[Pcre-svn] [616] code/trunk: Fix OOB error in substitute wit…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
 
 
Delete this message
Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [616] code/trunk: Fix OOB error in substitute with start offset longer than length.
Revision: 616
          http://www.exim.org/viewvc/pcre2?view=rev&revision=616
Author:   ph10
Date:     2016-12-09 18:19:38 +0000 (Fri, 09 Dec 2016)
Log Message:
-----------
Fix OOB error in substitute with start offset longer than length.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_substitute.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2016-12-09 16:57:51 UTC (rev 615)
+++ code/trunk/ChangeLog    2016-12-09 18:19:38 UTC (rev 616)
@@ -208,7 +208,10 @@
 PCRE2_SUBSTITUTE_EXTENDED was set caused a segmentation fault (NULL 
 dereference).


+33. If the starting offset was specified as greater than the subject length in
+a call to pcre2_substitute() an out-of-bounds memory reference could occur.

+
Version 10.22 29-July-2016
-------------------------- 


Modified: code/trunk/src/pcre2_substitute.c
===================================================================
--- code/trunk/src/pcre2_substitute.c    2016-12-09 16:57:51 UTC (rev 615)
+++ code/trunk/src/pcre2_substitute.c    2016-12-09 18:19:38 UTC (rev 616)
@@ -130,7 +130,7 @@
     ptr += 1;  /* Must point after \ */
     erc = PRIV(check_escape)(&ptr, ptrend, &ch, &errorcode,
       code->overall_options, FALSE, NULL);
-    ptr -= 1;  /* Back to last code unit of escape */ 
+    ptr -= 1;  /* Back to last code unit of escape */
     if (errorcode != 0)
       {
       rc = errorcode;
@@ -289,6 +289,12 @@


/* Copy up to the start offset */

+if (start_offset > length)
+ {
+ match_data->leftchar = 0;
+ rc = PCRE2_ERROR_BADOFFSET;
+ goto EXIT;
+ }
CHECKMEMCPY(subject, start_offset);

/* Loop for global substituting. */ 

Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2016-12-09 16:57:51 UTC (rev 615)
+++ code/trunk/testdata/testinput2    2016-12-09 18:19:38 UTC (rev 616)
@@ -4928,4 +4928,7 @@
 /(\x0e00\000000\xc)/replace=\P,substitute_extended
 \x0e00\000000\xc


+//replace=0
+\=offset=7
+
# End of testinput2 

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2016-12-09 16:57:51 UTC (rev 615)
+++ code/trunk/testdata/testoutput2    2016-12-09 18:19:38 UTC (rev 616)
@@ -15382,6 +15382,10 @@
 \x0e00\000000\xc
 Failed: error -57 at offset 2 in replacement: bad escape sequence in replacement string


+//replace=0
+\=offset=7
+Failed: error -33: bad offset value
+
# End of testinput2
Error -63: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data
This message was posted to the following mailing lists:
Pcre-svn
Mailing List Info | Nearby Messages		<-[Pcre-svn] [615] code/trunk: Fix NULL defer in extended substition for \p, \P, or \X.[Pcre-svn] [617] code/trunk: Fix caseless minimizing back reference bug when heap in use for recursion.->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)