[Pcre-svn] [596] code/trunk: Fix bad working space size calc…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [596] code/trunk: Fix bad working space size calculation when PCRE2_AUTO_CALLOUT is set.
Revision: 596
          http://www.exim.org/viewvc/pcre2?view=rev&revision=596
Author:   ph10
Date:     2016-11-04 16:35:47 +0000 (Fri, 04 Nov 2016)
Log Message:
-----------
Fix bad working space size calculation when PCRE2_AUTO_CALLOUT is set.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_compile.c
    code/trunk/src/pcre2_error.c
    code/trunk/src/pcre2_fuzzsupport.c
    code/trunk/src/pcre2_intmodedep.h


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2016-11-04 11:05:21 UTC (rev 595)
+++ code/trunk/ChangeLog    2016-11-04 16:35:47 UTC (rev 596)
@@ -79,6 +79,9 @@
       pattern one further code unit was read.


   (h) An unterminated number after \g' could cause reading beyond the pattern. 
+  
+  (i) An insufficient memory size was being computed for compiling with 
+      PCRE2_AUTO_CALLOUT. 


4. Back references are now permitted in lookbehind assertions when there are
no duplicated group numbers (that is, (?| has not been used), and, if the

Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c    2016-11-04 11:05:21 UTC (rev 595)
+++ code/trunk/src/pcre2_compile.c    2016-11-04 16:35:47 UTC (rev 596)
@@ -2146,6 +2146,7 @@
 uint32_t *verblengthptr = NULL;     /* Value avoids compiler warning */
 uint32_t *previous_callout = NULL;
 uint32_t *parsed_pattern = cb->parsed_pattern;
+uint32_t *parsed_pattern_end = cb->parsed_pattern_end;
 uint32_t meta_quantifier = 0;
 uint16_t nest_depth = 0;
 int after_manual_callout = 0;
@@ -2188,6 +2189,12 @@
   PCRE2_SPTR tempptr;
   PCRE2_SPTR thisptr;
   PCRE2_SIZE offset;
+  
+  if (parsed_pattern >= parsed_pattern_end)
+    {
+    errorcode = ERR63;  /* Internal error (parsed pattern overflow) */
+    goto FAILED; 
+    }   


   if (nest_depth > cb->cx->parens_nest_limit)
     {
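Review bot: The new overflow guard runs once at the top of each loop iteration, so it only establishes `parsed_pattern < parsed_pattern_end` when an iteration starts, not after every item the iteration writes; a single iteration can emit several uint32_t items (the auto-callout entries the size multiplier in the later hunk accounts for), so avoiding an out-of-bounds write still depends on the caller's size estimate and the `+ 1` slack in `parsed_pattern_end` covering the largest per-iteration emission. That dependency should be stated where the check lives, e.g. `/* Checked once per iteration; one iteration may write several items, so the size computed by the caller must cover the largest per-iteration emission. */`. The enclosing function parse_regex starts and ends outside this hunk, so the number of items written per iteration cannot be confirmed from here.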
@@ -9158,7 +9165,7 @@


parsed_size_needed = patlen - skipatstart + big32count;
if ((options & PCRE2_AUTO_CALLOUT) != 0)
- parsed_size_needed = (parsed_size_needed + 1) * 4;
+ parsed_size_needed = (parsed_size_needed + 1) * 5;

 if (parsed_size_needed >= PARSED_PATTERN_DEFAULT_SIZE)
   {
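Review bot: The multiplier on the PCRE2_AUTO_CALLOUT line is a bare constant with nothing tying it to what parse_regex emits per code unit, which is presumably how the previous value 4 came to be wrong; this hunk only corrects the number, and a later change to the parser's callout emission would silently invalidate it again. Suggest either a named constant or a comment that records the derivation, such as `/* presumably the largest number of parsed items one code unit can yield when auto callouts are inserted; keep in step with parse_regex — TODO confirm */`. The enclosing function starts and ends outside this hunk.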
@@ -9171,7 +9178,8 @@
     }
   cb.parsed_pattern = heap_parsed_pattern;
   }
-
+cb.parsed_pattern_end = cb.parsed_pattern + parsed_size_needed + 1; 
+  
 /* Do the parsing scan. */


errorcode = parse_regex(ptr, cb.external_options, &has_lookbehind, &cb);

Modified: code/trunk/src/pcre2_error.c
===================================================================
--- code/trunk/src/pcre2_error.c    2016-11-04 11:05:21 UTC (rev 595)
+++ code/trunk/src/pcre2_error.c    2016-11-04 16:35:47 UTC (rev 596)
@@ -138,7 +138,7 @@
   "(*VERB) not recognized or malformed\0"
   "group number is too big\0"
   "subpattern name expected\0"
-  "SPARE ERROR\0"
+  "internal error: parsed pattern overflow\0"
   "non-octal character in \\o{} (closing brace missing?)\0"
   /* 65 */
   "different names for subpatterns of the same number are not allowed\0"


Modified: code/trunk/src/pcre2_fuzzsupport.c
===================================================================
--- code/trunk/src/pcre2_fuzzsupport.c    2016-11-04 11:05:21 UTC (rev 595)
+++ code/trunk/src/pcre2_fuzzsupport.c    2016-11-04 16:35:47 UTC (rev 596)
@@ -65,11 +65,11 @@
 \C in random patterns is highly likely to cause a crash.  */


compile_options =
- ((uint32_t)((r1 << 16) | (r2 & 0xffff)) & ALLOWED_COMPILE_OPTIONS) |
+ ((((uint32_t)r1 << 16) | ((uint32_t)r2 & 0xffff)) & ALLOWED_COMPILE_OPTIONS) |
PCRE2_NEVER_BACKSLASH_C;

match_options =
- ((uint32_t)((r1 << 16) | (r2 & 0xffff)) & ALLOWED_MATCH_OPTIONS);
+ ((((uint32_t)r1 << 16) | ((uint32_t)r2 & 0xffff)) & ALLOWED_MATCH_OPTIONS);

/* Do the compile with and without the options, and after a successful compile,
likewise do the match with and without the options. */
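Review bot: The reason for moving the `(uint32_t)` casts inside the expression is not recorded anywhere in the hunk; without it, a reader may later "simplify" the expression back to the original form. A one-line comment above the first assignment would preserve the intent, e.g. `/* Cast each operand before shifting/masking so the shift is done on an unsigned value */`, hedged as appropriate if r1 and r2 are not declared as signed types (their declarations are outside this hunk). The enclosing function starts and ends outside the hunk.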

Modified: code/trunk/src/pcre2_intmodedep.h
===================================================================
--- code/trunk/src/pcre2_intmodedep.h    2016-11-04 11:05:21 UTC (rev 595)
+++ code/trunk/src/pcre2_intmodedep.h    2016-11-04 16:35:47 UTC (rev 596)
@@ -713,6 +713,7 @@
   uint32_t bracount;               /* Count of capturing parentheses */
   uint32_t lastcapture;            /* Last capture encountered */ 
   uint32_t *parsed_pattern;        /* Parsed pattern buffer */ 
+  uint32_t *parsed_pattern_end;    /* Parsed pattern should not get here */ 
   uint32_t *groupinfo;             /* Group info vector */
   uint32_t top_backref;            /* Maximum back reference */
   uint32_t backref_map;            /* Bitmap of low back refs */
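Review bot: The field comment on the new `parsed_pattern_end` member, "Parsed pattern should not get here", does not say what the pointer is or how it is used, which matters because it is the only thing standing between the parser and an out-of-bounds write. From the compile.c hunks it is set to `parsed_pattern + parsed_size_needed + 1` and the parser errors when `parsed_pattern >= parsed_pattern_end`, so a comment like `/* One past the last usable slot of parsed_pattern; parser fails with ERR63 on reaching it */` would describe the contract; the exact relation to the buffer's allocated size is set outside these hunks and should be checked before wording it as a hard bound.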