Revision: 1619
http://vcs.pcre.org/viewvc?view=rev&revision=1619
Author: ph10
Date: 2015-12-05 16:58:46 +0000 (Sat, 05 Dec 2015)
Log Message:
-----------
Fix (by hacking) another length computation issue.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_compile.c
code/trunk/testdata/testoutput11-16
code/trunk/testdata/testoutput11-32
code/trunk/testdata/testoutput11-8
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-12-05 16:30:14 UTC (rev 1618)
+++ code/trunk/ChangeLog 2015-12-05 16:58:46 UTC (rev 1619)
@@ -35,6 +35,11 @@
8. An call of pcre_copy_named_substring() for a named substring whose number
was greater than the space in the ovector could cause a crash.
+
+9. Yet another buffer overflow bug involved duplicate named groups with a
+ group that reset capture numbers (compare 8.38/7 below). Once again, I have
+ just allowed for more memory, even if not needed. (A proper fix is
+ implemented in PCRE2, but it involves a lot of refactoring.)
Version 8.38 23-November-2015
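Review bot: the new item 9 says only that "more memory" is allowed; it should name the actual allowance (the pcre_compile.c hunk raises it from 2 + 2*LINK_SIZE to 4 + 4*LINK_SIZE per reference) so the ChangeLog documents what changed rather than that something changed. While this region is being edited, the typo "An call of pcre_copy_named_substring()" in the item 8 context line could be corrected to "A call" in the same commit.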
@@ -42,7 +47,7 @@
1. If a group that contained a recursive back reference also contained a
forward reference subroutine call followed by a non-forward-reference
- subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
+ subroutine call, for example /.((?2)(?R)\1)()/, pcre_compile() failed to
compile correct code, leading to undefined behaviour or an internally
detected error. This bug was discovered by the LLVM fuzzer.
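Review bot: correct fix; this is the PCRE1 ChangeLog and the function being described is pcre_compile(), so "pcre2_compile()" here was a slip. Nothing further needed for this hunk.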
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c 2015-12-05 16:30:14 UTC (rev 1618)
+++ code/trunk/pcre_compile.c 2015-12-05 16:58:46 UTC (rev 1619)
@@ -7280,7 +7280,7 @@
issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
only mode, we finesse the bug by allowing more memory always. */
- *lengthptr += 2 + 2*LINK_SIZE;
+ *lengthptr += 4 + 4*LINK_SIZE;
/* It is even worse than that. The current reference may be to an
existing named group with a different number (so apparently not
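Review bot: the allowance at *lengthptr is doubled from 2 + 2*LINK_SIZE to 4 + 4*LINK_SIZE with no argument for why the new figure bounds the worst case. The comment above already calls this a finesse and the comment below opens with "It is even worse than that", so a reader cannot tell whether the extra 2 + 2*LINK_SIZE covers one more reference per name, or merely happens to be enough for the input that crashed. Suggest extending the comment to say which construct the extra space is for (a duplicate named group combined with a capture-number reset, per the ChangeLog entry), and adding the crashing pattern as a regression test: if the under-count grows with the number of duplicate names rather than being a fixed deficit, a slightly larger input would still overrun this "always bigger" allocation.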
Modified: code/trunk/testdata/testoutput11-16
===================================================================
--- code/trunk/testdata/testoutput11-16 2015-12-05 16:30:14 UTC (rev 1618)
+++ code/trunk/testdata/testoutput11-16 2015-12-05 16:58:46 UTC (rev 1619)
@@ -231,7 +231,7 @@
------------------------------------------------------------------
/(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 77
+Memory allocation (code space): 93
------------------------------------------------------------------
0 24 Bra
2 5 CBra 1
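Review bot: only the "Memory allocation (code space)" figure changes (77 to 93); the compiled code that follows (0 24 Bra, 2 5 CBra 1) is unchanged, which confirms the patch over-allocates without altering emitted code. The 16-byte increase is consistent with one extra 2 + 2*LINK_SIZE allowance for each of the two references in the pattern, (?P=a) and (?P>a), at LINK_SIZE 1 in 16-bit code units.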
Modified: code/trunk/testdata/testoutput11-32
===================================================================
--- code/trunk/testdata/testoutput11-32 2015-12-05 16:30:14 UTC (rev 1618)
+++ code/trunk/testdata/testoutput11-32 2015-12-05 16:58:46 UTC (rev 1619)
@@ -231,7 +231,7 @@
------------------------------------------------------------------
/(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 157
+Memory allocation (code space): 189
------------------------------------------------------------------
0 24 Bra
2 5 CBra 1
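Review bot: 157 to 189 is 32 bytes, again two extra allowances of four code units each at four bytes per unit, and the following bytecode lines are identical. Fine as a consequence of the pcre_compile.c change, but note it records the larger allocation for an existing pattern rather than exercising the pattern that overflowed.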
Modified: code/trunk/testdata/testoutput11-8
===================================================================
--- code/trunk/testdata/testoutput11-8 2015-12-05 16:30:14 UTC (rev 1618)
+++ code/trunk/testdata/testoutput11-8 2015-12-05 16:58:46 UTC (rev 1619)
@@ -231,7 +231,7 @@
------------------------------------------------------------------
/(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 50
+Memory allocation (code space): 62
------------------------------------------------------------------
0 30 Bra
3 7 CBra 1
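Review bot: no testinput file appears in Modified Paths, so the duplicate-named-group pattern that triggered the overflow is not pinned by a regression test; the three output files only update the allocation reported for the existing /(?P<a>a)...(?P=a)bbb(?P>a)d/ case (50 to 62 here, two extra 2 + 2*LINK_SIZE allowances with LINK_SIZE 2 in the 8-bit library). Suggest adding the triggering pattern to testinput11 and its three outputs, since the code comment describes this as a finesse rather than a fix and a test is the only thing that would catch the allowance being too small again.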