Revision: 266
http://www.exim.org/viewvc/pcre2?view=rev&revision=266
Author: ph10
Date: 2015-05-16 12:01:48 +0100 (Sat, 16 May 2015)
Log Message:
-----------
Fix forward reference by name to duplicate group number bug.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_compile.c
code/trunk/testdata/testinput1
code/trunk/testdata/testoutput1
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-05-15 17:09:01 UTC (rev 265)
+++ code/trunk/ChangeLog 2015-05-16 11:01:48 UTC (rev 266)
@@ -119,7 +119,11 @@
another group caused a buffer overflow. For example: /(?J)(?'d'(?'d'\g{d}))/.
This bug was discovered by the LLVM fuzzer.
+30. A forward reference by name to a group whose number is the same as the
+current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused a
+buffer overflow at compile time. This bug was discovered by the LLVM fuzzer.
+
Version 10.10 06-March-2015
---------------------------
Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c 2015-05-15 17:09:01 UTC (rev 265)
+++ code/trunk/src/pcre2_compile.c 2015-05-16 11:01:48 UTC (rev 266)
@@ -5984,6 +5984,14 @@
not be set at the point of reference. */
*lengthptr += IMM2_SIZE;
+
+ /* If this is a forward reference and we are within a (?|...) group,
+ the reference may end up as the number of a group which we are
+ currently inside, that is, it could be a recursive reference. In the
+ real compile this will be picked up and the reference wrapped with
+ OP_ONCE to make it atomic, so we must space in case this occurs. */
+
+ if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
}
/* In the real compile, search the name table. We check the name
Modified: code/trunk/testdata/testinput1
===================================================================
--- code/trunk/testdata/testinput1 2015-05-15 17:09:01 UTC (rev 265)
+++ code/trunk/testdata/testinput1 2015-05-16 11:01:48 UTC (rev 266)
@@ -5724,4 +5724,7 @@
/(?1)()((((((\1++))\x85)+)|))/
\x85\x85
+"(?|(\k'Pm')|(?'Pm'))"
+ abcd
+
# End of testinput1
Modified: code/trunk/testdata/testoutput1
===================================================================
--- code/trunk/testdata/testoutput1 2015-05-15 17:09:01 UTC (rev 265)
+++ code/trunk/testdata/testoutput1 2015-05-16 11:01:48 UTC (rev 266)
@@ -9458,4 +9458,9 @@
6:
7:
+"(?|(\k'Pm')|(?'Pm'))"
+ abcd
+ 0:
+ 1:
+
# End of testinput1