[Pcre-svn] [1565] code/trunk: Fix overflow when ovector has …

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1565] code/trunk: Fix overflow when ovector has size 1.
Revision: 1565
          http://vcs.pcre.org/viewvc?view=rev&revision=1565
Author:   ph10
Date:     2015-06-09 17:46:52 +0100 (Tue, 09 Jun 2015)
Log Message:
-----------
Fix overflow when ovector has size 1.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_exec.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-06-09 16:33:27 UTC (rev 1564)
+++ code/trunk/ChangeLog    2015-06-09 16:46:52 UTC (rev 1565)
@@ -44,6 +44,9 @@


 9.  The table entry for \l in EBCDIC environments was incorrect, leading to its
     being treated as a literal 'l' instead of causing an error. 
+    
+10. There was a buffer overflow if pcre_exec() was called with an ovector of 
+    size 1. This bug was found by american fuzzy lop.



Version 8.37 28-April-2015
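Review bot: the added ChangeLog lines carry trailing whitespace (the blank `+    ` line and the space after `ovector of ` at the end of the first line); strip it so the entry matches the rest of the file. It would also help to state the cause in the entry itself, e.g. "because pcre_exec() unconditionally reset the first two ovector entries", so the record is useful without reading the code diff.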

Modified: code/trunk/pcre_exec.c
===================================================================
--- code/trunk/pcre_exec.c    2015-06-09 16:33:27 UTC (rev 1564)
+++ code/trunk/pcre_exec.c    2015-06-09 16:46:52 UTC (rev 1565)
@@ -6685,7 +6685,8 @@
   register int *iend = iptr - re->top_bracket;
   if (iend < md->offset_vector + 2) iend = md->offset_vector + 2;
   while (--iptr >= iend) *iptr = -1;
-  md->offset_vector[0] = md->offset_vector[1] = -1;
+  if (offsetcount > 0) md->offset_vector[0] = -1;
+  if (offsetcount > 1) md->offset_vector[1] = -1;
   }


/* Set up the first character to match, if available. The first_char value is
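Review bot: the two new guards test `offsetcount`, while the line just above clamps `iend` to `md->offset_vector + 2`, so the reset loop already assumes at least two slots; add a one-line comment stating that the caller's ovector may legitimately hold fewer than two ints at this point (the size-1 case that overflowed), otherwise a later reader is likely to collapse the pair back into `md->offset_vector[0] = md->offset_vector[1] = -1;`. Since `offsetcount` can now be 0 or 1 here, also confirm that `md->offset_vector` still points at the caller's buffer in that case; the check that establishes this is outside the visible hunk.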

Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-06-09 16:33:27 UTC (rev 1564)
+++ code/trunk/testdata/testinput2    2015-06-09 16:46:52 UTC (rev 1565)
@@ -4175,4 +4175,7 @@


/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/

+//
+\O1
+
/-- End of testinput2 --/
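Review bot: the new case `//` followed by `\O1` has no explanatory comment, and `\O1` is easy to misread as part of the subject string; add a `/-- ... --/` comment line (the convention this file already uses for its end marker) saying it is the regression test for the size-1 ovector overflow. If pcretest's `\O` escape accepts a size of 0, a second case covering the `offsetcount > 0` guard from the C change would make the test match the fix one to one.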

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-06-09 16:33:27 UTC (rev 1564)
+++ code/trunk/testdata/testoutput2    2015-06-09 16:46:52 UTC (rev 1565)
@@ -14464,4 +14464,8 @@
 /(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
 Failed: number is too big at offset 32


+//
+\O1
+Matched, but too many substrings
+
/-- End of testinput2 --/
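Review bot: the expected line `Matched, but too many substrings` only shows that the call returns normally with a one-slot ovector; before the fix the same text could be printed while the out-of-bounds store went unnoticed, so this case only detects a regression when the suite runs under a memory checker (valgrind or AddressSanitizer). Record that in the test documentation, or make sure the fuzzer-found input is exercised in a sanitizer build of the suite.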