[Pcre-svn] [586] code/trunk: Fix read beyond unterminated q…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [586] code/trunk: Fix read beyond unterminated quantifier at end of pattern.
Revision: 586
          http://www.exim.org/viewvc/pcre2?view=rev&revision=586
Author:   ph10
Date:     2016-11-01 12:12:45 +0000 (Tue, 01 Nov 2016)
Log Message:
-----------
Fix read beyond unterminated quantifier at end of pattern.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2016-11-01 11:56:07 UTC (rev 585)
+++ code/trunk/ChangeLog    2016-11-01 12:12:45 UTC (rev 586)
@@ -31,7 +31,12 @@
       group whose name began with "R".
   (f) The amount of memory needed for a compiled pattern was miscalculated if a 
       lookbehind contained more than one toplevel branch and the first branch 
-      was of length zero.      
+      was of length zero.
+  (g) In UTF-8 or UTF-16 modes with PCRE2_EXTENDED (/x) set and a non-zero-
+      terminated pattern, if a # comment ran on to the end of the pattern, one
+      or more code units past the end were being read.
+  (h) An unterminated repeat at the end of a non-zero-terminated pattern (e.g.
+      "{2,2") could cause reading beyond the pattern.


One effect of the refactoring is that some error numbers and messages have
changed, and the pattern offset given for compiling errors is not always the
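Review bot: entry (h) names the symptom ("could cause reading beyond the pattern") but not where the missing check was; one clause saying the bound check was missing in the quantifier parser after the maximum is read would save a reader of the ChangeLog from reconstructing it from the source diff. Entry (g) is the text of the standalone item 18 that the next hunk deletes, so it is a relocation under the refactoring list rather than a new fix, which is fine as long as both hunks land together.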
@@ -117,11 +122,7 @@
compiled. A non-installed binary to run the test function locally, called
pcre2fuzzcheck is also compiled.

-18. In UTF-8 or UTF-16 modes with PCRE2_EXTENDED (/x) set and a non-zero-
-terminated pattern, if a # comment ran on to the end of the pattern, one or
-more code units past the end were being read.

-
Version 10.22 29-July-2016
--------------------------


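Review bot: removing item 18 here is consistent only because the previous hunk re-adds the same text as sub-item (g); if this hunk were applied alone the 10.23 fix would vanish from the ChangeLog, so the two hunks should not be cherry-picked separately.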
Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c    2016-11-01 11:56:07 UTC (rev 585)
+++ code/trunk/src/pcre2_compile.c    2016-11-01 12:12:45 UTC (rev 586)
@@ -1187,7 +1187,7 @@
 PCRE2_SPTR p = *ptrptr;
 BOOL yield = FALSE;
 int32_t min = 0;
-int32_t max = REPEAT_UNLIMITED;  /* This value is larger than MAX_REPAT_COUNT */
+int32_t max = REPEAT_UNLIMITED; /* This value is larger than MAX_REPEAT_COUNT */


 /* NB read_number() initializes the error code to zero. The only error is for a
 number that is too big. */
@@ -1209,7 +1209,7 @@
   if (*p != CHAR_RIGHT_CURLY_BRACKET)
     {
     if (!read_number(&p, ptrend, -1, MAX_REPEAT_COUNT, ERR5, &max,
-        errorcodeptr) || *p != CHAR_RIGHT_CURLY_BRACKET)
+        errorcodeptr) || p >= ptrend ||  *p != CHAR_RIGHT_CURLY_BRACKET)
       goto EXIT;
     if (max < min)
       {
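Review bot: the added `p >= ptrend` test sits before the `*p` dereference, so short-circuit evaluation now stops a pattern that ends inside `{min,max` (the ChangeLog's `{2,2` case) from reading past ptrend. Two follow-ups: the earlier `if (*p != CHAR_RIGHT_CURLY_BRACKET)` at the top of this hunk dereferences p right after the minimum has been read, and a pattern ending in `{2` or `{2,` would reach it, so it needs the same guard unless the code above the hunk already ensures p < ptrend there; and the double space in `||  *p` should be a single space to match the surrounding style.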


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2016-11-01 11:56:07 UTC (rev 585)
+++ code/trunk/testdata/testinput2    2016-11-01 12:12:45 UTC (rev 586)
@@ -4900,4 +4900,8 @@


/(?<!|!|!||||||(?<!)||(?<!)!|!||(?<!)!|!(?<!)!|!|!|!||||!!|<!)!|!||||!|/

+# /hex uses length, not zero-terminate
+
+/'{2,2{2,2'/hex
+
# End of testinput2
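Review bot: the new test only exercises the `{2,2` shape, while the ChangeLog entry describes any unterminated repeat at the end of a non-zero-terminated pattern; adding `/'{2'/hex` and `/'{2,'/hex` would cover the branches that return before the maximum is read. Minor: the comment reads more naturally as "# /hex uses length, not zero-termination".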

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2016-11-01 11:56:07 UTC (rev 585)
+++ code/trunk/testdata/testoutput2    2016-11-01 12:12:45 UTC (rev 586)
@@ -15345,6 +15345,10 @@


/(?<!|!|!||||||(?<!)||(?<!)!|!||(?<!)!|!(?<!)!|!|!|!||||!!|<!)!|!||||!|/

+# /hex uses length, not zero-terminate
+
+/'{2,2{2,2'/hex
+
# End of testinput2
Error -63: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data
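Review bot: the expected output for `/'{2,2{2,2'/hex` is empty, i.e. the pattern compiles cleanly with the braces taken as literals, which is the correct result; but that output is identical before and after the fix, so this test only detects the over-read when run under valgrind or a sanitizer. A short comment in testinput2 saying the case is a memory-checker regression test would make that dependency explicit.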