8
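Review bot: this listing is the real regression check for the compile fix and should be read as such: `7 9 Recurse` targets offset 9, which is exactly where `9 5 CBra 2` sits, and every Ket operand points back to its opening bracket after the Once insertion (14-5=9, 16-12=4, 18-16=2, 20-20=0); with the old hwm argument the Recurse operand would have been short by the inserted `Once` plus its link. The testoutput8-32 hunk is identical code unit for code unit, which is expected here because both listings show a one-code-unit link (Once occupies offsets 2 to 3), so the 32-bit file adds no extra coverage and the 8-bit file is the one that exercises the other link size.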
Modified: code/trunk/testdata/testoutput8-32
===================================================================
--- code/trunk/testdata/testoutput8-32 2015-02-28 11:31:51 UTC (rev 211)
+++ code/trunk/testdata/testoutput8-32 2015-03-01 18:34:05 UTC (rev 212)
@@ -739,4 +739,19 @@
41 End
------------------------------------------------------------------
+/((?+1)(\1))/
+------------------------------------------------------------------
+ 0 20 Bra
+ 2 16 Once
+ 4 12 CBra 1
+ 7 9 Recurse
+ 9 5 CBra 2
+ 12 \1
+ 14 5 Ket
+ 16 12 Ket
+ 18 16 Ket
+ 20 20 Ket
+ 22 End
+------------------------------------------------------------------
+
# End of testinput8
Modified: code/trunk/testdata/testoutput8-8
===================================================================
--- code/trunk/testdata/testoutput8-8 2015-02-28 11:31:51 UTC (rev 211)
+++ code/trunk/testdata/testoutput8-8 2015-03-01 18:34:05 UTC (rev 212)
@@ -739,4 +739,19 @@
60 End
------------------------------------------------------------------
+/((?+1)(\1))/
+------------------------------------------------------------------
+ 0 31 Bra
+ 3 25 Once
+ 6 19 CBra 1
+ 11 14 Recurse
+ 14 8 CBra 2
+ 19 \1
+ 22 8 Ket
+ 25 19 Ket
+ 28 25 Ket
+ 31 31 Ket
+ 34 End
+------------------------------------------------------------------
+
# End of testinput8
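Review bot: this is the only one of the three test-8 listings where the inserted `Once` shifts the group by three code units (Once at 3, CBra 1 at 6) rather than two, so it covers the `1 + LINK_SIZE` arithmetic with a two-unit link; `11 14 Recurse` targets `14 8 CBra 2` and the Kets close at 14, 6, 3 and 0, confirming the forward reference was adjusted by the full insertion size in this mode as well.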