Revision: 337
http://www.exim.org/viewvc/pcre2?view=rev&revision=337
Author: zherczeg
Date: 2015-08-08 06:45:17 +0100 (Sat, 08 Aug 2015)
Log Message:
-----------
The JIT compiler did not restore the control verb head in case of *THEN control verbs.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_jit_compile.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-08-05 17:35:36 UTC (rev 336)
+++ code/trunk/ChangeLog 2015-08-08 05:45:17 UTC (rev 337)
@@ -108,7 +108,10 @@
28. If pcre2grep was given the -q option with -c or -l, or when handling a
binary file, it incorrectly wrote output to stdout.
+29. The JIT compiler did not restore the control verb head in case of *THEN
+control verbs. This issue was found by Karl Skomski with a custom LLVM fuzzer.
+
Version 10.20 30-June-2015
--------------------------
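Review bot: the new entry credits the fuzzer but does not point at the regression test; since this revision also adds a test case to testinput2/testoutput2, mentioning that in the ChangeLog line (as other entries do when a test accompanies a fix) would help anyone bisecting later. The wording itself reads fine and the numbering follows on from entry 28.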
Modified: code/trunk/src/pcre2_jit_compile.c
===================================================================
--- code/trunk/src/pcre2_jit_compile.c 2015-08-05 17:35:36 UTC (rev 336)
+++ code/trunk/src/pcre2_jit_compile.c 2015-08-08 05:45:17 UTC (rev 337)
@@ -1472,6 +1472,13 @@
cc += 1 + LINK_SIZE + IMM2_SIZE;
break;
+ case OP_THEN:
+ stack_restore = TRUE;
+ if (common->control_head_ptr != 0)
+ *needs_control_head = TRUE;
+ cc ++;
+ break;
+
default:
stack_restore = TRUE;
/* Fall through. */
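Review bot: the new `case OP_THEN:` repeats the `stack_restore = TRUE;` that the `default:` branch below already performs, and differs from it only in the `*needs_control_head = TRUE;` flag and the one-byte `cc ++;` advance; a short comment stating why *THEN must have the control verb head restored (the defect this revision fixes) would make the intent obvious to the next reader, since the visible code gives no hint of it. Two smaller points: `cc ++;` is spaced unlike the `cc += 1 + LINK_SIZE + IMM2_SIZE;` just above, and if the opcode set has an argument-carrying form of *THEN, please confirm it is either handled by this case or covered elsewhere, because only the plain `OP_THEN` is added here.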
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2015-08-05 17:35:36 UTC (rev 336)
+++ code/trunk/testdata/testinput2 2015-08-08 05:45:17 UTC (rev 337)
@@ -4412,4 +4412,7 @@
/((?(R8000000000)))/
+/0(?0)|(1)(*THEN)(*SKIP:0)(*FAIL)/
+ 01
+
# End of testinput2
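Review bot: the added pattern `/0(?0)|(1)(*THEN)(*SKIP:0)(*FAIL)/` with subject `01` is a bare fuzzer-derived case with no note on what it exercises; a one-line comment above it saying that it checks control verb head restoration on *THEN (and that it was reduced from a fuzzer input) would keep the test meaningful once the ChangeLog is no longer at hand. Because the defect is in the JIT compiler, the case only demonstrates the regression when the suite is run with JIT enabled, so it is worth confirming it fails in that mode before the fix and passes after.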
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2015-08-05 17:35:36 UTC (rev 336)
+++ code/trunk/testdata/testoutput2 2015-08-08 05:45:17 UTC (rev 337)
@@ -14667,4 +14667,8 @@
/((?(R8000000000)))/
Failed: error 161 at offset 16: number is too big
+/0(?0)|(1)(*THEN)(*SKIP:0)(*FAIL)/
+ 01
+No match
+
# End of testinput2
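Review bot: the expected `No match` is consistent with how the pattern should behave on `01`: the recursion via `(?0)` and the `(1)(*THEN)(*SKIP:0)(*FAIL)` alternative both end in failure at every start position, and `(*SKIP:0)` has no matching mark to act on, so interpreter and JIT must agree on this output. It would be useful to state in the commit that the pre-fix JIT produced a different result for this input, so the value of the test as a regression guard is recorded.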