[Pcre-svn] [622] code/trunk: Fix name table sort buffer over…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [622] code/trunk: Fix name table sort buffer overflow.
Revision: 622
          http://www.exim.org/viewvc/pcre2?view=rev&revision=622
Author:   ph10
Date:     2016-12-21 17:09:11 +0000 (Wed, 21 Dec 2016)
Log Message:
-----------
Fix name table sort buffer overflow.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_compile.c
    code/trunk/testdata/testinput1
    code/trunk/testdata/testoutput1


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2016-12-20 17:10:30 UTC (rev 621)
+++ code/trunk/ChangeLog    2016-12-21 17:09:11 UTC (rev 622)
@@ -48,11 +48,12 @@
 given only for a callout at the end of the pattern. Automatic callouts are no
 longer inserted before and after explicit callouts in the pattern.


-Some bugs in the refactored code were subsequently fixed before release.
-Several of them were related to the change from assuming a zero-terminated
-pattern (which previously had required non-zero terminated strings to be
-copied). These bugs were never in released code, but are noted here for the
-record, once the code was made available in the repository.
+A number of bugs in the refactored code were subsequently fixed before release,
+but after the code was made available in the repository. Many of the bugs were
+discovered by fuzzing testing. Several of them were related to the change from
+assuming a zero-terminated pattern (which previously had required non-zero
+terminated strings to be copied). These bugs were never in released code, but
+are noted here for the record.

   (a) An overall recursion such as (?0) inside a lookbehind assertion was not
       being diagnosed as an error.
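Review bot: minor wording in the replacement paragraph: "fuzzing testing" reads awkwardly; "fuzz testing" (or simply "fuzzing") is the usual term. The rest of the rewrite reads fine and the "discovered by fuzzing" detail is worth keeping in the record.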
@@ -106,6 +107,9 @@
       followed by '?' or '+', and there was at least one literal character
       between them, an internal error "unexpected repeat" occurred (example:
       /.+\QX\E+/).
+      
+  (p) A buffer overflow could occur while sorting the names in the group name 
+      list (depending on the order in which the names were seen). 


4. Back references are now permitted in lookbehind assertions when there are
no duplicated group numbers (that is, (?| has not been used), and, if the
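Review bot: the three added lines carry trailing whitespace (the blank line after "/.+\QX\E+/)." and both lines of item (p)); strip it before committing. Item (p) would also be more useful as a record if it named the defect rather than only the symptom, e.g. "the memmove that shifts entries while inserting a name into the sorted table used the total name count rather than the number of entries already in the table", which is what the pcre2_compile.c hunk in this revision suggests.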

Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c    2016-12-20 17:10:30 UTC (rev 621)
+++ code/trunk/src/pcre2_compile.c    2016-12-21 17:09:11 UTC (rev 622)
@@ -8273,7 +8273,7 @@
   if (crc < 0)
     {
     memmove(slot + cb->name_entry_size, slot,
-      CU2BYTES((cb->names_found - i) * cb->name_entry_size));
+      CU2BYTES((tablecount - i) * cb->name_entry_size));
     break;
     }
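Review bot: the memmove length now uses tablecount instead of cb->names_found, but the three lines of context do not show where tablecount is maintained; please confirm it is the number of entries currently in the table at this point (the table being filled incrementally while names_found is the final count, so the old length overshot by (cb->names_found - tablecount) entries of name_entry_size). A one-line comment above the memmove stating that the table holds tablecount entries here would make that invariant explicit and stop a later edit from reintroducing names_found. Since the new testinput1 pattern is the regression test for this, running the test suite under AddressSanitizer or valgrind is the way to confirm the overrun is actually gone rather than merely unobserved.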



Modified: code/trunk/testdata/testinput1
===================================================================
--- code/trunk/testdata/testinput1    2016-12-20 17:10:30 UTC (rev 621)
+++ code/trunk/testdata/testinput1    2016-12-21 17:09:11 UTC (rev 622)
@@ -5818,4 +5818,6 @@
 /(Z)(a)\2{1,2}?(?-i)\1X/i
     ZaAAZX


+/(?'c')XX(?'YYYYYYYYYYYYYYYYYYYYYYYCl')/
+
# End of testinput1
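Review bot: the new pattern has no subject lines, so this test only checks that the pattern compiles; the overflow itself would not show in the test output, only under a sanitizer or valgrind run. A short comment above the pattern saying it is the regression test for the name-table sort overflow (ChangeLog item (p) in this revision) would tell anyone revisiting the file why a pattern with a one-character group name followed by a long one is here, and that the order of the names is the point.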

Modified: code/trunk/testdata/testoutput1
===================================================================
--- code/trunk/testdata/testoutput1    2016-12-20 17:10:30 UTC (rev 621)
+++ code/trunk/testdata/testoutput1    2016-12-21 17:09:11 UTC (rev 622)
@@ -9295,4 +9295,6 @@
  1: Z
  2: a


+/(?'c')XX(?'YYYYYYYYYYYYYYYYYYYYYYYCl')/
+
# End of testinput1
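Review bot: the expected output echoes only the pattern with no error line, which is the right expectation for a pattern that now compiles cleanly. The trailing context line "# End of testinput1" in testoutput1 is pre-existing and not part of this change, but it names the wrong file; worth correcting in a follow-up commit so the two files stay distinguishable in diffs like this one.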