[Pcre-svn] [266] code/trunk: Fix forward reference by name t…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [266] code/trunk: Fix forward reference by name to duplicate group number bug.
Revision: 266
          http://www.exim.org/viewvc/pcre2?view=rev&revision=266
Author:   ph10
Date:     2015-05-16 12:01:48 +0100 (Sat, 16 May 2015)
Log Message:
-----------
Fix forward reference by name to duplicate group number bug.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_compile.c
    code/trunk/testdata/testinput1
    code/trunk/testdata/testoutput1


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-05-15 17:09:01 UTC (rev 265)
+++ code/trunk/ChangeLog    2015-05-16 11:01:48 UTC (rev 266)
@@ -119,7 +119,11 @@
 another group caused a buffer overflow. For example: /(?J)(?'d'(?'d'\g{d}))/.
 This bug was discovered by the LLVM fuzzer.


+30. A forward reference by name to a group whose number is the same as the
+current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused a
+buffer overflow at compile time. This bug was discovered by the LLVM fuzzer.

+
Version 10.10 06-March-2015
---------------------------


Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c    2015-05-15 17:09:01 UTC (rev 265)
+++ code/trunk/src/pcre2_compile.c    2015-05-16 11:01:48 UTC (rev 266)
@@ -5984,6 +5984,14 @@
           not be set at the point of reference. */


           *lengthptr += IMM2_SIZE;
+          
+          /* If this is a forward reference and we are within a (?|...) group,
+          the reference may end up as the number of a group which we are 
+          currently inside, that is, it could be a recursive reference. In the 
+          real compile this will be picked up and the reference wrapped with 
+          OP_ONCE to make it atomic, so we must space in case this occurs. */ 
+          
+          if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
           }


         /* In the real compile, search the name table. We check the name
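Review bot: the last sentence of the new comment drops a word ("so we must space in case this occurs" should read "so we must allow space in case this occurs"), and the added lines carry trailing whitespace (the two blank lines and the ends of the "currently inside" and "OP_ONCE" lines). It would also help to say what the 2 + 2*LINK_SIZE reserved when recno == 0 stands for, so the length-pass estimate can be checked against the real compile; from the comment it is presumably the OP_ONCE wrapper and its closing bracket, each an opcode plus a LINK_SIZE offset, and stating that inline, e.g. `/* OP_ONCE + link, closing KET + link */`, ties the number to the code path it must cover.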


Modified: code/trunk/testdata/testinput1
===================================================================
--- code/trunk/testdata/testinput1    2015-05-15 17:09:01 UTC (rev 265)
+++ code/trunk/testdata/testinput1    2015-05-16 11:01:48 UTC (rev 266)
@@ -5724,4 +5724,7 @@
 /(?1)()((((((\1++))\x85)+)|))/
     \x85\x85


+"(?|(\k'Pm')|(?'Pm'))"
+    abcd
+
 # End of testinput1 
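Review bot: the new test carries no hint of what it regresses; "(?|(\k'Pm')|(?'Pm'))" reads as an arbitrary pattern, so a one-line comment above it naming the ChangeLog item 30 case (a forward reference by name, inside a (?|...) group, to the number of the group it sits in) would help whoever next touches the test files. Worth noting in that comment as well that the subject "abcd" is deliberate: the expected result is the empty match from the (?'Pm') alternative, and the point of the test is that compiling the pattern no longer overflows.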


Modified: code/trunk/testdata/testoutput1
===================================================================
--- code/trunk/testdata/testoutput1    2015-05-15 17:09:01 UTC (rev 265)
+++ code/trunk/testdata/testoutput1    2015-05-16 11:01:48 UTC (rev 266)
@@ -9458,4 +9458,9 @@
  6: 
  7: 


+"(?|(\k'Pm')|(?'Pm'))"
+    abcd
+ 0: 
+ 1: 
+
 # End of testinput1