Revision: 1534
http://vcs.pcre.org/viewvc?view=rev&revision=1534
Author: ph10
Date: 2015-03-24 10:33:21 +0000 (Tue, 24 Mar 2015)
Log Message:
-----------
Fix bugs caused by (?!) as a condition (which is converted to OP_FAIL).
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_compile.c
code/trunk/pcre_dfa_exec.c
code/trunk/pcre_exec.c
code/trunk/testdata/testinput2
code/trunk/testdata/testinput8
code/trunk/testdata/testoutput2
code/trunk/testdata/testoutput8
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-03-24 08:22:29 UTC (rev 1533)
+++ code/trunk/ChangeLog 2015-03-24 10:33:21 UTC (rev 1534)
@@ -81,12 +81,14 @@
code to be compiled, leading to the error "internal error:
previously-checked referenced subpattern not found" when an incorrect
memory address was read. This bug was reported as "heap overflow",
- discovered by Kai Lu of Fortinet's FortiGuard Labs.
+ discovered by Kai Lu of Fortinet's FortiGuard Labs and given the CVE number
+ CVE-2015-2325.
23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
call within a group that also contained a recursive back reference caused
incorrect code to be compiled. This bug was reported as "heap overflow",
- discovered by Kai Lu of Fortinet's FortiGuard Labs.
+ discovered by Kai Lu of Fortinet's FortiGuard Labs, and given the CVE
+ number CVE-2015-2326.
24. Computing the size of the JIT read-only data in advance has been a source
of various issues, and new ones are still appear unfortunately. To fix
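Review bot: the two new attribution sentences are worded differently: item 22 reads "Labs and given the CVE number" while item 23 reads "Labs, and given the CVE number"; pick one form for both. While touching this region, the unchanged context line of item 24, "new ones are still appear unfortunately", is a pre-existing typo that could be fixed in the same commit ("new ones still appear").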
@@ -100,8 +102,16 @@
26. Fix JIT compilation of conditional blocks, which assertion
is converted to (*FAIL). E.g: /(?(?!))/.
+
+27. The pattern /(?(?!)^)/ caused references to random memory. This bug was
+ discovered by the LLVM fuzzer.
+28. The assertion (?!) is optimized to (*FAIL). This was not handled correctly
+ when this assertion was used as a condition, for example (?(?!)a|b). In
+ pcre2_match() it worked by luck; in pcre2_dfa_match() it gave an incorrect
+ error about an unsupported item.
+
Version 8.36 26-September-2014
------------------------------
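Review bot: item 28 names pcre2_match() and pcre2_dfa_match(), but this commit modifies pcre_exec.c and pcre_dfa_exec.c in the PCRE1 trunk (the 8.3x series, as the "Version 8.36" heading just below shows); the function names should be pcre_exec() and pcre_dfa_exec(). Item 27 should also say which of the two matchers (or both) showed the random memory references, since the fix touches both.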
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c 2015-03-24 08:22:29 UTC (rev 1533)
+++ code/trunk/pcre_compile.c 2015-03-24 10:33:21 UTC (rev 1534)
@@ -8553,6 +8553,7 @@
case OP_RREF:
case OP_DNRREF:
case OP_DEF:
+ case OP_FAIL:
return FALSE;
default: /* Assertion */
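Review bot: OP_FAIL is added to the list of condition opcodes that return FALSE without any comment on why a FAIL opcode can appear as a condition, and the switch's default case is documented as "Assertion", so a reader may wonder whether this is a typo; a short note in the style of the pcre_exec.c change, such as `case OP_FAIL: /* From optimized (?!) condition */`, would make the intent clear.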
Modified: code/trunk/pcre_dfa_exec.c
===================================================================
--- code/trunk/pcre_dfa_exec.c 2015-03-24 08:22:29 UTC (rev 1533)
+++ code/trunk/pcre_dfa_exec.c 2015-03-24 10:33:21 UTC (rev 1534)
@@ -2736,9 +2736,10 @@
condcode == OP_DNRREF)
return PCRE_ERROR_DFA_UCOND;
- /* The DEFINE condition is always false */
+ /* The DEFINE condition is always false, and the assertion (?!) is
+ converted to OP_FAIL. */
- if (condcode == OP_DEF)
+ if (condcode == OP_DEF || condcode == OP_FAIL)
{ ADD_ACTIVE(state_offset + codelink + LINK_SIZE + 1, 0); }
/* The only supported version of OP_RREF is for the value RREF_ANY,
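Review bot: the updated comment says that (?!) is converted to OP_FAIL, but not that it is treated as always false in the same way as DEFINE, which is what the ADD_ACTIVE jump past the condition implements; consider wording it as "The DEFINE condition is always false, and so is the assertion (?!), which is converted to OP_FAIL". The early return of PCRE_ERROR_DFA_UCOND for OP_RREF/OP_DNRREF above is unchanged, so OP_FAIL now correctly falls through to this test instead of being reported as an unsupported condition.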
Modified: code/trunk/pcre_exec.c
===================================================================
--- code/trunk/pcre_exec.c 2015-03-24 08:22:29 UTC (rev 1533)
+++ code/trunk/pcre_exec.c 2015-03-24 10:33:21 UTC (rev 1534)
@@ -1376,6 +1376,7 @@
break;
case OP_DEF: /* DEFINE - always false */
+ case OP_FAIL: /* From optimized (?!) condition */
break;
/* The condition is an assertion. Call match() to evaluate it - setting
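Review bot: letting OP_FAIL share the `break` of the OP_DEF case relies on the reader knowing that `break` here means "the condition is false"; the added comment explains where the opcode comes from, but a word on the outcome, e.g. `/* From optimized (?!) condition - always false */`, would match the OP_DEF comment beside it.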
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-03-24 08:22:29 UTC (rev 1533)
+++ code/trunk/testdata/testinput2 2015-03-24 10:33:21 UTC (rev 1534)
@@ -4130,4 +4130,8 @@
/((?+1)(\1))/BZ
+/(?(?!)a|b)/
+ bbb
+ aaa
+
/-- End of testinput2 --/
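Review bot: the new test exercises both outcomes of /(?(?!)a|b)/, but ChangeLog item 27 reports that /(?(?!)^)/ caused references to random memory, and no test for that pattern, or for any false condition without an alternative branch, is added here; add it so the case that motivated item 27 is covered.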
Modified: code/trunk/testdata/testinput8
===================================================================
--- code/trunk/testdata/testinput8 2015-03-24 08:22:29 UTC (rev 1533)
+++ code/trunk/testdata/testinput8 2015-03-24 10:33:21 UTC (rev 1534)
@@ -4837,4 +4837,8 @@
'\A(?:[^\"]++|\"(?:[^\"]++|\"\")*+\")++'
NON QUOTED \"QUOT\"\"ED\" AFTER \"NOT MATCHED
+/(?(?!)a|b)/
+ bbb
+ aaa
+
/-- End of testinput8 --/
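Review bot: same coverage gap as in testinput2: the DFA matcher is the one that previously reported an unsupported item for this condition (ChangeLog item 28), and the no-alternative form, /(?(?!)a)/ or the /(?(?!)^)/ pattern from item 27, is not exercised, so the codelink jump added in pcre_dfa_exec.c is only tested when an else branch exists; add the no-alternative case here too.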
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-03-24 08:22:29 UTC (rev 1533)
+++ code/trunk/testdata/testoutput2 2015-03-24 10:33:21 UTC (rev 1534)
@@ -14337,4 +14337,10 @@
End
------------------------------------------------------------------
+/(?(?!)a|b)/
+ bbb
+ 0: b
+ aaa
+No match
+
/-- End of testinput2 --/
Modified: code/trunk/testdata/testoutput8
===================================================================
--- code/trunk/testdata/testoutput8 2015-03-24 08:22:29 UTC (rev 1533)
+++ code/trunk/testdata/testoutput8 2015-03-24 10:33:21 UTC (rev 1534)
@@ -7785,4 +7785,10 @@
NON QUOTED \"QUOT\"\"ED\" AFTER \"NOT MATCHED
0: NON QUOTED "QUOT""ED" AFTER
+/(?(?!)a|b)/
+ bbb
+ 0: b
+ aaa
+No match
+
/-- End of testinput8 --/