Revision: 1560
http://vcs.pcre.org/viewvc?view=rev&revision=1560
Author: ph10
Date: 2015-05-19 17:02:06 +0100 (Tue, 19 May 2015)
Log Message:
-----------
Fix buffer overflow for lookbehind within mutually recursive subroutines.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_compile.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-05-16 11:05:40 UTC (rev 1559)
+++ code/trunk/ChangeLog 2015-05-19 16:02:06 UTC (rev 1560)
@@ -23,10 +23,13 @@
another group caused a buffer overflow. For example:
/(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
-30. A forward reference by name to a group whose number is the same as the
+5. A forward reference by name to a group whose number is the same as the
current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
a buffer overflow at compile time. This bug was discovered by the LLVM
fuzzer.
+
+6. A lookbehind assertion within a set of mutually recursive subpatterns could
+ provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.
Version 8.37 28-April-2015
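Review bot: entry 6 describes only the symptom (a buffer overflow) and the fuzzer that found it, not the defect, so a reader of the ChangeLog cannot tell what was wrong. Suggest one clause on the cause, e.g. "the code that skips over an assertion in pcre_compile.c advanced by OP_lengths[*cc] rather than the fixed 1 + LINK_SIZE, which could over-run the buffer for a not-yet-complete group", so the entry can be matched to the pcre_compile.c change later.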
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c 2015-05-16 11:05:40 UTC (rev 1559)
+++ code/trunk/pcre_compile.c 2015-05-19 16:02:06 UTC (rev 1560)
@@ -1799,7 +1799,7 @@
case OP_ASSERTBACK:
case OP_ASSERTBACK_NOT:
do cc += GET(cc, 1); while (*cc == OP_ALT);
- cc += PRIV(OP_lengths)[*cc];
+ cc += 1 + LINK_SIZE;
break;
/* Skip over things that don't match chars */
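Review bot: the replacement of `cc += PRIV(OP_lengths)[*cc];` with `cc += 1 + LINK_SIZE;` needs a comment, because on the normal path the two are identical (after the do-while loop `*cc` is the KET that closes the assertion, whose length is 1 + LINK_SIZE) and a reader will assume the change is cosmetic. The difference only matters when the byte at `*cc` is not yet a KET, which is the mutually recursive subroutine case the log message names: the group being skipped is still being compiled, so indexing OP_lengths with whatever opcode happens to sit there can advance `cc` too far and past the end of the buffer. Suggest a comment such as "Use the fixed KET length here: the group may be incomplete during compilation of recursive references, so *cc cannot be trusted", and a check of whether any other skip-over site in this file relies on the same `PRIV(OP_lengths)[*cc]` advance after a do-while over alternatives.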
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-05-16 11:05:40 UTC (rev 1559)
+++ code/trunk/testdata/testinput2 2015-05-19 16:02:06 UTC (rev 1560)
@@ -4168,4 +4168,7 @@
"(?J)(?'d'(?'d'\g{d}))"
+".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
+\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
+
/-- End of testinput2 --/
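Review bot: the new regression test is the raw fuzzer-generated pattern, which makes it hard to see which construct is being exercised; the relevant part is the lookbehind `(?<=(?1){29}...)` inside group 1 combined with the forward subroutine call `(?2)`, which is what the log message refers to. Suggest adding a minimal hand-written pattern with the same shape (a lookbehind inside a pair of subpatterns that call each other) beside the fuzzer case, or at least a `/-- ... --/` comment line naming the ChangeLog entry, so the test remains understandable if it ever fails again. Also confirm that the line break inside the quoted pattern is intentional, since it becomes a literal newline in the compiled pattern.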
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-05-16 11:05:40 UTC (rev 1559)
+++ code/trunk/testdata/testoutput2 2015-05-19 16:02:06 UTC (rev 1560)
@@ -14456,4 +14456,7 @@
"(?J)(?'d'(?'d'\g{d}))"
+".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
+\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
+
/-- End of testinput2 --/
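Review bot: the expected output is just the echoed pattern with no diagnostic and no data lines, so the test only verifies that compilation completes without crashing; that is appropriate for a compile-time overflow, but a one-line comment in the test input stating that no match data is needed would stop a future maintainer from "fixing" the test by adding subject lines. Consider also running it under the address sanitizer or valgrind builds the project uses, since an over-read of this kind can pass silently in a plain build.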