[Pcre-svn] [1558] code/trunk: Fix buffer overflow for named …

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1558] code/trunk: Fix buffer overflow for named recursive back reference when the name is
Revision: 1558
          http://vcs.pcre.org/viewvc?view=rev&revision=1558
Author:   ph10
Date:     2015-05-15 18:17:03 +0100 (Fri, 15 May 2015)
Log Message:
-----------
Fix buffer overflow for named recursive back reference when the name is 
duplicated.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-05-08 16:39:40 UTC (rev 1557)
+++ code/trunk/ChangeLog    2015-05-15 17:17:03 UTC (rev 1558)
@@ -18,6 +18,10 @@
 3.  A repeated conditional group whose condition was a reference by name caused
     a buffer overflow if there was more than one group with the given name.
     This bug was discovered by the LLVM fuzzer.
+    
+4.  A recursive back reference by name within a group that had the same name as
+    another group caused a buffer overflow. For example:
+    /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.



Version 8.37 28-April-2015

Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c    2015-05-08 16:39:40 UTC (rev 1557)
+++ code/trunk/pcre_compile.c    2015-05-15 17:17:03 UTC (rev 1558)
@@ -7177,14 +7177,26 @@
           number. If the name is not found, set the value to 0 for a forward
           reference. */


+          recno = 0;
           ng = cd->named_groups;
           for (i = 0; i < cd->names_found; i++, ng++)
             {
             if (namelen == ng->length &&
                 STRNCMP_UC_UC(name, ng->name, namelen) == 0)
-              break;
+              {
+              open_capitem *oc;
+              recno = ng->number;
+              if (is_recurse) break;
+              for (oc = cd->open_caps; oc != NULL; oc = oc->next)         
+                {          
+                if (oc->number == recno)                                     
+                  {               
+                  oc->flag = TRUE;                                      
+                  break;
+                  }                                                         
+                }                          
+              }    
             }
-          recno = (i < cd->names_found)? ng->number : 0;


           /* Count named back references. */



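Review bot: The comment above the loop ("If the name is not found, set the value to 0 for a forward reference") no longer describes what the loop does. For a non-recursive reference the loop now continues past the first match, so recno ends up as the number of the last group carrying the name, and each open group whose number matches one of the duplicates gets oc->flag = TRUE; a recursion (is_recurse) still stops at the first match and sets no flag. Please extend the comment to state why the two cases differ and that the last duplicate wins for recno, otherwise the next reader will take the dropped `break` for an accident. Minor: the added lines from `for (oc = cd->open_caps; oc != NULL; oc = oc->next)` down to the closing `}` carry trailing whitespace.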
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-05-08 16:39:40 UTC (rev 1557)
+++ code/trunk/testdata/testinput2    2015-05-15 17:17:03 UTC (rev 1558)
@@ -4166,4 +4166,6 @@


/(((?(R)){0,2}) (?''((?'X')((?'R')))))/

+"(?J)(?'d'(?'d'\g{d}))"
+
/-- End of testinput2 --/

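Review bot: The new test supplies only the pattern and no subject lines, so it verifies that compiling "(?J)(?'d'(?'d'\g{d}))" no longer overflows but says nothing about how the compiled pattern behaves. Since the fix changes which group number recno receives when a name is duplicated, consider adding one or two subject lines so that the expected output in testoutput2 pins down the matching behaviour as well as the absence of a crash.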
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-05-08 16:39:40 UTC (rev 1557)
+++ code/trunk/testdata/testoutput2    2015-05-15 17:17:03 UTC (rev 1558)
@@ -14454,4 +14454,6 @@


/(((?(R)){0,2}) (?''((?'X')((?'R')))))/

+"(?J)(?'d'(?'d'\g{d}))"
+
/-- End of testinput2 --/