[Pcre-svn] [235] code/trunk: Fix comment between recursion a…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [235] code/trunk: Fix comment between recursion and quantifier bug.
Revision: 235
          http://www.exim.org/viewvc/pcre2?view=rev&revision=235
Author:   ph10
Date:     2015-03-29 12:15:32 +0100 (Sun, 29 Mar 2015)


Log Message:
-----------
Fix comment between recursion and quantifier bug.

Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_compile.c
    code/trunk/testdata/testinput1
    code/trunk/testdata/testinput8
    code/trunk/testdata/testoutput1
    code/trunk/testdata/testoutput8-16
    code/trunk/testdata/testoutput8-32
    code/trunk/testdata/testoutput8-8


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-03-27 17:45:02 UTC (rev 234)
+++ code/trunk/ChangeLog    2015-03-29 11:15:32 UTC (rev 235)
@@ -41,7 +41,11 @@
 other kinds of group caused stack overflow at compile time. This bug was
 discovered by the LLVM fuzzer.


+11. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
+between a subroutine call and its quantifier was incorrectly compiled, leading
+to buffer overflow or other errors. This bug was discovered by the LLVM fuzzer.

+
Version 10.10 06-March-2015
---------------------------


Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c    2015-03-27 17:45:02 UTC (rev 234)
+++ code/trunk/src/pcre2_compile.c    2015-03-29 11:15:32 UTC (rev 235)
@@ -5025,15 +5025,25 @@
     an offset rather than an absolute address. */


     case CHAR_LEFT_PARENTHESIS:
-    newoptions = options;
-    skipbytes = 0;
-    bravalue = OP_CBRA;
-    save_hwm_offset = cb->hwm - cb->start_workspace;
-    reset_bracount = FALSE;
+    ptr++;


-    /* First deal with various "verbs" that can be introduced by '*'. */
+    /* First deal with comments. Putting this code right at the start ensures
+    that comments have no bad side effects. */
+    
+    if (ptr[0] == CHAR_QUESTION_MARK && ptr[1] == CHAR_NUMBER_SIGN)
+      {   
+      ptr += 2;
+      while (ptr < cb->end_pattern && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
+      if (*ptr != CHAR_RIGHT_PARENTHESIS)
+        {
+        *errorcodeptr = ERR18;
+        goto FAILED;
+        }
+      continue;
+      }


-    ptr++;
+    /* Now deal with various "verbs" that can be introduced by '*'. */
+
     if (ptr[0] == CHAR_ASTERISK && (ptr[1] == ':'
          || (MAX_255(ptr[1]) && ((cb->ctypes[ptr[1]] & ctype_letter) != 0))))
       {
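Review bot: The post-scan check `if (*ptr != CHAR_RIGHT_PARENTHESIS)` in the new comment-skipping block dereferences ptr after the while loop may have stopped at ptr == cb->end_pattern, which is one past the pattern unless a readable terminator is guaranteed there; the bounds-safe form is `if (ptr >= cb->end_pattern)`, which also states the ERR18 intent directly. The `ptr[1] == CHAR_NUMBER_SIGN` read on the line above has the same shape when `?` is the last pattern character — hedged, since whether the buffer is always followed by a readable unit is not visible in this hunk. The `continue` returns to the head of the enclosing loop, which starts and ends outside the hunk. The added blank line after the comment and the line holding the opening brace of the comment block carry trailing whitespace.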
@@ -5153,11 +5163,19 @@
       *errorcodeptr = ERR60;          /* Verb not recognized */
       goto FAILED;
       }
+      
+    /* Initialization for "real" parentheses */


+    newoptions = options;
+    skipbytes = 0;
+    bravalue = OP_CBRA;
+    save_hwm_offset = cb->hwm - cb->start_workspace;
+    reset_bracount = FALSE;
+
     /* Deal with the extended parentheses; all are introduced by '?', and the
     appearance of any of them means that this is not a capturing group. */


-    else if (*ptr == CHAR_QUESTION_MARK)
+    if (*ptr == CHAR_QUESTION_MARK)
       {
       int i, set, unset, namelen;
       int *optset;
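Review bot: Turning `else if (*ptr == CHAR_QUESTION_MARK)` into a plain `if` after the relocated initialization is only equivalent if every path through the preceding '*'-verb block leaves this case via `continue` or `goto FAILED`; the recognized-verb exit lies outside this hunk, so that is worth confirming, and a comment such as `/* The verb block above never falls through to this point. */` placed before the initialization would record the assumption. The added blank line above `/* Initialization for "real" parentheses */` carries trailing whitespace. The enclosing case body continues outside the hunk.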
@@ -5166,17 +5184,6 @@


       switch (*(++ptr))
         {
-        case CHAR_NUMBER_SIGN:                 /* Comment; skip to ket */
-        ptr++;
-        while (ptr < cb->end_pattern && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
-        if (*ptr != CHAR_RIGHT_PARENTHESIS)
-          {
-          *errorcodeptr = ERR18;
-          goto FAILED;
-          }
-        continue;
-
-
         /* ------------------------------------------------------------ */
         case CHAR_VERTICAL_LINE:  /* Reset capture count for each branch */
         reset_bracount = TRUE;
@@ -5188,7 +5195,6 @@
         ptr++;
         break;


-
         /* ------------------------------------------------------------ */
         case CHAR_LEFT_PARENTHESIS:
         bravalue = OP_COND;       /* Conditional group */


Modified: code/trunk/testdata/testinput1
===================================================================
--- code/trunk/testdata/testinput1    2015-03-27 17:45:02 UTC (rev 234)
+++ code/trunk/testdata/testinput1    2015-03-29 11:15:32 UTC (rev 235)
@@ -5712,4 +5712,7 @@


"Z*(|d*){216}"

+"(?1)(?#?'){8}(a)"
+    baaaaaaaaac
+
 # End of testinput1 


Modified: code/trunk/testdata/testinput8
===================================================================
--- code/trunk/testdata/testinput8    2015-03-27 17:45:02 UTC (rev 234)
+++ code/trunk/testdata/testinput8    2015-03-29 11:15:32 UTC (rev 235)
@@ -140,4 +140,6 @@


/((?+1)(\1))/

+"(?1)(?#?'){2}(a)"
+
# End of testinput8

Modified: code/trunk/testdata/testoutput1
===================================================================
--- code/trunk/testdata/testoutput1    2015-03-27 17:45:02 UTC (rev 234)
+++ code/trunk/testdata/testoutput1    2015-03-29 11:15:32 UTC (rev 235)
@@ -9422,4 +9422,9 @@


"Z*(|d*){216}"

+"(?1)(?#?'){8}(a)"
+    baaaaaaaaac
+ 0: aaaaaaaaa
+ 1: a
+
 # End of testinput1 


Modified: code/trunk/testdata/testoutput8-16
===================================================================
--- code/trunk/testdata/testoutput8-16    2015-03-27 17:45:02 UTC (rev 234)
+++ code/trunk/testdata/testoutput8-16    2015-03-29 11:15:32 UTC (rev 235)
@@ -754,4 +754,20 @@
  22     End
 ------------------------------------------------------------------


+"(?1)(?#?'){2}(a)"
+------------------------------------------------------------------
+  0  21 Bra
+  2   4 Once
+  4  14 Recurse
+  6   4 Ket
+  8   4 Once
+ 10  14 Recurse
+ 12   4 Ket
+ 14   5 CBra 1
+ 17     a
+ 19   5 Ket
+ 21  21 Ket
+ 23     End
+------------------------------------------------------------------
+
 # End of testinput8


Modified: code/trunk/testdata/testoutput8-32
===================================================================
--- code/trunk/testdata/testoutput8-32    2015-03-27 17:45:02 UTC (rev 234)
+++ code/trunk/testdata/testoutput8-32    2015-03-29 11:15:32 UTC (rev 235)
@@ -754,4 +754,20 @@
  22     End
 ------------------------------------------------------------------


+"(?1)(?#?'){2}(a)"
+------------------------------------------------------------------
+  0  21 Bra
+  2   4 Once
+  4  14 Recurse
+  6   4 Ket
+  8   4 Once
+ 10  14 Recurse
+ 12   4 Ket
+ 14   5 CBra 1
+ 17     a
+ 19   5 Ket
+ 21  21 Ket
+ 23     End
+------------------------------------------------------------------
+
 # End of testinput8


Modified: code/trunk/testdata/testoutput8-8
===================================================================
--- code/trunk/testdata/testoutput8-8    2015-03-27 17:45:02 UTC (rev 234)
+++ code/trunk/testdata/testoutput8-8    2015-03-29 11:15:32 UTC (rev 235)
@@ -754,4 +754,20 @@
  34     End
 ------------------------------------------------------------------


+"(?1)(?#?'){2}(a)"
+------------------------------------------------------------------
+  0  31 Bra
+  3   6 Once
+  6  21 Recurse
+  9   6 Ket
+ 12   6 Once
+ 15  21 Recurse
+ 18   6 Ket
+ 21   7 CBra 1
+ 26     a
+ 28   7 Ket
+ 31  31 Ket
+ 34     End
+------------------------------------------------------------------
+
 # End of testinput8