[Pcre-svn] [1266] code/trunk: Fix read overflow for invalid …

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1266] code/trunk: Fix read overflow for invalid VERSION test with one fractional digit at the end
Revision: 1266
          http://www.exim.org/viewvc/pcre2?view=rev&revision=1266
Author:   ph10
Date:     2020-06-29 16:35:49 +0100 (Mon, 29 Jun 2020)
Log Message:
-----------
Fix read overflow for invalid VERSION test with one fractional digit at the end 
of a pattern. Fixes ClusterFuzz 23779.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2020-06-22 15:51:19 UTC (rev 1265)
+++ code/trunk/ChangeLog    2020-06-29 15:35:49 UTC (rev 1266)
@@ -44,7 +44,11 @@
 debug Windows builds using CMake. This also updated configure so that it
 generates *.pc files and pcre2-config with the same content, as in the past.


+8. If a pattern ended with (?(VERSION=n.d where n is any number but d is just a
+single digit, the code unit beyond d was being read (i.e. there was a read
+buffer overflow). Fixes ClusterFuzz 23779.

+
Version 10.35 09-May-2020
---------------------------
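Review bot: The entry could state the security impact explicitly: since d is the last character of the pattern, "the code unit beyond d" is the code unit at the end of the pattern buffer, so this was a one-code-unit out-of-bounds read of the pattern during compilation, reachable only through a syntactically invalid pattern (the subject line says "invalid VERSION test", the entry itself does not). A phrase such as "read one code unit past the end of the pattern" would save readers of the ChangeLog from having to infer that.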


Modified: code/trunk/src/pcre2_compile.c
===================================================================
--- code/trunk/src/pcre2_compile.c    2020-06-22 15:51:19 UTC (rev 1265)
+++ code/trunk/src/pcre2_compile.c    2020-06-29 15:35:49 UTC (rev 1266)
@@ -4331,6 +4331,7 @@
           {
           if (++ptr >= ptrend || !IS_DIGIT(*ptr)) goto BAD_VERSION_CONDITION;
           minor = (*ptr++ - CHAR_0) * 10;
+          if (ptr >= ptrend) goto BAD_VERSION_CONDITION;
           if (IS_DIGIT(*ptr)) minor += *ptr++ - CHAR_0;
           if (ptr >= ptrend || *ptr != CHAR_RIGHT_PARENTHESIS)
             goto BAD_VERSION_CONDITION;
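Review bot: The added `if (ptr >= ptrend) goto BAD_VERSION_CONDITION;` is the right check and in the right place: the preceding `minor = (*ptr++ - CHAR_0) * 10;` advances `ptr` past the first fractional digit without a bound test, so when that digit is the last code unit of the pattern the following `IS_DIGIT(*ptr)` dereferenced `ptrend`. As a style point, the same protection can be had without a second `goto` by guarding the optional-digit test itself, `if (ptr < ptrend && IS_DIGIT(*ptr)) minor += *ptr++ - CHAR_0;`, because the existing `if (ptr >= ptrend || *ptr != CHAR_RIGHT_PARENTHESIS)` on the next line already reports BAD_VERSION_CONDITION for the end-of-pattern case; the explicit form chosen here is at least clearer about intent, so either is acceptable. It would be worth confirming that the major-number digit loop above this hunk (not shown) applies the same `ptr >= ptrend` test before every dereference, since it follows the same advance-then-test shape.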


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2020-06-22 15:51:19 UTC (rev 1265)
+++ code/trunk/testdata/testinput2    2020-06-29 15:35:49 UTC (rev 1266)
@@ -5864,4 +5864,6 @@
 /"(*MARK:>" 00 "<).(?C1)."/hex,mark,no_start_optimize
     AB


+/(?(VERSION=0.0/
+
# End of testinput2
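Review bot: The new case `/(?(VERSION=0.0/` is exactly the shape described in the log message (pattern ending immediately after a single fractional digit), which is good. Be aware that this regression test is only meaningful under a memory checker: before the fix the stray read of the code unit at `ptrend` was silent, and unless that byte happened to be a digit the subsequent `ptr >= ptrend` check still produced the same "Failed" line, so the test passes with or without the fix unless the suite runs under ASan or valgrind. Consider also pinning the neighbouring end-of-pattern shapes, `/(?(VERSION=0./` (no fractional digit, caught by `++ptr >= ptrend`) and `/(?(VERSION=0.00/` (two digits, caught by the final `ptr >= ptrend` check), so that every exit of this parsing sequence has a test.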

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2020-06-22 15:51:19 UTC (rev 1265)
+++ code/trunk/testdata/testoutput2    2020-06-29 15:35:49 UTC (rev 1266)
@@ -17621,6 +17621,9 @@
  0: AB
 MK: >\x00<


+/(?(VERSION=0.0/
+Failed: error 179 at offset 14: syntax error or number too big in (?(VERSION condition
+
# End of testinput2
Error -70: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data
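Review bot: The expected `error 179 at offset 14` is consistent with the fix: `(?(VERSION=0.0` is 14 code units long, so offset 14 is exactly `ptrend`, meaning the error is now raised by the new bound check at the end of the pattern rather than after a read beyond it. The `Error -70` and `Error -62` lines that follow are the existing tail of testoutput2 carried as hunk context and are unchanged by this commit.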