Revision: 321
http://www.exim.org/viewvc/pcre2?view=rev&revision=321
Author: ph10
Date: 2015-07-21 15:03:08 +0100 (Tue, 21 Jul 2015)
Log Message:
-----------
Fix non-diagnosis of a missing ) for a callout with a string argument.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_compile.c
code/trunk/testdata/testinput5
code/trunk/testdata/testoutput5
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-07-21 13:42:14 UTC (rev 320)
+++ code/trunk/ChangeLog 2015-07-21 14:03:08 UTC (rev 321)
@@ -62,6 +62,9 @@
pcre2_compile() to run for a very long time. This bug was found by the LLVM
fuzzer.
+17. A missing closing parenthesis for a callout with a string argument was not
+being diagnosed, possibly leading to a buffer overflow. This bug was found by
+the LLVM fuzzer.
Version 10.20 30-June-2015
Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c 2015-07-21 13:42:14 UTC (rev 320)
+++ code/trunk/src/pcre2_compile.c 2015-07-21 14:03:08 UTC (rev 321)
@@ -3277,46 +3277,51 @@
if (IS_DIGIT(ptr[1]))
{
while (IS_DIGIT(ptr[1])) ptr++;
- if (ptr[1] != CHAR_RIGHT_PARENTHESIS)
- {
- errorcode = ERR39;
- ptr++;
- goto FAILED;
- }
- break;
}
/* Handle a string argument */
- ptr++;
- delimiter = 0;
- for (i = 0; PRIV(callout_start_delims)[i] != 0; i++)
- {
- if (*ptr == PRIV(callout_start_delims)[i])
+ else
+ {
+ ptr++;
+ delimiter = 0;
+ for (i = 0; PRIV(callout_start_delims)[i] != 0; i++)
{
- delimiter = PRIV(callout_end_delims)[i];
- break;
+ if (*ptr == PRIV(callout_start_delims)[i])
+ {
+ delimiter = PRIV(callout_end_delims)[i];
+ break;
+ }
}
- }
+
+ if (delimiter == 0)
+ {
+ errorcode = ERR82;
+ goto FAILED;
+ }
+
+ start = ptr;
+ do
+ {
+ if (++ptr >= cb->end_pattern)
+ {
+ errorcode = ERR81;
+ ptr = start; /* To give a more useful message */
+ goto FAILED;
+ }
+ if (ptr[0] == delimiter && ptr[1] == delimiter) ptr += 2;
+ }
+ while (ptr[0] != delimiter);
+ }
+
+ /* Check terminating ) */
- if (delimiter == 0)
+ if (ptr[1] != CHAR_RIGHT_PARENTHESIS)
{
- errorcode = ERR82;
+ errorcode = ERR39;
+ ptr++;
goto FAILED;
}
-
- start = ptr;
- do
- {
- if (++ptr >= cb->end_pattern)
- {
- errorcode = ERR81;
- ptr = start; /* To give a more useful message */
- goto FAILED;
- }
- if (ptr[0] == delimiter && ptr[1] == delimiter) ptr += 2;
- }
- while (ptr[0] != delimiter);
break;
case CHAR_LEFT_PARENTHESIS:
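Review bot: In the delimiter scan inside the new `else` branch, only `++ptr` is checked against `cb->end_pattern`. After `ptr += 2` skips a doubled delimiter, `while (ptr[0] != delimiter)` reads the next byte unchecked, and the `ptr[1]` peeks are safe only if the byte at `end_pattern` is a terminator, which is not visible in this hunk. The same step also appears to mis-handle two doubled delimiters in a row: the pointer lands on the first delimiter of the second pair, the loop takes it as the closing one, and the new `)` check then reports ERR39 for a well-formed string. Advancing by one after a doubled delimiter, so that the top-of-loop bounds check runs on every step, covers both cases, as sketched below. The enclosing switch case starts and ends outside this hunk.

```c
start = ptr;
for (;;)
  {
  if (++ptr >= cb->end_pattern)
    {
    errorcode = ERR81;
    ptr = start;   /* To give a more useful message */
    goto FAILED;
    }
  if (ptr[0] != delimiter) continue;
  if (ptr[1] != delimiter) break;   /* closing delimiter found */
  ptr++;                            /* doubled delimiter: step over its second half */
  }
/* … unchanged: "Check terminating )" test on ptr[1] … */
```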
Modified: code/trunk/testdata/testinput5
===================================================================
--- code/trunk/testdata/testinput5 2015-07-21 13:42:14 UTC (rev 320)
+++ code/trunk/testdata/testinput5 2015-07-21 14:03:08 UTC (rev 321)
@@ -1653,4 +1653,6 @@
/$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?'X'8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?'X'))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/
+"(*UTF)(*UCP)(.UTF).+X(\V+;\^(\D|)!999}(?(?C{7(?C')\H*\S*/^\x5\xa\\xd3\x85n?(;\D*(?m).[^mH+((*UCP)(*U:F)})(?!^)(?'"
+
# End of testinput5
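Review bot: The added pattern is the raw fuzzer input, with no comment saying which check it covers. A later reader cannot tell that it guards the missing-`)` diagnosis for a string-argument callout. Adding a line such as `# Callout with string argument and no closing parenthesis (ChangeLog 17)` above it would record that. Comment lines are echoed into testoutput5, so the same line would be needed there. A second, minimised pattern containing only the unterminated string callout would keep the ERR39 path covered if the parsing of the surrounding syntax changes.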
Modified: code/trunk/testdata/testoutput5
===================================================================
--- code/trunk/testdata/testoutput5 2015-07-21 13:42:14 UTC (rev 320)
+++ code/trunk/testdata/testoutput5 2015-07-21 14:03:08 UTC (rev 321)
@@ -4052,4 +4052,7 @@
/$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?'X'8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?'X'))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/
+"(*UTF)(*UCP)(.UTF).+X(\V+;\^(\D|)!999}(?(?C{7(?C')\H*\S*/^\x5\xa\\xd3\x85n?(;\D*(?m).[^mH+((*UCP)(*U:F)})(?!^)(?'"
+Failed: error 139 at offset 113: closing parenthesis for (?C expected
+
# End of testinput5