[Pcre-svn] [779] code/trunk/src: A better fix for oss-fuzz 1…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [779] code/trunk/src: A better fix for oss-fuzz 1465.
Revision: 779
          http://www.exim.org/viewvc/pcre2?view=rev&revision=779
Author:   ph10
Date:     2017-05-11 17:28:54 +0100 (Thu, 11 May 2017)
Log Message:
-----------
A better fix for oss-fuzz 1465.


Modified Paths:
--------------
    code/trunk/src/pcre2_intmodedep.h
    code/trunk/src/pcre2_match.c
    code/trunk/src/pcre2_pattern_info.c


Modified: code/trunk/src/pcre2_intmodedep.h
===================================================================
--- code/trunk/src/pcre2_intmodedep.h    2017-05-10 18:21:03 UTC (rev 778)
+++ code/trunk/src/pcre2_intmodedep.h    2017-05-11 16:28:54 UTC (rev 779)
@@ -793,7 +793,11 @@
 #endif


/* The rest have to be copied from the previous frame whenever a new frame
- becomes current. */
+ becomes current. The final field is specified as a large vector so that
+ runtime array bound checks don't catch references to it. However, for any
+ specific call to pcre2_match() the memory allocated for each frame structure
+ allows for exactly the right size ovector for the number of capturing
+ parentheses. */

   PCRE2_SPTR eptr;           /* MUST BE FIRST */
   PCRE2_SPTR start_match;    /* Can be adjusted by \K */
@@ -802,7 +806,7 @@
   uint32_t capture_last;     /* Most recent capture */
   PCRE2_SIZE last_group_offset;  /* Saved offset to most recent group frame */
   PCRE2_SIZE offset_top;     /* Offset after highest capture */
-  PCRE2_SIZE ovector[2];     /* Must be last in the structure */
+  PCRE2_SIZE ovector[10000]; /* Must be last in the structure */
 } heapframe;


typedef char check_heapframe_size[
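Review bot: With `ovector` now declared as `[10000]`, `sizeof(heapframe)` no longer describes the memory a frame actually occupies, so any surviving use of it on a whole frame — a frame-to-frame `memcpy`, or the `check_heapframe_size` typedef that begins on the hunk's last line and continues outside it — would read or reason about bytes well beyond the per-call allocation. The field comment should state this explicitly: `PCRE2_SIZE ovector[10000]; /* Must be last; real per-frame size is frame_size, never sizeof(heapframe) */`. It would also be worth grepping the tree for remaining `sizeof(heapframe)` uses as part of this change, since only the two size computations are updated here.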

Modified: code/trunk/src/pcre2_match.c
===================================================================
--- code/trunk/src/pcre2_match.c    2017-05-10 18:21:03 UTC (rev 778)
+++ code/trunk/src/pcre2_match.c    2017-05-11 16:28:54 UTC (rev 779)
@@ -189,7 +189,7 @@
 allocated is bigger so we want to be able to address more elements. Without the 
 case, -fsanitize=undefined grumbles at this. */


-#define Fovector           ((PCRE2_SIZE *)(F->ovector))
+#define Fovector           F->ovector



#ifdef DEBUG_FRAMES_DISPLAY
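Review bot: The comment that ends just above the `#define` ("...Without the case, -fsanitize=undefined grumbles at this.") explains the cast this hunk removes, so it is now stale, and it also has the typo "case" for "cast". The comment starts outside the hunk; rewrite it to describe the new arrangement, e.g. `/* The ovector field is declared with a large bound in the heapframe structure so that runtime array bound checks accept indexes up to the size actually allocated for each frame; no cast is needed. */`.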
@@ -6281,7 +6281,8 @@
has to be expanded. We therefore put it into the match block so that it is
correct when calling match() more than once for non-anchored patterns. */

-frame_size = sizeof(heapframe) + ((re->top_bracket - 1) * 2 * sizeof(PCRE2_SIZE));
+frame_size = offsetof(heapframe, ovector) +
+ re->top_bracket * 2 * sizeof(PCRE2_SIZE);

/* Limits set in the pattern override the match context only if they are
smaller. */
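Review bot: The frame-size expression `offsetof(heapframe, ovector) + re->top_bracket * 2 * sizeof(PCRE2_SIZE)` is now duplicated verbatim in pcre2_pattern_info.c (PCRE2_INFO_FRAMESIZE), and the two must stay identical or callers that size a buffer from PCRE2_INFO_FRAMESIZE will get frames that pcre2_match() overruns. Define it once in pcre2_intmodedep.h, e.g. `#define HEAPFRAME_SIZE(re) (offsetof(heapframe, ovector) + (re)->top_bracket * 2 * sizeof(PCRE2_SIZE))`, and use the macro in both places. `offsetof` needs `<stddef.h>`; if the internal headers do not already include it, add it rather than relying on a transitive include.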

Modified: code/trunk/src/pcre2_pattern_info.c
===================================================================
--- code/trunk/src/pcre2_pattern_info.c    2017-05-10 18:21:03 UTC (rev 778)
+++ code/trunk/src/pcre2_pattern_info.c    2017-05-11 16:28:54 UTC (rev 779)
@@ -160,8 +160,8 @@
   break;


   case PCRE2_INFO_FRAMESIZE:
-  *((size_t *)where) = sizeof(heapframe) +
-    ((re->top_bracket - 1) * 2 * sizeof(PCRE2_SIZE));
+  *((size_t *)where) = offsetof(heapframe, ovector) +
+    re->top_bracket * 2 * sizeof(PCRE2_SIZE);
   break;


case PCRE2_INFO_HASBACKSLASHC: