[Pcre-svn] [1560] code/trunk: Fix buffer overflow for lookbe…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1560] code/trunk: Fix buffer overflow for lookbehind within mutually recursive subroutines.
Revision: 1560
          http://vcs.pcre.org/viewvc?view=rev&revision=1560
Author:   ph10
Date:     2015-05-19 17:02:06 +0100 (Tue, 19 May 2015)
Log Message:
-----------
Fix buffer overflow for lookbehind within mutually recursive subroutines.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-05-16 11:05:40 UTC (rev 1559)
+++ code/trunk/ChangeLog    2015-05-19 16:02:06 UTC (rev 1560)
@@ -23,10 +23,13 @@
     another group caused a buffer overflow. For example:
     /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.


-30. A forward reference by name to a group whose number is the same as the
+5.  A forward reference by name to a group whose number is the same as the
     current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused
     a buffer overflow at compile time. This bug was discovered by the LLVM
     fuzzer.
+    
+6.  A lookbehind assertion within a set of mutually recursive subpatterns could
+    provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.



Version 8.37 28-April-2015
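Review bot: the renumbering of the forward-reference entry from 30 to 5 is a separate ChangeLog correction from the new entry 6 and is not mentioned in the log message; either say so in the commit message or split it into its own commit so the history explains it. The blank line added before entry 6 also carries trailing spaces (`+    `) and should be empty. Entry 6 would be more useful with the minimal pattern that triggers the overflow, as the entries above it do.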

Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c    2015-05-16 11:05:40 UTC (rev 1559)
+++ code/trunk/pcre_compile.c    2015-05-19 16:02:06 UTC (rev 1560)
@@ -1799,7 +1799,7 @@
     case OP_ASSERTBACK:
     case OP_ASSERTBACK_NOT:
     do cc += GET(cc, 1); while (*cc == OP_ALT);
-    cc += PRIV(OP_lengths)[*cc];
+    cc += 1 + LINK_SIZE;
     break;


     /* Skip over things that don't match chars */
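Review bot: replacing `PRIV(OP_lengths)[*cc]` with the constant `1 + LINK_SIZE` removes the dependence on the byte at `*cc` after the OP_ALT loop, which is the right call if that byte can be unwritten or stale while the assertion's enclosing group is still being compiled (the mutually recursive case named in the log message), since indexing the lengths table with an arbitrary value is itself an out-of-bounds read; a comment on the `+` line stating this, and stating that the bracket closing an assertion is always 1 + LINK_SIZE long, would keep a later reader from "simplifying" it back to the table lookup. Any other case in this switch that skips a group with the same `do ... while (*cc == OP_ALT)` followed by a table lookup deserves the same audit.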


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-05-16 11:05:40 UTC (rev 1559)
+++ code/trunk/testdata/testinput2    2015-05-19 16:02:06 UTC (rev 1560)
@@ -4168,4 +4168,7 @@


"(?J)(?'d'(?'d'\g{d}))"

+".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
+\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
+
/-- End of testinput2 --/
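Review bot: the added case is the raw fuzzer output, spanning two lines with a line break inside the quoted pattern; a minimal reproducer containing just a lookbehind inside two mutually recursive subroutines would document which construct is under test and would survive future changes to the unrelated features (\h, \R, \C, (?i)) that this pattern also exercises. If the two-line form is deliberate, a comment line above it saying so would prevent it being "fixed" as a wrap artifact.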

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-05-16 11:05:40 UTC (rev 1559)
+++ code/trunk/testdata/testoutput2    2015-05-19 16:02:06 UTC (rev 1560)
@@ -14456,4 +14456,7 @@


"(?J)(?'d'(?'d'\g{d}))"

+".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
+\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
+
/-- End of testinput2 --/
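Review bot: the expected output is only the echoed pattern, so this test passes as long as compilation completes without an error message; the overflow itself is observable only under an instrumented build (address sanitizer or valgrind), so the regression is caught here only when the test suite is run that way. Pairing the pattern with a subject string, or adding a comment above the entry noting that it is a crash-regression case, would make the intent clear to someone reading testoutput2 later.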