Revision: 1540
http://vcs.pcre.org/viewvc?view=rev&revision=1540
Author: ph10
Date: 2015-03-29 18:41:16 +0100 (Sun, 29 Mar 2015)
Log Message:
-----------
Fix possessive quantifier after group containing subroutine call.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_compile.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-03-29 15:44:40 UTC (rev 1539)
+++ code/trunk/ChangeLog 2015-03-29 17:41:16 UTC (rev 1540)
@@ -137,7 +137,12 @@
(?(?< for the ! or = that would indicate a lookbehind assertion. This bug
was discovered by the LLVM fuzzer.
+34. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
+ a fixed maximum following a group that contains a subroutine reference was
+ incorrectly compiled and could trigger buffer overflow. This bug was
+ discovered by the LLVM fuzzer.
+
Version 8.36 26-September-2014
------------------------------
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c 2015-03-29 15:44:40 UTC (rev 1539)
+++ code/trunk/pcre_compile.c 2015-03-29 17:41:16 UTC (rev 1540)
@@ -5924,6 +5924,7 @@
{
register int i;
int len = (int)(code - previous);
+ size_t base_hwm_offset = save_hwm_offset;
pcre_uchar *bralink = NULL;
pcre_uchar *brazeroptr = NULL;
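Review bot: The new `base_hwm_offset` carries no comment explaining why it exists next to `save_hwm_offset`, and that distinction is the entire fix: the copy loops in the later hunks (at 6071 and 6152) now advance `base_hwm_offset` instead of overwriting `save_hwm_offset`, which the ChangeLog entry implies is still needed once the repeat has been compiled, presumably by the possessive-quantifier path. Suggest on the declaration: `/* Start of the forward-reference entries still to be copied for this repeat; advanced per copy so that save_hwm_offset stays valid for use after the repeat. */`. The enclosing function starts before this hunk and the later reader of `save_hwm_offset` is not visible here, so the wording of that later use should be confirmed against the rest of the function.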
@@ -6070,20 +6071,20 @@
while (cd->hwm > cd->start_workspace + cd->workspace_size -
WORK_SIZE_SAFETY_MARGIN -
- (this_hwm_offset - save_hwm_offset))
+ (this_hwm_offset - base_hwm_offset))
{
*errorcodeptr = expand_workspace(cd);
if (*errorcodeptr != 0) goto FAILED;
}
- for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset;
+ for (hc = (pcre_uchar *)cd->start_workspace + base_hwm_offset;
hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
hc += LINK_SIZE)
{
PUT(cd->hwm, 0, GET(hc, 0) + len);
cd->hwm += LINK_SIZE;
}
- save_hwm_offset = this_hwm_offset;
+ base_hwm_offset = this_hwm_offset;
code += len;
}
}
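Review bot: `this_hwm_offset - base_hwm_offset` in the while condition is a `size_t` difference subtracted from a pointer, so if `base_hwm_offset` were ever larger than `this_hwm_offset` the value wraps and the workspace bound check becomes meaningless, which is exactly the class of overflow the ChangeLog says this area could trigger. The assignment of `this_hwm_offset` is outside the hunk, so the ordering may hold by construction; if it does, a one-line `/* this_hwm_offset >= base_hwm_offset is guaranteed because both are taken from cd->hwm, which only grows */` at the while would make the invariant visible, otherwise an explicit check before the subtraction belongs here. The identical expression appears in the hunk at 6152 and should get the same treatment.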
@@ -6151,20 +6152,20 @@
while (cd->hwm > cd->start_workspace + cd->workspace_size -
WORK_SIZE_SAFETY_MARGIN -
- (this_hwm_offset - save_hwm_offset))
+ (this_hwm_offset - base_hwm_offset))
{
*errorcodeptr = expand_workspace(cd);
if (*errorcodeptr != 0) goto FAILED;
}
- for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset;
+ for (hc = (pcre_uchar *)cd->start_workspace + base_hwm_offset;
hc < (pcre_uchar *)cd->start_workspace + this_hwm_offset;
hc += LINK_SIZE)
{
PUT(cd->hwm, 0, GET(hc, 0) + len + ((i != 0)? 2+LINK_SIZE : 1));
cd->hwm += LINK_SIZE;
}
- save_hwm_offset = this_hwm_offset;
+ base_hwm_offset = this_hwm_offset;
code += len;
}
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-03-29 15:44:40 UTC (rev 1539)
+++ code/trunk/testdata/testinput2 2015-03-29 17:41:16 UTC (rev 1540)
@@ -4138,4 +4138,8 @@
"(?(?<E>.*!.*)?)"
+"X((?2)()*+){2}+"BZ
+
+"X((?2)()*+){2}"BZ
+
/-- End of testinput2 --/
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-03-29 15:44:40 UTC (rev 1539)
+++ code/trunk/testdata/testoutput2 2015-03-29 17:41:16 UTC (rev 1540)
@@ -14348,4 +14348,46 @@
"(?(?<E>.*!.*)?)"
Failed: assertion expected after (?( at offset 3
+"X((?2)()*+){2}+"BZ
+------------------------------------------------------------------
+ Bra
+ X
+ Once
+ CBra 1
+ Recurse
+ Braposzero
+ SCBraPos 2
+ KetRpos
+ Ket
+ CBra 1
+ Recurse
+ Braposzero
+ SCBraPos 2
+ KetRpos
+ Ket
+ Ket
+ Ket
+ End
+------------------------------------------------------------------
+
+"X((?2)()*+){2}"BZ
+------------------------------------------------------------------
+ Bra
+ X
+ CBra 1
+ Recurse
+ Braposzero
+ SCBraPos 2
+ KetRpos
+ Ket
+ CBra 1
+ Recurse
+ Braposzero
+ SCBraPos 2
+ KetRpos
+ Ket
+ Ket
+ End
+------------------------------------------------------------------
+
/-- End of testinput2 --/