Revision: 1559
http://vcs.pcre.org/viewvc?view=rev&revision=1559
Author: ph10
Date: 2015-05-16 12:05:40 +0100 (Sat, 16 May 2015)
Log Message:
-----------
Fix named forward reference to duplicate group number overflow bug.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_compile.c
code/trunk/testdata/testinput1
code/trunk/testdata/testoutput1
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-05-15 17:17:03 UTC (rev 1558)
+++ code/trunk/ChangeLog 2015-05-16 11:05:40 UTC (rev 1559)
@@ -22,6 +22,11 @@
4. A recursive back reference by name within a group that had the same name as
another group caused a buffer overflow. For example:
/(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
+
+30. A forward reference by name to a group whose number is the same as the
+ current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
+ a buffer overflow at compile time. This bug was discovered by the LLVM
+ fuzzer.
Version 8.37 28-April-2015
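Review bot: the new ChangeLog entry (item 30) describes the trigger more loosely than the code comment added in pcre_compile.c. The entry says "a group whose number is the same as the current group", while the code comment ties the condition to being "within a (?|...) group", where alternatives reuse capture numbers; the example pattern /(?|(\k'Pm')|(?'Pm'))/ relies on that. Suggest stating in the entry that the overflow arises for a forward reference by name inside a (?|...) duplicate-number group, so readers of the ChangeLog alone can see why the group number collides.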
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c 2015-05-15 17:17:03 UTC (rev 1558)
+++ code/trunk/pcre_compile.c 2015-05-16 11:05:40 UTC (rev 1559)
@@ -7187,15 +7187,15 @@
open_capitem *oc;
recno = ng->number;
if (is_recurse) break;
- for (oc = cd->open_caps; oc != NULL; oc = oc->next)
- {
- if (oc->number == recno)
- {
- oc->flag = TRUE;
+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+ {
+ if (oc->number == recno)
+ {
+ oc->flag = TRUE;
break;
- }
- }
- }
+ }
+ }
+ }
}
/* Count named back references. */
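Review bot: this hunk is an indentation-only rewrite of the for loop over cd->open_caps; the removed and added lines are identical apart from leading whitespace and there is no functional change. Consider keeping whitespace normalisation out of a bug-fix commit so the substantive change in the following hunk stands alone for review and backporting.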
@@ -7207,6 +7207,14 @@
16-bit data item. */
*lengthptr += IMM2_SIZE;
+
+ /* If this is a forward reference and we are within a (?|...) group,
+ the reference may end up as the number of a group which we are
+ currently inside, that is, it could be a recursive reference. In the
+ real compile this will be picked up and the reference wrapped with
+ OP_ONCE to make it atomic, so we must space in case this occurs. */
+
+ if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
}
/* In the real compile, search the name table. We check the name
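Review bot: the new comment is missing a verb in "so we must space in case this occurs"; it should read "so we must allow space in case this occurs". Two further points worth stating in the comment: that recno == 0 is the signal that the name has not yet been resolved (that is, this is a forward reference), and what the 2 + 2*LINK_SIZE budget corresponds to (the OP_ONCE wrapper the comment mentions plus its closing opcode, each carrying a LINK_SIZE link). Note also that the test does not check whether we are actually inside a (?|...) group, so the extra bytes are reserved for every forward reference; that is the safe direction for a pre-compile length estimate, but the comment should say the over-reservation is deliberate.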
@@ -7579,7 +7587,7 @@
previous = NULL;
cd->iscondassert = FALSE;
}
- else
+ else
{
previous = code;
item_hwm_offset = cd->hwm - cd->start_workspace;
Modified: code/trunk/testdata/testinput1
===================================================================
--- code/trunk/testdata/testinput1 2015-05-15 17:17:03 UTC (rev 1558)
+++ code/trunk/testdata/testinput1 2015-05-16 11:05:40 UTC (rev 1559)
@@ -5730,4 +5730,7 @@
"(?1)(?#?'){8}(a)"
baaaaaaaaac
+"(?|(\k'Pm')|(?'Pm'))"
+ abcd
+
/-- End of testinput1 --/
Modified: code/trunk/testdata/testoutput1
===================================================================
--- code/trunk/testdata/testoutput1 2015-05-15 17:17:03 UTC (rev 1558)
+++ code/trunk/testdata/testoutput1 2015-05-16 11:05:40 UTC (rev 1559)
@@ -9429,4 +9429,9 @@
0: aaaaaaaaa
1: a
+"(?|(\k'Pm')|(?'Pm'))"
+ abcd
+ 0:
+ 1:
+
/-- End of testinput1 --/
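Review bot: the expected output for "(?|(\k'Pm')|(?'Pm'))" against abcd is an empty match at the start with group 1 empty, which is consistent with the second alternative (?'Pm') matching the empty string. This makes the case a compile-time regression test for the overflow rather than a check of the atomic OP_ONCE wrapping at match time; that is adequate for the reported bug, but consider a companion pattern and subject where the referenced group captures something non-empty, so the reserved space is also exercised by a real match.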