Revision: 595
http://www.exim.org/viewvc/pcre2?view=rev&revision=595
Author: ph10
Date: 2016-11-04 11:05:21 +0000 (Fri, 04 Nov 2016)
Log Message:
-----------
Fix overrun for unterminated number after \g'
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_compile.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2016-11-04 10:53:43 UTC (rev 594)
+++ code/trunk/ChangeLog 2016-11-04 11:05:21 UTC (rev 595)
@@ -48,7 +48,10 @@
given only for a callout at the end of the pattern. Automatic callouts are no
longer inserted before and after explicit callouts in the pattern.
-Some bugs in the refactored code were subsequently fixed before release:
+Some bugs in the refactored code were subsequently fixed before release.
+Several of them were related to the change from assuming a zero-terminated
+pattern (which previously had required non-zero terminated strings to be
+copied).
(a) An overall recursion such as (?0) inside a lookbehind assertion was not
being diagnosed as an error.
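Review bot: in the added ChangeLog sentence, "non-zero terminated strings" can be read as "strings terminated by something non-zero". "Strings that are not zero-terminated" says what is meant, and the parenthesis would read more easily as a sentence of its own.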
@@ -74,6 +77,8 @@
(g) When reading a callout string, if the end delimiter was at the end of the
pattern one further code unit was read.
+
+ (h) An unterminated number after \g' could cause reading beyond the pattern.
4. Back references are now permitted in lookbehind assertions when there are
no duplicated group numbers (that is, (?| has not been used), and, if the
Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c 2016-11-04 10:53:43 UTC (rev 594)
+++ code/trunk/src/pcre2_compile.c 2016-11-04 11:05:21 UTC (rev 595)
@@ -2577,7 +2577,7 @@
if (read_number(&p, ptrend, cb->bracount, MAX_GROUP_NUMBER, ERR61, &i,
&errorcode))
{
- if (*p != terminator)
+ if (p >= ptrend || *p != terminator)
{
errorcode = ERR57;
goto FAILED;
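Review bot: the added "p >= ptrend" guard in the "*p != terminator" test carries no comment, and without one it looks redundant to anyone who still thinks of the pattern as zero-terminated. A one-line comment saying that read_number() can stop with p equal to ptrend would protect the guard from being removed later. The ordering is right, since the bounds test short-circuits before the dereference. The branch taken when read_number() returns false is not visible in this hunk and deserves the same look if it reads *p.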
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2016-11-04 10:53:43 UTC (rev 594)
+++ code/trunk/testdata/testinput2 2016-11-04 11:05:21 UTC (rev 595)
@@ -4900,8 +4900,10 @@
/(?<!|!|!||||||(?<!)||(?<!)!|!||(?<!)!|!(?<!)!|!|!|!||||!!|<!)!|!||||!|/
-# /hex uses length, not zero-terminate
+/{2,2{2,2/use_length
-/'{2,2{2,2'/hex
+/.>*?\g'0/use_length
+/.>*?\g'0/
+
# End of testinput2
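Review bot: the comment "# /hex uses length, not zero-terminate" is removed and the new patterns get no replacement, so nothing in the file says that "/.>*?\g'0/use_length" is the regression case for the read past the end of the pattern. Add a comment line above them. The compile-time check compares against a variable named "terminator", so these tests exercise only the single-quote value of it; if other delimiters reach the same check, an unterminated case for each, with use_length, would cover them.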
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2016-11-04 10:53:43 UTC (rev 594)
+++ code/trunk/testdata/testoutput2 2016-11-04 11:05:21 UTC (rev 595)
@@ -15345,10 +15345,14 @@
/(?<!|!|!||||||(?<!)||(?<!)!|!||(?<!)!|!(?<!)!|!|!|!||||!!|<!)!|!||||!|/
-# /hex uses length, not zero-terminate
+/{2,2{2,2/use_length
-/'{2,2{2,2'/hex
+/.>*?\g'0/use_length
+Failed: error 157 at offset 6: \g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number
+/.>*?\g'0/
+Failed: error 157 at offset 6: \g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number
+
# End of testinput2
Error -63: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data
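Review bot: both "/.>*?\g'0/use_length" and "/.>*?\g'0/" expect the same "Failed: error 157 at offset 6" line, so the expected output alone does not distinguish the fixed code from the unguarded read. A one-unit over-read that happens to see anything other than the quote would print the same thing. The use_length case is therefore a reliable regression test only when the suite is run under a memory checker such as valgrind or AddressSanitizer, which is worth stating next to the test.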