Revision: 1557
http://vcs.pcre.org/viewvc?view=rev&revision=1557
Author: ph10
Date: 2015-05-08 17:39:40 +0100 (Fri, 08 May 2015)
Log Message:
-----------
Fix buffer overflow for repeated conditional when referencing a duplicate name.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_compile.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-05-07 16:31:58 UTC (rev 1556)
+++ code/trunk/ChangeLog 2015-05-08 16:39:40 UTC (rev 1557)
@@ -14,8 +14,12 @@
incorrect code to be compiled when recursive forward references were
involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
This bug was discovered by the LLVM fuzzer.
+
+3. A repeated conditional group whose condition was a reference by name caused
+ a buffer overflow if there was more than one group with the given name.
+ This bug was discovered by the LLVM fuzzer.
+
-
Version 8.37 28-April-2015
--------------------------
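Review bot: the new entry 3 says what triggers the overflow but not where it happens; since the only code change is in pcre_compile.c, stating that the overflow occurs during pattern compilation would tell users who compile patterns from untrusted input that they are affected even if the pattern is never matched. It would also help to note that the regression patterns were added to testinput2/testoutput2, as the entry stands on its own in the ChangeLog.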
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c 2015-05-07 16:31:58 UTC (rev 1556)
+++ code/trunk/pcre_compile.c 2015-05-08 16:39:40 UTC (rev 1557)
@@ -6773,7 +6773,7 @@
ptr++;
}
namelen = (int)(ptr - name);
- if (lengthptr != NULL) *lengthptr += IMM2_SIZE;
+ if (lengthptr != NULL) skipbytes += IMM2_SIZE;
}
/* Check the terminator */
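Review bot: the one-line change from `*lengthptr += IMM2_SIZE` to `skipbytes += IMM2_SIZE` carries no comment, and the hunk does not show where skipbytes is later consumed, so the reason the fix works cannot be confirmed from this diff alone. Presumably the extra IMM2_SIZE for a by-name reference with duplicate names must be counted as part of the conditional group itself, so that a repeated group's length estimate includes it for every repetition rather than being added once to the overall length; a short comment on this line stating that would make the fix reviewable without reading the whole function and would stop a future cleanup from moving it back.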
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-05-07 16:31:58 UTC (rev 1556)
+++ code/trunk/testdata/testinput2 2015-05-08 16:39:40 UTC (rev 1557)
@@ -4160,4 +4160,10 @@
/\V\x85\9*+((?2)\3++()2)*:2/
+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
+
+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
+
+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
/-- End of testinput2 --/
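Review bot: the three new patterns have no explanatory comment, although the file already uses `/-- ... --/` comment lines (see the end-of-file marker). The first two use /J to permit the duplicate names R and X that the fix targets, while the third has distinct names and no /J and so acts as a non-duplicate control; a one-line `/-- ... --/` comment saying so, and that these exercise the repeated-conditional overflow from the log message, would keep the intent from being lost.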
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-05-07 16:31:58 UTC (rev 1556)
+++ code/trunk/testdata/testoutput2 2015-05-08 16:39:40 UTC (rev 1557)
@@ -14448,4 +14448,10 @@
/\V\x85\9*+((?2)\3++()2)*:2/
Failed: reference to non-existent subpattern at offset 26
+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
+
+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
+
+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
/-- End of testinput2 --/
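Review bot: the expected output for all three patterns is just the pattern echoed back with no subject lines, so the regression test only checks that compilation completes without an error message; it does not by itself detect a silent heap overwrite unless the test run is done under a memory checker. Adding a subject line (even an empty one) with its expected match or no-match result would at least confirm that the compiled code for the repeated group is well-formed, rather than relying solely on the absence of a crash.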