[Pcre-svn] [1571] code/trunk: Fix buffer overflow for forwar…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
 
 
Delete this message
Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1571] code/trunk: Fix buffer overflow for forward reference within backward assertion with excess
Revision: 1571
          http://vcs.pcre.org/viewvc?view=rev&revision=1571
Author:   ph10
Date:     2015-06-23 17:34:53 +0100 (Tue, 23 Jun 2015)
Log Message:
-----------
Fix buffer overflow for forward reference within backward assertion with excess 
closing parenthesis. Bugzilla 1651.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2015-06-22 09:38:41 UTC (rev 1570)
+++ code/trunk/ChangeLog    2015-06-23 16:34:53 UTC (rev 1571)
@@ -70,6 +70,10 @@
     within a class.


 17. \h within a class was incorrectly compiled in EBCDIC environments. 
+
+18. A pattern with an unmatched closing parenthesis that contained a backward 
+    assertion which itself contained a forward reference caused buffer 
+    overflow. And example pattern is: /(?=di(?<=(?1))|(?=(.))))/.



Version 8.37 28-April-2015 

Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c    2015-06-22 09:38:41 UTC (rev 1570)
+++ code/trunk/pcre_compile.c    2015-06-23 16:34:53 UTC (rev 1571)
@@ -9449,7 +9449,7 @@
 exceptional ones forgo this. We scan the pattern to check that they are fixed
 length, and set their lengths. */


-if (cd->check_lookbehind)
+if (errorcode == 0 && cd->check_lookbehind)
{
pcre_uchar *cc = (pcre_uchar *)codestart; 


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2015-06-22 09:38:41 UTC (rev 1570)
+++ code/trunk/testdata/testinput2    2015-06-23 16:34:53 UTC (rev 1571)
@@ -4180,4 +4180,6 @@


/^(?:(?(1)x|)+)+$()/BZ

+/(?=di(?<=(?1))|(?=(.))))/
+
/-- End of testinput2 --/ 

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2015-06-22 09:38:41 UTC (rev 1570)
+++ code/trunk/testdata/testoutput2    2015-06-23 16:34:53 UTC (rev 1571)
@@ -14486,4 +14486,7 @@
         End
 ------------------------------------------------------------------


+/(?=di(?<=(?1))|(?=(.))))/
+Failed: unmatched parentheses at offset 23
+
/-- End of testinput2 --/
This message was posted to the following mailing lists:
Pcre-svn
Mailing List Info | Nearby Messages		<-[Pcre-svn] [295] code/trunk: Fix [\h] in EBCDIC environments.[Pcre-svn] [1572] code/trunk/pcre_jit_compile.c: Minor JIT fixes.->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)