Revision: 1565
http://vcs.pcre.org/viewvc?view=rev&revision=1565
Author: ph10
Date: 2015-06-09 17:46:52 +0100 (Tue, 09 Jun 2015)
Log Message:
-----------
Fix overflow when ovector has size 1.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_exec.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-06-09 16:33:27 UTC (rev 1564)
+++ code/trunk/ChangeLog 2015-06-09 16:46:52 UTC (rev 1565)
@@ -44,6 +44,9 @@
9. The table entry for \l in EBCDIC environments was incorrect, leading to its
being treated as a literal 'l' instead of causing an error.
+
+10. There was a buffer overflow if pcre_exec() was called with an ovector of
+ size 1. This bug was found by american fuzzy lop.
Version 8.37 28-April-2015
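Review bot: the entry only mentions an ovector of size 1, but the code change adds separate guards `if (offsetcount > 0)` and `if (offsetcount > 1)`, so a size-0 vector is covered as well; consider wording the entry as "an ovector of size 0 or 1" so the ChangeLog matches what was fixed, and mention that a regression case was added to testinput2 so the test is discoverable from the log.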
Modified: code/trunk/pcre_exec.c
===================================================================
--- code/trunk/pcre_exec.c 2015-06-09 16:33:27 UTC (rev 1564)
+++ code/trunk/pcre_exec.c 2015-06-09 16:46:52 UTC (rev 1565)
@@ -6685,7 +6685,8 @@
register int *iend = iptr - re->top_bracket;
if (iend < md->offset_vector + 2) iend = md->offset_vector + 2;
while (--iptr >= iend) *iptr = -1;
- md->offset_vector[0] = md->offset_vector[1] = -1;
+ if (offsetcount > 0) md->offset_vector[0] = -1;
+ if (offsetcount > 1) md->offset_vector[1] = -1;
}
/* Set up the first character to match, if available. The first_char value is
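Review bot: the two guarded stores remove the out-of-bounds write for offsetcount < 2, but the clamp `if (iend < md->offset_vector + 2) iend = md->offset_vector + 2;` directly above still encodes the assumption that slots 0 and 1 exist; it remains safe only because `while (--iptr >= iend)` terminates before reaching iend when the vector is that small, which is not obvious from the code. Suggest a one-line comment above the new checks stating that an ovector of size 0 or 1 holds no usable pair and only the slots that exist are cleared, so a later reader does not "simplify" it back to the unconditional assignment.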
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-06-09 16:33:27 UTC (rev 1564)
+++ code/trunk/testdata/testinput2 2015-06-09 16:46:52 UTC (rev 1565)
@@ -4175,4 +4175,7 @@
/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+//
+\O1
+
/-- End of testinput2 --/
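Review bot: the regression test exercises only `\O1`, while the C change also introduces an `offsetcount > 0` branch; a companion `\O0` case on the same empty pattern would cover that branch too (in this test format `\Odd` sets the size of the ovector passed to pcre_exec()). The empty pattern `//` is a good minimal choice since it matches at offset 0 regardless of subject.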
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-06-09 16:33:27 UTC (rev 1564)
+++ code/trunk/testdata/testoutput2 2015-06-09 16:46:52 UTC (rev 1565)
@@ -14464,4 +14464,8 @@
/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
Failed: number is too big at offset 32
+//
+\O1
+Matched, but too many substrings
+
/-- End of testinput2 --/
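Review bot: the expected output is just `Matched, but too many substrings` with no offset lines, which is the right expectation for an ovector too small to report even the whole-match pair; if further `\O` sizes are added to testinput2 for this pattern, their expected lines need to be added here in the same position to keep the two files in step.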