Revision: 1529
http://vcs.pcre.org/viewvc?view=rev&revision=1529
Author: ph10
Date: 2015-03-02 17:09:58 +0000 (Mon, 02 Mar 2015)
Log Message:
-----------
Fix bad compilation for patterns like /((?+1)(\1))/ with forward reference
subroutine and recursive back reference within the same group.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_compile.c
code/trunk/testdata/testinput11
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput11-16
code/trunk/testdata/testoutput11-32
code/trunk/testdata/testoutput11-8
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-02-28 11:48:09 UTC (rev 1528)
+++ code/trunk/ChangeLog 2015-03-02 17:09:58 UTC (rev 1529)
@@ -82,6 +82,11 @@
previously-checked referenced subpattern not found" when an incorrect
memory address was read. This bug was reported as "heap overflow",
discovered by Kai Lu of Fortinet's FortiGuard Labs.
+
+23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
+ call within a group that also contained a recursive back reference caused
+ incorrect code to be compiled. This bug was reported as "heap overflow",
+ discovered by Kai Lu of Fortinet's FortiGuard Labs.
Version 8.36 26-September-2014
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c 2015-02-28 11:48:09 UTC (rev 1528)
+++ code/trunk/pcre_compile.c 2015-03-02 17:09:58 UTC (rev 1529)
@@ -8103,6 +8103,7 @@
unsigned int orig_bracount;
unsigned int max_bracount;
branch_chain bc;
+size_t save_hwm_offset;
/* If set, call the external function that checks for stack availability. */
@@ -8120,6 +8121,8 @@
firstchar = reqchar = 0;
firstcharflags = reqcharflags = REQ_UNSET;
+save_hwm_offset = cd->hwm - cd->start_workspace;
+
/* Accumulate the length for use in the pre-compile phase. Start with the
length of the BRA and KET and any extra bytes that are required at the
beginning. We accumulate in a local variable to save frequent testing of
@@ -8322,7 +8325,7 @@
{
*code = OP_END;
adjust_recurse(start_bracket, 1 + LINK_SIZE,
- (options & PCRE_UTF8) != 0, cd, cd->hwm - cd->start_workspace);
+ (options & PCRE_UTF8) != 0, cd, save_hwm_offset);
memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
IN_UCHARS(code - start_bracket));
*start_bracket = OP_ONCE;
Modified: code/trunk/testdata/testinput11
===================================================================
--- code/trunk/testdata/testinput11 2015-02-28 11:48:09 UTC (rev 1528)
+++ code/trunk/testdata/testinput11 2015-03-02 17:09:58 UTC (rev 1529)
@@ -134,4 +134,6 @@
/(((a\2)|(a*)\g<-1>))*a?/B
+/((?+1)(\1))/B
+
/-- End of testinput11 --/
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-02-28 11:48:09 UTC (rev 1528)
+++ code/trunk/testdata/testinput2 2015-03-02 17:09:58 UTC (rev 1529)
@@ -4128,4 +4128,6 @@
"((?2){0,1999}())?"
+/((?+1)(\1))/BZ
+
/-- End of testinput2 --/
Modified: code/trunk/testdata/testoutput11-16
===================================================================
--- code/trunk/testdata/testoutput11-16 2015-02-28 11:48:09 UTC (rev 1528)
+++ code/trunk/testdata/testoutput11-16 2015-03-02 17:09:58 UTC (rev 1529)
@@ -733,4 +733,19 @@
41 End
------------------------------------------------------------------
+/((?+1)(\1))/B
+------------------------------------------------------------------
+ 0 20 Bra
+ 2 16 Once
+ 4 12 CBra 1
+ 7 9 Recurse
+ 9 5 CBra 2
+ 12 \1
+ 14 5 Ket
+ 16 12 Ket
+ 18 16 Ket
+ 20 20 Ket
+ 22 End
+------------------------------------------------------------------
+
/-- End of testinput11 --/
Modified: code/trunk/testdata/testoutput11-32
===================================================================
--- code/trunk/testdata/testoutput11-32 2015-02-28 11:48:09 UTC (rev 1528)
+++ code/trunk/testdata/testoutput11-32 2015-03-02 17:09:58 UTC (rev 1529)
@@ -733,4 +733,19 @@
41 End
------------------------------------------------------------------
+/((?+1)(\1))/B
+------------------------------------------------------------------
+ 0 20 Bra
+ 2 16 Once
+ 4 12 CBra 1
+ 7 9 Recurse
+ 9 5 CBra 2
+ 12 \1
+ 14 5 Ket
+ 16 12 Ket
+ 18 16 Ket
+ 20 20 Ket
+ 22 End
+------------------------------------------------------------------
+
/-- End of testinput11 --/
Modified: code/trunk/testdata/testoutput11-8
===================================================================
--- code/trunk/testdata/testoutput11-8 2015-02-28 11:48:09 UTC (rev 1528)
+++ code/trunk/testdata/testoutput11-8 2015-03-02 17:09:58 UTC (rev 1529)
@@ -733,4 +733,19 @@
60 End
------------------------------------------------------------------
+/((?+1)(\1))/B
+------------------------------------------------------------------
+ 0 31 Bra
+ 3 25 Once
+ 6 19 CBra 1
+ 11 14 Recurse
+ 14 8 CBra 2
+ 19 \1
+ 22 8 Ket
+ 25 19 Ket
+ 28 25 Ket
+ 31 31 Ket
+ 34 End
+------------------------------------------------------------------
+
/-- End of testinput11 --/
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-02-28 11:48:09 UTC (rev 1528)
+++ code/trunk/testdata/testoutput2 2015-03-02 17:09:58 UTC (rev 1529)
@@ -14322,4 +14322,19 @@
"((?2){0,1999}())?"
+/((?+1)(\1))/BZ
+------------------------------------------------------------------
+ Bra
+ Once
+ CBra 1
+ Recurse
+ CBra 2
+ \1
+ Ket
+ Ket
+ Ket
+ Ket
+ End
+------------------------------------------------------------------
+
/-- End of testinput2 --/
