[Pcre-svn] [1536] code/trunk: Fix memory bug for [\S\V\H] co…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1536] code/trunk: Fix memory bug for [\S\V\H] compile.
Revision: 1536
          http://vcs.pcre.org/viewvc?view=rev&revision=1536
Author:   ph10
Date:     2015-03-27 16:44:50 +0000 (Fri, 27 Mar 2015)


Log Message:
-----------
Fix memory bug for [\S\V\H] compile.

Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_compile.c
    code/trunk/testdata/testinput4
    code/trunk/testdata/testoutput4


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-03-25 16:51:51 UTC (rev 1535)
+++ code/trunk/ChangeLog    2015-03-27 16:44:50 UTC (rev 1536)
@@ -115,6 +115,13 @@
     possessification code could take exponential time to complete. A recursion 
     depth limit of 1000 has been imposed to limit the resources used by this 
     optimization.
+    
+30. A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class
+    such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored
+    because \S ensures they are all in the class. The code for doing this was
+    interacting badly with the code for computing the amount of space needed to
+    compile the pattern, leading to a buffer overflow. This bug was discovered
+    by the LLVM fuzzer.



Version 8.36 26-September-2014
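Review bot: the first sentence of the new entry 30 has a dangling clause: "A pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored" never gives its opening noun phrase a verb. Suggest "In a pattern such as /(*UTF)[\S\V\H]/, which contains a negated special class such as \S in non-UCP mode, explicit wide characters (> 255) can be ignored because \S ensures they are all in the class." The added line just above it ("+    ") carries trailing whitespace and should be an empty line. It would also help anyone triaging this report if the entry said which side of the two-pass compile was wrong; "interacting badly" is vague, and the pcre_compile.c hunk shows the size-computing pass (lengthptr != NULL) was not counting the discarded XCLASS data, so the real compile pass wrote more than had been allocated.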

Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c    2015-03-25 16:51:51 UTC (rev 1535)
+++ code/trunk/pcre_compile.c    2015-03-27 16:44:50 UTC (rev 1536)
@@ -5520,6 +5520,12 @@
       }
 #endif


+    /* Even though any XCLASS list is now discarded, we must allow for
+    its memory. */
+
+    if (lengthptr != NULL)
+      *lengthptr += (int)(class_uchardata - class_uchardata_base);
+
     /* If there are no characters > 255, or they are all to be included or
     excluded, set the opcode to OP_CLASS or OP_NCLASS, depending on whether the
     whole class was negated and whether there were negative specials such as \S
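Review bot: the new `*lengthptr += (int)(class_uchardata - class_uchardata_base);` is placed ahead of the decision described by the comment that follows it ("If there are no characters > 255, or they are all to be included or excluded, set the opcode to OP_CLASS or OP_NCLASS"), while its own comment says the XCLASS list "is now discarded". The enclosing condition is outside the visible context, so please confirm this addition sits only on the path where the XCLASS data really is thrown away; if it also runs on the path that goes on to emit OP_XCLASS, the class data would be counted twice in the size pass (over-allocation rather than overflow, but worth a comment either way). It would also be worth one line of comment saying that deliberately reserving space for data that will not be written is the safe direction for the size pre-pass, so that a later cleanup does not remove it as redundant. If `*lengthptr` is an int the `(int)` cast of the pointer difference is the expected narrowing; if it is wider, the cast is unnecessary.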
@@ -8560,7 +8566,7 @@
        case OP_RREF:
        case OP_DNRREF:
        case OP_DEF:
-       case OP_FAIL: 
+       case OP_FAIL:
        return FALSE;


        default:     /* Assertion */
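Review bot: this hunk only strips a trailing space from `case OP_FAIL:`; it is unrelated to the memory fix and would be cleaner as a separate whitespace commit so that blame on this line points at the real change. Not blocking.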


Modified: code/trunk/testdata/testinput4
===================================================================
--- code/trunk/testdata/testinput4    2015-03-25 16:51:51 UTC (rev 1535)
+++ code/trunk/testdata/testinput4    2015-03-27 16:44:50 UTC (rev 1536)
@@ -722,4 +722,6 @@
 /^#[^\x{ffff}]#[^\x{ffff}]#[^\x{ffff}]#/8
     #\x{10000}#\x{100}#\x{10ffff}#


+"[\S\V\H]"8
+
/-- End of testinput4 --/
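Review bot: the new case `"[\S\V\H]"8` has no subject lines, so it only checks that compiling the pattern in UTF mode completes; the overflow itself is only observable when the suite is run under a memory checker (valgrind or AddressSanitizer, which is how the LLVM fuzzer found it), so please note in the ChangeLog or the test comment that this is a sanitizer-dependent regression test. Adding at least one subject line would also pin down that discarding the XCLASS data did not change matching: since no character is both vertical and horizontal whitespace, the union of \S, \V and \H covers every character, so a subject such as `    a` and one with a character above 255 such as `    \x{100}` should both match in full. The blank line after the pattern terminates the case and must stay.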

Modified: code/trunk/testdata/testoutput4
===================================================================
--- code/trunk/testdata/testoutput4    2015-03-25 16:51:51 UTC (rev 1535)
+++ code/trunk/testdata/testoutput4    2015-03-27 16:44:50 UTC (rev 1536)
@@ -1271,4 +1271,6 @@
     #\x{10000}#\x{100}#\x{10ffff}#
  0: #\x{10000}#\x{100}#\x{10ffff}#


+"[\S\V\H]"8
+
/-- End of testinput4 --/
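Review bot: the expected output only echoes the pattern, which is consistent with the empty subject list in testinput4; if subject lines are added there, the matching ` 0:` lines must be added here in the same commit or the test run will fail.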