[Pcre-svn] [264] code/trunk: Fix repeated condition check by…

Author: Subversion repository
Date:
To: pcre-svn
Subject: [Pcre-svn] [264] code/trunk: Fix repeated condition check by duplicated name bug.
Revision: 264
          http://www.exim.org/viewvc/pcre2?view=rev&revision=264
Author:   ph10
Date:     2015-05-08 17:32:28 +0100 (Fri, 08 May 2015)
Log Message:
-----------
Fix repeated condition check by duplicated name bug.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-05-06 16:51:25 UTC (rev 263)
+++ code/trunk/ChangeLog    2015-05-08 16:32:28 UTC (rev 264)
@@ -111,7 +111,11 @@
 For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/. This bug was
 discovered by the LLVM fuzzer.


+28. A repeated conditional group whose condition was a reference by name caused
+a buffer overflow if there was more than one group with the given name. This
+bug was discovered by the LLVM fuzzer.

+
Version 10.10 06-March-2015
---------------------------
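Review bot: Entry 28 names the symptom (a buffer overflow) but not the cause; suggest one clause tying it to the code change, e.g. "because the extra IMM2_SIZE for a reference to a duplicated name was added to *lengthptr rather than to skipunits", so a reader of the ChangeLog can find the corresponding hunk in pcre2_compile.c.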


Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c    2015-05-06 16:51:25 UTC (rev 263)
+++ code/trunk/src/pcre2_compile.c    2015-05-08 16:32:28 UTC (rev 264)
@@ -5425,7 +5425,8 @@
         the referenced name is one of a number of duplicates, a different
         opcode is used and it needs more memory. Unfortunately we cannot tell
         whether this is the case in the first pass, so we have to allow for
-        more memory always. */
+        more memory always. In the second pass, the additional to skipunits
+        happens later. */


         else
           {
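Review bot: The added comment text "the additional to skipunits happens later" reads as a typo for "the addition to skipunits happens later"; suggest correcting it so the sentence explains that the second pass adds the extra units at the later point where the opcode is chosen.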
@@ -5445,7 +5446,7 @@
             ptr++;
             }
           namelen = (int)(ptr - name);
-          if (lengthptr != NULL) *lengthptr += IMM2_SIZE;
+          if (lengthptr != NULL) skipunits += IMM2_SIZE;
           }


         /* Check the terminator */
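Review bot: The guard `if (lengthptr != NULL)` still limits the increment to the first pass, which matches the new comment in the previous hunk, but `skipunits` is neither declared nor reset anywhere in the visible lines; confirm it is initialised on every iteration before this point and that the second-pass site the comment refers to adds the same IMM2_SIZE, otherwise the two passes will still compute different lengths for the repeated group.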
@@ -8010,8 +8011,6 @@
 error, errorcode will be set non-zero, so we don't need to look at the result
 of the function here. */


-/* fprintf(stderr, "+++\n\nPASS TWO\n"); */
-
 ptr = pattern + skipatstart;
 code = (PCRE2_UCHAR *)codestart;
 *code = OP_BRA;
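Review bot: This hunk and the next only delete commented-out `fprintf(stderr, ...)` debug traces, which is unrelated cleanup in a bug-fix commit; it is harmless, but the log message should mention it so that anyone bisecting this revision does not look for a behavioural reason behind the change.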
@@ -8068,9 +8067,6 @@
     cb.hwm -= LINK_SIZE;
     offset = GET(cb.hwm, 0);
     recno = GET(codestart, offset);
-
-/* fprintf(stderr, "+++offset=%d recno=%d\n", offset, recno); */
-
     if (recno != prev_recno)
       {
       groupptr = PRIV(find_bracket)(codestart, utf, recno);


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-05-06 16:51:25 UTC (rev 263)
+++ code/trunk/testdata/testinput2    2015-05-08 16:32:28 UTC (rev 264)
@@ -4298,4 +4298,12 @@


/\V\x85\9*+((?2)\3++()2)*:2/

+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/dupnames
+
+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/dupnames
+
+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
+/$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?''8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?''))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/
+
# End of testinput2
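Review bot: The three short patterns already isolate the case (duplicate name R with /dupnames, duplicate name X with /dupnames, and the same shape without /dupnames as a control), while the fourth is the raw fuzzer input and gives no hint of what it exercises; since this file supports `#` comment lines, suggest a comment such as "# Original fuzzer case for ChangeLog 10.20/28" above it so the reduced and unreduced cases are visibly linked.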

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-05-06 16:51:25 UTC (rev 263)
+++ code/trunk/testdata/testoutput2    2015-05-08 16:32:28 UTC (rev 264)
@@ -14397,4 +14397,12 @@
 /\V\x85\9*+((?2)\3++()2)*:2/
 Failed: error 115 at offset 26: reference to non-existent subpattern


+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/dupnames
+
+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/dupnames
+
+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
+/$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?''8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?''))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/
+
# End of testinput2
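Review bot: The expected output echoes each new pattern with no "Failed:" line (contrast the preceding test at offset 26), so these cases only assert that compilation now completes; given that the ChangeLog entry describes a repeated conditional group, consider adding a subject line for at least the first pattern so the match path over the duplicate-name condition is exercised as well as the compile path.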