[Pcre-svn] [1562] code/trunk: Fix another buffer overflow.

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1562] code/trunk: Fix another buffer overflow.
Revision: 1562
          http://vcs.pcre.org/viewvc?view=rev&revision=1562
Author:   ph10
Date:     2015-06-03 17:51:59 +0100 (Wed, 03 Jun 2015)
Log Message:
-----------
Fix another buffer overflow.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput11-16
    code/trunk/testdata/testoutput11-32
    code/trunk/testdata/testoutput11-8
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-05-29 12:50:38 UTC (rev 1561)
+++ code/trunk/ChangeLog    2015-06-03 16:51:59 UTC (rev 1562)
@@ -1,6 +1,9 @@
 ChangeLog for PCRE
 ------------------


+Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
+development is happening in the PCRE2 10.xx series.
+
Version 8.38 xx-xxx-xxxx
------------------------

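Review bot: the added "bugfix-only" note at the top of the ChangeLog is the right place for this status, but it would help to say it is effective from 8.38 onward so readers of older tarballs are not confused; the same rationale is repeated in the pcre_compile.c comment in this commit, so keep the wording consistent between the two.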
@@ -30,6 +33,12 @@

 6.  A lookbehind assertion within a set of mutually recursive subpatterns could
     provoke a buffer overflow. This bug was discovered by the LLVM fuzzer.
+    
+7.  Another buffer overflow bug involved duplicate named groups with a 
+    reference between their definition, with a group that reset capture 
+    numbers, for example: /(?J:(?|(?'R')(\k'R')|((?'R'))))/. This has been 
+    fixed by always allowing for more memory, even if not needed. (A proper fix 
+    is implemented in PCRE2, but it involves more refactoring.) 



Version 8.37 28-April-2015

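Review bot: the new entry 7 carries trailing whitespace on each added line (including the otherwise blank line after entry 6); please strip it, since the ChangeLog is otherwise whitespace-clean. The phrase "with a reference between their definition" is hard to parse; something like "a back reference to the name between the two definitions, inside a group that resets capture numbers" would match the example /(?J:(?|(?'R')(\k'R')|((?'R'))))/ more closely. It would also be worth stating the user-visible effect of the fix, namely that compiled patterns containing named references now reserve slightly more code space, as the testoutput11-* changes in this commit show.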
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c    2015-05-29 12:50:38 UTC (rev 1561)
+++ code/trunk/pcre_compile.c    2015-06-03 16:51:59 UTC (rev 1562)
@@ -7214,7 +7214,12 @@
           real compile this will be picked up and the reference wrapped with
           OP_ONCE to make it atomic, so we must space in case this occurs. */


-          if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
+          /* In fact, this can happen for a non-forward reference because
+          another group with the same number might be created later. This
+          issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
+          only mode, we finesse the bug by allowing more memory always. */
+
+          /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
           }


         /* In the real compile, search the name table. We check the name


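Review bot: leaving the condition as a comment, `/* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;`, reads as dead code; since the new comment already explains why the increment is now unconditional, drop the commented-out test and write the statement plainly. The preceding context comment ("In the real compile this will be picked up and the reference wrapped with OP_ONCE ... so we must space in case this occurs") still describes only the forward-reference case and should be updated to match the new unconditional behaviour. On the logic itself: over-reserving 2 + 2*LINK_SIZE per named reference in the length pre-pass makes `*lengthptr` an upper bound again, which is safe (the real compile can never write more than was sized), at the cost of a larger allocation for every pattern with named references rather than only those with duplicate names; since this is explicitly a stopgap pending the PCRE2 refactor, a TODO referencing the proper fix would help anyone tempted to "optimise" it back.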
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-05-29 12:50:38 UTC (rev 1561)
+++ code/trunk/testdata/testinput2    2015-06-03 16:51:59 UTC (rev 1562)
@@ -4171,4 +4171,6 @@
 ".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
 \H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"


+"(?J:(?|(?'R')(\k'R')|((?'R'))))"
+
/-- End of testinput2 --/

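Review bot: the regression test adds only the pattern "(?J:(?|(?'R')(\k'R')|((?'R'))))" with no subject lines, so it exercises the compile path (where the overflow occurred) but not matching; that is adequate for this bug, but a one-line subject such as an empty string would also confirm that the duplicate-name reference resolves at match time. A comment in testinput2 noting that this pattern previously overflowed the compile buffer would make the intent of the otherwise opaque pattern clear to future readers.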
Modified: code/trunk/testdata/testoutput11-16
===================================================================
--- code/trunk/testdata/testoutput11-16    2015-05-29 12:50:38 UTC (rev 1561)
+++ code/trunk/testdata/testoutput11-16    2015-06-03 16:51:59 UTC (rev 1562)
@@ -231,7 +231,7 @@
 ------------------------------------------------------------------


/(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 61
+Memory allocation (code space): 77
------------------------------------------------------------------
0 24 Bra
2 5 CBra 1

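Review bot: the code-space increase for /(?P<a>a)...(?P=a)bbb(?P>a)d/BM is consistent with the pcre_compile.c change: the pattern contains two named references, each now reserving 2 + 2*LINK_SIZE code units, and the deltas in this commit (+12 bytes for 8-bit, +16 for 16-bit, +32 for 32-bit) match two such reservations at the respective code-unit and LINK_SIZE widths. Since the rest of the hunk (the Bra/CBra listing) is unchanged, the generated code is the same and only the allocation grew, which is the expected outcome of the over-allocation approach; worth stating this in the commit log so the number changes are not mistaken for a behavioural change.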
Modified: code/trunk/testdata/testoutput11-32
===================================================================
--- code/trunk/testdata/testoutput11-32    2015-05-29 12:50:38 UTC (rev 1561)
+++ code/trunk/testdata/testoutput11-32    2015-06-03 16:51:59 UTC (rev 1562)
@@ -231,7 +231,7 @@
 ------------------------------------------------------------------


/(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 125
+Memory allocation (code space): 157
------------------------------------------------------------------
0 24 Bra
2 5 CBra 1

Modified: code/trunk/testdata/testoutput11-8
===================================================================
--- code/trunk/testdata/testoutput11-8    2015-05-29 12:50:38 UTC (rev 1561)
+++ code/trunk/testdata/testoutput11-8    2015-06-03 16:51:59 UTC (rev 1562)
@@ -231,7 +231,7 @@
 ------------------------------------------------------------------


/(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 38
+Memory allocation (code space): 50
------------------------------------------------------------------
0 30 Bra
3 7 CBra 1

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-05-29 12:50:38 UTC (rev 1561)
+++ code/trunk/testdata/testoutput2    2015-06-03 16:51:59 UTC (rev 1562)
@@ -14459,4 +14459,6 @@
 ".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
 \H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"


+"(?J:(?|(?'R')(\k'R')|((?'R'))))"
+
/-- End of testinput2 --/
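Review bot: the expected output for the new pattern is just the pattern echoed with no "Failed:" diagnostic, which is what confirms a clean compile, but nothing here pins the allocation size the way the testoutput11-* files do; if the fix is later replaced by a proper one, this test will still pass silently, so consider also adding the pattern with the /M modifier to a testinput11 case so that a regression in the length computation is caught by a size mismatch rather than only by a crash under a sanitizer.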