Revision: 616
http://www.exim.org/viewvc/pcre2?view=rev&revision=616
Author: ph10
Date: 2016-12-09 18:19:38 +0000 (Fri, 09 Dec 2016)
Log Message:
-----------
Fix OOB error in substitute with start offset longer than length.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_substitute.c
code/trunk/testdata/testinput2
code/trunk/testdata/testoutput2
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2016-12-09 16:57:51 UTC (rev 615)
+++ code/trunk/ChangeLog 2016-12-09 18:19:38 UTC (rev 616)
@@ -208,7 +208,10 @@
PCRE2_SUBSTITUTE_EXTENDED was set caused a segmentation fault (NULL
dereference).
+33. If the starting offset was specified as greater than the subject length in
+a call to pcre2_substitute() an out-of-bounds memory reference could occur.
+
Version 10.22 29-July-2016
--------------------------
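Review bot: the new ChangeLog entry 33 describes the bug but not the behaviour the fix introduces; the code hunk makes pcre2_substitute() return PCRE2_ERROR_BADOFFSET when the start offset exceeds the subject length, and callers reading the ChangeLog would want that stated, e.g. "... an out-of-bounds memory reference could occur. The function now returns PCRE2_ERROR_BADOFFSET in this case."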
Modified: code/trunk/src/pcre2_substitute.c
===================================================================
--- code/trunk/src/pcre2_substitute.c 2016-12-09 16:57:51 UTC (rev 615)
+++ code/trunk/src/pcre2_substitute.c 2016-12-09 18:19:38 UTC (rev 616)
@@ -130,7 +130,7 @@
ptr += 1; /* Must point after \ */
erc = PRIV(check_escape)(&ptr, ptrend, &ch, &errorcode,
code->overall_options, FALSE, NULL);
- ptr -= 1; /* Back to last code unit of escape */
+ ptr -= 1; /* Back to last code unit of escape */
if (errorcode != 0)
{
rc = errorcode;
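Review bot: this hunk is a whitespace-only change to the comment on `ptr -= 1; /* Back to last code unit of escape */` and is unrelated to the bounds fix; cosmetic edits are better kept out of a commit that fixes a memory-safety bug so the fix stays minimal and easy to audit and backport.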
@@ -289,6 +289,12 @@
/* Copy up to the start offset */
+if (start_offset > length)
+ {
+ match_data->leftchar = 0;
+ rc = PCRE2_ERROR_BADOFFSET;
+ goto EXIT;
+ }
CHECKMEMCPY(subject, start_offset);
/* Loop for global substituting. */
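Review bot: the check is correctly placed before `CHECKMEMCPY(subject, start_offset)`, which would otherwise copy start_offset code units from a subject that is only length code units long, and `>` rather than `>=` is right because start_offset == length (matching at the very end of the subject) is a valid call. Two points: the check is applied only immediately before the copy, so it is worth confirming that nothing earlier in the function indexes the subject with start_offset, or else moving the check to the function's entry so a bad offset is rejected before any work is done; and `match_data->leftchar = 0;` on the error path has no comment explaining why it is needed here, which a one-line comment would clarify for the next reader.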
Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2 2016-12-09 16:57:51 UTC (rev 615)
+++ code/trunk/testdata/testinput2 2016-12-09 18:19:38 UTC (rev 616)
@@ -4928,4 +4928,7 @@
/(\x0e00\000000\xc)/replace=\P,substitute_extended
\x0e00\000000\xc
+//replace=0
+\=offset=7
+
# End of testinput2
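Review bot: the new test exercises only offset > length (an empty subject with `\=offset=7`); the boundary case offset == length, which the `>` comparison deliberately permits, is not covered. Add a companion test such as `\=offset=0` against the same empty subject, or a non-empty subject with an offset equal to its length, so that a later change of the comparison to `>=` would be caught.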
Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2 2016-12-09 16:57:51 UTC (rev 615)
+++ code/trunk/testdata/testoutput2 2016-12-09 18:19:38 UTC (rev 616)
@@ -15382,6 +15382,10 @@
\x0e00\000000\xc
Failed: error -57 at offset 2 in replacement: bad escape sequence in replacement string
+//replace=0
+\=offset=7
+Failed: error -33: bad offset value
+
# End of testinput2
Error -63: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data