[Pcre-svn] [1557] code/trunk: Fix buffer overflow for repeat…

Author: Subversion repository
Date:
To: pcre-svn
Subject: [Pcre-svn] [1557] code/trunk: Fix buffer overflow for repeated conditional when referencing a duplicate name.
Revision: 1557
          http://vcs.pcre.org/viewvc?view=rev&revision=1557
Author:   ph10
Date:     2015-05-08 17:39:40 +0100 (Fri, 08 May 2015)
Log Message:
-----------
Fix buffer overflow for repeated conditional when referencing a duplicate name.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-05-07 16:31:58 UTC (rev 1556)
+++ code/trunk/ChangeLog    2015-05-08 16:39:40 UTC (rev 1557)
@@ -14,8 +14,12 @@
     incorrect code to be compiled when recursive forward references were
     involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
     This bug was discovered by the LLVM fuzzer.
+    
+3.  A repeated conditional group whose condition was a reference by name caused
+    a buffer overflow if there was more than one group with the given name.
+    This bug was discovered by the LLVM fuzzer.
+ 


-
Version 8.37 28-April-2015
--------------------------
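Review bot: the two added separator lines around the new entry 3 (the `+    ` line before it and the `+ ` line after it) carry trailing whitespace; make them plain empty lines like the other entry separators in ChangeLog. The entry text would also help readers more if it said where the overflow happens: the only source change in this revision is in pcre_compile.c, so "caused a buffer overflow at compile time" is more precise than "caused a buffer overflow", which leaves open whether matching is affected.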


Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c    2015-05-07 16:31:58 UTC (rev 1556)
+++ code/trunk/pcre_compile.c    2015-05-08 16:39:40 UTC (rev 1557)
@@ -6773,7 +6773,7 @@
             ptr++;
             }
           namelen = (int)(ptr - name);
-          if (lengthptr != NULL) *lengthptr += IMM2_SIZE;
+          if (lengthptr != NULL) skipbytes += IMM2_SIZE;
           }


         /* Check the terminator */
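Review bot: the change from `*lengthptr += IMM2_SIZE` to `skipbytes += IMM2_SIZE` has no comment saying why the IMM2_SIZE for a name-referenced condition must be routed through skipbytes instead of being added to *lengthptr directly, and the hunk does not show where skipbytes is consumed, so a reader cannot see how this connects to the repeated-group and duplicate-name case the ChangeLog describes. Add a short comment at this line stating the reason (that the extra bytes have to be counted as part of the group's own length so that a repeat of the group accounts for them, if that is the intent), and check that the other places in this block that add to *lengthptr for a condition are consistent with the new accounting, since a mismatch between the length pre-pass and the real compile is exactly what produced the overflow.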


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-05-07 16:31:58 UTC (rev 1556)
+++ code/trunk/testdata/testinput2    2015-05-08 16:39:40 UTC (rev 1557)
@@ -4160,4 +4160,10 @@


/\V\x85\9*+((?2)\3++()2)*:2/

+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
+
+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
+
+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
/-- End of testinput2 --/
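Review bot: the three new patterns have no subject lines, so they exercise only compilation; that is the right place for this regression (the fix is in pcre_compile.c), but the purpose of the third pattern, which has no /J and uses the distinct names X and R, is not stated. If it is the control case where the referenced name is not duplicated, say so with a comment line in the file's own style, like the `/-- End of testinput2 --/` marker, so the next person editing these tests does not drop it as redundant.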

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-05-07 16:31:58 UTC (rev 1556)
+++ code/trunk/testdata/testoutput2    2015-05-08 16:39:40 UTC (rev 1557)
@@ -14448,4 +14448,10 @@
 /\V\x85\9*+((?2)\3++()2)*:2/
 Failed: reference to non-existent subpattern at offset 26


+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
+
+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
+
+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
/-- End of testinput2 --/
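Review bot: the expected output for the three added patterns is just the echoed pattern line, so the test only checks that compilation finishes without an error message; an overflow that does not crash or alter the output would pass this comparison unchanged on the unfixed code. Since the ChangeLog says the bug was found by the LLVM fuzzer, the useful confirmation is to run these three cases under the same sanitizer (or valgrind) before and after the pcre_compile.c change and record that the overflow report disappears; the output diff alone does not demonstrate the fix.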