[Pcre-svn] [1637] code/trunk: Fix pcretest loop for global m…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1637] code/trunk: Fix pcretest loop for global matching with an ovector size less than 2.
Revision: 1637
          http://vcs.pcre.org/viewvc?view=rev&revision=1637
Author:   ph10
Date:     2016-02-27 17:55:24 +0000 (Sat, 27 Feb 2016)
Log Message:
-----------
Fix pcretest loop for global matching with an ovector size less than 2.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcretest.c


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2016-02-27 17:38:11 UTC (rev 1636)
+++ code/trunk/ChangeLog    2016-02-27 17:55:24 UTC (rev 1637)
@@ -53,15 +53,19 @@
 13. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply
     nested set of parentheses of sufficient size caused an overflow of the
     compiling workspace (which was diagnosed, but of course is not desirable).
-    
-14. And yet another buffer overflow bug involving duplicate named groups, this 
-    time nested, with a nested back reference. Yet again, I have just allowed 
-    for more memory, because anything more needs all the refactoring that has 
+
+14. And yet another buffer overflow bug involving duplicate named groups, this
+    time nested, with a nested back reference. Yet again, I have just allowed
+    for more memory, because anything more needs all the refactoring that has
     been done for PCRE2. An example pattern that provoked this bug is:
-    /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was 
-    registered as CVE-2016-1283. 
+    /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was
+    registered as CVE-2016-1283.


+15. pcretest went into a loop if global matching was requested with an ovector
+    size less than 2. It now gives an error message. This bug was found by
+    afl-fuzz.


+
Version 8.38 23-November-2015
-----------------------------


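Review bot: the trailing-whitespace stripping in entries 13 and 14 (the `-    ` / `+` pairs and the lines that differ only by a trailing space) is unrelated to the fix and makes the ChangeLog hunk four times larger than the new entry 15 it exists to add; keeping whitespace cleanup in its own commit would leave this hunk showing only the substantive change. Entry 15 itself could also state what the new behaviour is in terms a reader of the log can check, e.g. that the message is printed to the test output file and the global-match loop is abandoned for that subject, since "It now gives an error message" does not say whether matching continues.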
Modified: code/trunk/pcretest.c
===================================================================
--- code/trunk/pcretest.c    2016-02-27 17:38:11 UTC (rev 1636)
+++ code/trunk/pcretest.c    2016-02-27 17:55:24 UTC (rev 1637)
@@ -5617,6 +5617,12 @@
         break;
         }


+      if (use_size_offsets < 2)
+        {
+        fprintf(outfile, "Cannot do global matching with an ovector size < 2\n");
+        break;
+        }
+
       /* If we have matched an empty string, first check to see if we are at
       the end of the subject. If so, the /g loop is over. Otherwise, mimic what
       Perl's /g options does. This turns out to be rather cunning. First we set
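Review bot: the new `if (use_size_offsets < 2)` guard sits inside the matching loop body, after the `break;` that closes the preceding block and immediately before the post-match comment ("If we have matched an empty string ..."), so from the visible context it is evaluated only after a match has already been attempted with the undersized ovector, rather than rejecting the /g-with-small-ovector combination before the loop is entered. If the loop entry point is reachable from this change, checking the size there once would be cleaner; either way the diagnostic would be more useful if it reported the offending value, e.g. `fprintf(outfile, "Cannot do global matching with an ovector size < 2 (size %d)\n", use_size_offsets);`, so a fuzzer-generated test line can be matched to the message without re-reading the input.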