Revision: 1538
http://vcs.pcre.org/viewvc?view=rev&revision=1538
Author: ph10
Date: 2015-03-29 12:22:24 +0100 (Sun, 29 Mar 2015)
Log Message:
-----------
Fix a bug where a parenthesized comment between a subroutine call and its quantifier was mis-compiled.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_compile.c
code/trunk/testdata/testinput1
code/trunk/testdata/testoutput1
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-03-27 17:48:28 UTC (rev 1537)
+++ code/trunk/ChangeLog 2015-03-29 11:22:24 UTC (rev 1538)
@@ -127,7 +127,12 @@
other kinds of group caused stack overflow at compile time. This bug was
discovered by the LLVM fuzzer.
+32. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
+ between a subroutine call and its quantifier was incorrectly compiled,
+ leading to buffer overflow or other errors. This bug was discovered by the
+ LLVM fuzzer.
+
Version 8.36 26-September-2014
------------------------------
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c 2015-03-27 17:48:28 UTC (rev 1537)
+++ code/trunk/pcre_compile.c 2015-03-29 11:22:24 UTC (rev 1538)
@@ -6472,15 +6472,25 @@
parenthesis forms. */
case CHAR_LEFT_PARENTHESIS:
- newoptions = options;
- skipbytes = 0;
- bravalue = OP_CBRA;
- save_hwm_offset = cd->hwm - cd->start_workspace;
- reset_bracount = FALSE;
+ ptr++;
- /* First deal with various "verbs" that can be introduced by '*'. */
+ /* First deal with comments. Putting this code right at the start ensures
+ that comments have no bad side effects. */
+
+ if (ptr[0] == CHAR_QUESTION_MARK && ptr[1] == CHAR_NUMBER_SIGN)
+ {
+ ptr += 2;
+ while (*ptr != CHAR_NULL && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
+ if (*ptr == CHAR_NULL)
+ {
+ *errorcodeptr = ERR18;
+ goto FAILED;
+ }
+ continue;
+ }
- ptr++;
+ /* Now deal with various "verbs" that can be introduced by '*'. */
+
if (ptr[0] == CHAR_ASTERISK && (ptr[1] == ':'
|| (MAX_255(ptr[1]) && ((cd->ctypes[ptr[1]] & ctype_letter) != 0))))
{
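Review bot: The fix relies on ordering alone — the comment skip now runs before `save_hwm_offset`, `bravalue` and the other per-group state are assigned (the assignments removed here reappear later in the same function), but nothing in the code says why, so a future tidy-up that hoists those initialisations back above the `(?#` check would silently reintroduce the overflow described in the ChangeLog. The comment "ensures that comments have no bad side effects" should name the invariant it protects, e.g. `/* Skip comments before any per-group state (save_hwm_offset, bravalue, and presumably 'previous') is touched, so that a quantifier following the comment still applies to the preceding item and sees that item's saved forward-reference high-water mark. */`. The scan to `CHAR_RIGHT_PARENTHESIS` stops on `CHAR_NULL` and reports ERR18, which is consistent with the rest of the compiler treating the pattern as NUL-terminated; that assumption is inherited, not introduced here. The enclosing `switch` and the compile loop that the `continue` returns to both lie outside this hunk.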
@@ -6601,10 +6611,18 @@
goto FAILED;
}
+ /* Initialize for "real" parentheses */
+
+ newoptions = options;
+ skipbytes = 0;
+ bravalue = OP_CBRA;
+ save_hwm_offset = cd->hwm - cd->start_workspace;
+ reset_bracount = FALSE;
+
/* Deal with the extended parentheses; all are introduced by '?', and the
appearance of any of them means that this is not a capturing group. */
- else if (*ptr == CHAR_QUESTION_MARK)
+ if (*ptr == CHAR_QUESTION_MARK)
{
int i, set, unset, namelen;
int *optset;
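Review bot: Turning `else if` into a plain `if` is only safe because the preceding verb block never falls through — its tail is the `goto FAILED;` visible at the top of this hunk, and its success path is presumably a `continue` outside the hunk — so the "real parentheses" initialisation runs exactly once for non-comment, non-verb groups; that precondition deserves to be written down next to the new block. Suggested wording for the comment: `/* Only reached for real parentheses: comments and (*VERB)s above have already left this iteration via continue or goto FAILED, so this state is never clobbered by them. */`. The surrounding function starts before and ends after this hunk.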
@@ -6613,17 +6631,6 @@
switch (*(++ptr))
{
- case CHAR_NUMBER_SIGN: /* Comment; skip to ket */
- ptr++;
- while (*ptr != CHAR_NULL && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
- if (*ptr == CHAR_NULL)
- {
- *errorcodeptr = ERR18;
- goto FAILED;
- }
- continue;
-
-
/* ------------------------------------------------------------ */
case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */
reset_bracount = TRUE;
Modified: code/trunk/testdata/testinput1
===================================================================
--- code/trunk/testdata/testinput1 2015-03-27 17:48:28 UTC (rev 1537)
+++ code/trunk/testdata/testinput1 2015-03-29 11:22:24 UTC (rev 1538)
@@ -5727,4 +5727,7 @@
"Z*(|d*){216}"
+"(?1)(?#?'){8}(a)"
+ baaaaaaaaac
+
/-- End of testinput1 --/
Modified: code/trunk/testdata/testoutput1
===================================================================
--- code/trunk/testdata/testoutput1 2015-03-27 17:48:28 UTC (rev 1537)
+++ code/trunk/testdata/testoutput1 2015-03-29 11:22:24 UTC (rev 1538)
@@ -9424,4 +9424,9 @@
"Z*(|d*){216}"
+"(?1)(?#?'){8}(a)"
+ baaaaaaaaac
+ 0: aaaaaaaaa
+ 1: a
+
/-- End of testinput1 --/