Revision: 779
http://www.exim.org/viewvc/pcre2?view=rev&revision=779
Author: ph10
Date: 2017-05-11 17:28:54 +0100 (Thu, 11 May 2017)
Log Message:
-----------
A better fix for oss-fuzz 1465.
Modified Paths:
--------------
code/trunk/src/pcre2_intmodedep.h
code/trunk/src/pcre2_match.c
code/trunk/src/pcre2_pattern_info.c
Modified: code/trunk/src/pcre2_intmodedep.h
===================================================================
--- code/trunk/src/pcre2_intmodedep.h 2017-05-10 18:21:03 UTC (rev 778)
+++ code/trunk/src/pcre2_intmodedep.h 2017-05-11 16:28:54 UTC (rev 779)
@@ -793,7 +793,11 @@
#endif
/* The rest have to be copied from the previous frame whenever a new frame
- becomes current. */
+ becomes current. The final field is specified as a large vector so that
+ runtime array bound checks don't catch references to it. However, for any
+ specific call to pcre2_match() the memory allocated for each frame structure
+ allows for exactly the right size ovector for the number of capturing
+ parentheses. */
PCRE2_SPTR eptr; /* MUST BE FIRST */
PCRE2_SPTR start_match; /* Can be adjusted by \K */
@@ -802,7 +806,7 @@
uint32_t capture_last; /* Most recent capture */
PCRE2_SIZE last_group_offset; /* Saved offset to most recent group frame */
PCRE2_SIZE offset_top; /* Offset after highest capture */
- PCRE2_SIZE ovector[2]; /* Must be last in the structure */
+ PCRE2_SIZE ovector[10000]; /* Must be last in the structure */
} heapframe;
typedef char check_heapframe_size[
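Review bot: The literal in `PCRE2_SIZE ovector[10000];` is a magic number with a security-relevant meaning — it is the largest index a runtime array-bounds checker will accept (5000 capturing groups), not a limit the allocator enforces — so it should be a named constant defined beside the heapframe with a comment stating that the declared size is a dummy for bounds checkers and the real size is `offsetof(heapframe, ovector) + top_bracket * 2 * sizeof(PCRE2_SIZE)`. Nothing visible ties that number to PCRE2's maximum number of capturing groups, so a pattern with more than 5000 groups will presumably trip the sanitizer again even though its frames are correctly allocated; the comment should say so. The `check_heapframe_size` typedef that begins on the last line of this hunk looks like a compile-time check on `sizeof(heapframe)`, which is no longer the allocation unit after this change; if its purpose is to guarantee that consecutive frames in the frame vector stay aligned, it should now constrain `offsetof(heapframe, ovector)` instead. Any remaining use of `sizeof(heapframe)` to size an allocation would now request roughly 10000 * sizeof(PCRE2_SIZE) bytes per frame, so such uses are worth auditing. The heapframe definition starts before this hunk.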
Modified: code/trunk/src/pcre2_match.c
===================================================================
--- code/trunk/src/pcre2_match.c 2017-05-10 18:21:03 UTC (rev 778)
+++ code/trunk/src/pcre2_match.c 2017-05-11 16:28:54 UTC (rev 779)
@@ -189,7 +189,7 @@
allocated is bigger so we want to be able to address more elements. Without the
case, -fsanitize=undefined grumbles at this. */
-#define Fovector ((PCRE2_SIZE *)(F->ovector))
+#define Fovector F->ovector
#ifdef DEBUG_FRAMES_DISPLAY
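Review bot: The comment directly above `#define Fovector F->ovector` is now stale: its visible tail still justifies the cast (“Without the case, -fsanitize=undefined grumbles at this”) that this hunk removes, so a reader will look for a cast that no longer exists. Replace that explanation with why the plain member access is now acceptable, e.g. `/* ovector is declared with a large dummy size so that F->ovector[n] passes runtime bounds checks; the real length is allocated per match from top_bracket. */`. In the retained text, "case" appears to be a typo for "cast", which is another reason to rewrite it. The comment begins outside the hunk.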
@@ -6281,7 +6281,8 @@
has to be expanded. We therefore put it into the match block so that it is
correct when calling match() more than once for non-anchored patterns. */
-frame_size = sizeof(heapframe) + ((re->top_bracket - 1) * 2 * sizeof(PCRE2_SIZE));
+frame_size = offsetof(heapframe, ovector) +
+ re->top_bracket * 2 * sizeof(PCRE2_SIZE);
/* Limits set in the pattern override the match context only if they are
smaller. */
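Review bot: The size formula `offsetof(heapframe, ovector) + re->top_bracket * 2 * sizeof(PCRE2_SIZE)` is written out twice, here and in the PCRE2_INFO_FRAMESIZE case of pcre2_pattern_info.c; a single macro or static inline helper taking `top_bracket`, placed next to the heapframe definition, would keep the two sites from drifting, which matters because a mismatch between the frame size pcre2_pattern_info() reports and the size match() actually writes into is exactly the kind of undersized-buffer defect this commit fixes. `offsetof` requires `<stddef.h>`; neither hunk adds an include, so confirm it is already reached through the existing headers in both translation units. Note also that the struct's declared `ovector[10000]` keeps bounds checkers quiet only up to 5000 capturing groups, while this computation correctly sizes frames for any `top_bracket`, so larger patterns will presumably report sanitizer findings that are not real overflows. The enclosing function starts outside the hunk.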
Modified: code/trunk/src/pcre2_pattern_info.c
===================================================================
--- code/trunk/src/pcre2_pattern_info.c 2017-05-10 18:21:03 UTC (rev 778)
+++ code/trunk/src/pcre2_pattern_info.c 2017-05-11 16:28:54 UTC (rev 779)
@@ -160,8 +160,8 @@
break;
case PCRE2_INFO_FRAMESIZE:
- *((size_t *)where) = sizeof(heapframe) +
- ((re->top_bracket - 1) * 2 * sizeof(PCRE2_SIZE));
+ *((size_t *)where) = offsetof(heapframe, ovector) +
+ re->top_bracket * 2 * sizeof(PCRE2_SIZE);
break;
case PCRE2_INFO_HASBACKSLASHC: