[Pcre-svn] [1740] code/trunk: Fix subject buffer overread in…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1740] code/trunk: Fix subject buffer overread in JIT.
Revision: 1740
          http://vcs.pcre.org/viewvc?view=rev&revision=1740
Author:   zherczeg
Date:     2018-09-21 08:34:10 +0100 (Fri, 21 Sep 2018)
Log Message:
-----------
Fix subject buffer overread in JIT.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_jit_compile.c


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2018-09-02 17:05:38 UTC (rev 1739)
+++ code/trunk/ChangeLog    2018-09-21 07:34:10 UTC (rev 1740)
@@ -37,7 +37,10 @@
 assumed empty second branch cannot be anchored. Demonstrated by test patterns 
 such as /(?(1)^())b/ or /(?(?=^))b/.


+7. Fix subject buffer overread in JIT when UTF is disabled and \X or \R has
+a greater than 1 fixed quantifier. This issue was found by Yunho Kim.

+
Version 8.42 20-March-2018
--------------------------

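Review bot: the new ChangeLog entry 7 in this hunk describes the trigger (\X or \R with a fixed quantifier greater than 1, UTF disabled) but, unlike entry 6 just above it, gives no demonstrating pattern, and the Modified Paths list shows no testdata file in this revision, so the fix lands without a regression test. Consider naming a reproducer in the entry (a pattern built from the description, such as /\R{2}/ or /\X{3}/ compiled without UTF and run against a subject shorter than the quantified count) and adding it to the JIT test data in a follow-up so the overread cannot silently return.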

Modified: code/trunk/pcre_jit_compile.c
===================================================================
--- code/trunk/pcre_jit_compile.c    2018-09-02 17:05:38 UTC (rev 1739)
+++ code/trunk/pcre_jit_compile.c    2018-09-21 07:34:10 UTC (rev 1740)
@@ -9002,7 +9002,7 @@
 #ifdef SUPPORT_UTF
       && !common->utf
 #endif
-      )
+      && type != OP_ANYNL && type != OP_EXTUNI)
     {
     OP2(SLJIT_ADD, TMP1, 0, STR_PTR, 0, SLJIT_IMM, IN_UCHARS(exact));
     add_jump(compiler, &backtrack->topbacktracks, CMP(SLJIT_GREATER, TMP1, 0, STR_END, 0));
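Review bot: the extended condition `&& type != OP_ANYNL && type != OP_EXTUNI` carries no comment explaining why these two opcodes are excluded from the fast path, and a reader of the surrounding `#ifdef SUPPORT_UTF` / `!common->utf` block would otherwise assume the one-character-per-iteration guarantee holds for every non-UTF opcode. The fast path below emits a single `STR_PTR + IN_UCHARS(exact) > STR_END` comparison and then relies on each of the `exact` iterations consuming exactly one code unit; \R (OP_ANYNL) can consume two code units on CRLF and \X (OP_EXTUNI) can consume several even without UTF, so the single check does not bound the later reads, which is the overread named in the commit message. Suggest a short comment above the condition, e.g. `/* OP_ANYNL and OP_EXTUNI may consume more than one character per iteration, so the single end check is insufficient. */`, so the next person who touches this condition knows why those two types fall back to the per-iteration bounds check.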