[Pcre-svn] [1267] code/trunk: Fix an early fail optimization…

Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1267] code/trunk: Fix an early fail optimization issue and a buffer overread in JIT.
Revision: 1267
          http://www.exim.org/viewvc/pcre2?view=rev&revision=1267
Author:   zherczeg
Date:     2020-07-15 05:35:32 +0100 (Wed, 15 Jul 2020)
Log Message:
-----------
Fix an early fail optimization issue and a buffer overread in JIT.


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/src/pcre2_jit_compile.c
    code/trunk/src/pcre2_jit_test.c


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2020-06-29 15:35:49 UTC (rev 1266)
+++ code/trunk/ChangeLog    2020-07-15 04:35:32 UTC (rev 1267)
@@ -48,7 +48,11 @@
 single digit, the code unit beyond d was being read (i.e. there was a read 
 buffer overflow). Fixes ClusterFuzz 23779.


+9. After the rework in r1235, certain character ranges were incorrectly
+handled by an optimization in JIT. Furthermore a wrong offset was used to
+read a value from a buffer which could lead to memory overread.

+
Version 10.35 09-May-2020
---------------------------


Modified: code/trunk/src/pcre2_jit_compile.c
===================================================================
--- code/trunk/src/pcre2_jit_compile.c    2020-06-29 15:35:49 UTC (rev 1266)
+++ code/trunk/src/pcre2_jit_compile.c    2020-07-15 04:35:32 UTC (rev 1267)
@@ -1466,9 +1466,9 @@
         default:
         accelerated_start = NULL;
         fast_forward_allowed = FALSE;
-        break;
+        continue;
         }
-      continue;
+      break;


       case OP_ONCE:
       case OP_BRA:
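Review bot: The `continue` now sitting in the `default:` arm of the inner switch and the `break` that follows the switch exit to two different scopes, and because neither the enclosing loop nor the outer `switch` is visible in this hunk it is easy to misread which statement leaves what; the swap is the optimization fix the log describes, but the intent is only clear to someone who knows the loop structure. A one-line comment on the new `continue`, for example `/* continue: resumes the enclosing scan loop, not the switch */`, and one on the new `break`, `/* accelerated start found for this opcode; leave the outer switch */`, would document the control flow without changing it — the second wording is an inference from the `accelerated_start = NULL` reset in the default arm, so please adjust it if that is not what the loop does. The enclosing function, its loop and the outer switch all start and end outside the hunk.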
@@ -1834,57 +1834,57 @@
     case OP_BRAZERO:
     case OP_BRAMINZERO:
     case OP_BRAPOSZERO:
+    size = 1;
     repeat_check = FALSE;
-    size = 1;
     break;


     CASE_ITERATOR_PRIVATE_DATA_1
+    size = -2;
     space = 1;
-    size = -2;
     break;


     CASE_ITERATOR_PRIVATE_DATA_2A
+    size = -2;
     space = 2;
-    size = -2;
     break;


     CASE_ITERATOR_PRIVATE_DATA_2B
+    size = -(2 + IMM2_SIZE);
     space = 2;
-    size = -(2 + IMM2_SIZE);
     break;


     CASE_ITERATOR_TYPE_PRIVATE_DATA_1
+    size = 1;
     space = 1;
-    size = 1;
     break;


     CASE_ITERATOR_TYPE_PRIVATE_DATA_2A
+    size = 1;
     if (cc[1] != OP_ANYNL && cc[1] != OP_EXTUNI)
       space = 2;
-    size = 1;
     break;


     case OP_TYPEUPTO:
+    size = 1 + IMM2_SIZE;
     if (cc[1 + IMM2_SIZE] != OP_ANYNL && cc[1 + IMM2_SIZE] != OP_EXTUNI)
       space = 2;
-    size = 1 + IMM2_SIZE;
     break;


     case OP_TYPEMINUPTO:
+    size = 1 + IMM2_SIZE;
     space = 2;
-    size = 1 + IMM2_SIZE;
     break;


     case OP_CLASS:
     case OP_NCLASS:
+    size = 1 + 32 / sizeof(PCRE2_UCHAR);
     space = get_class_iterator_size(cc + size);
-    size = 1 + 32 / sizeof(PCRE2_UCHAR);
     break;


 #if defined SUPPORT_UNICODE || PCRE2_CODE_UNIT_WIDTH != 8
     case OP_XCLASS:
+    size = GET(cc, 1);
     space = get_class_iterator_size(cc + size);
-    size = GET(cc, 1);
     break;
 #endif
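Review bot: In the OP_CLASS/OP_NCLASS and OP_XCLASS cases the old order called `get_class_iterator_size(cc + size)` before `size` was assigned in that case, so the offset was whatever the previous iteration (or the initial value, not visible here) had left in `size` — that is the overread the log message mentions, and moving the assignment first is the correct fix. The other cases in this hunk were reordered only for uniformity, which reads fine, but nothing in the code records that the class cases depend on the order. A comment on the class cases such as `/* size must be set before get_class_iterator_size() reads past cc */` would pin the invariant, and if `size` is declared outside the loop, resetting it at the top of each iteration (e.g. to 0) would turn any future regression into a visible wrong result instead of an out-of-bounds read. The switch and the loop it sits in start and end outside the hunk.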



Modified: code/trunk/src/pcre2_jit_test.c
===================================================================
--- code/trunk/src/pcre2_jit_test.c    2020-06-29 15:35:49 UTC (rev 1266)
+++ code/trunk/src/pcre2_jit_test.c    2020-07-15 04:35:32 UTC (rev 1267)
@@ -350,6 +350,7 @@
     { MU, A, 0, 0, ".[ab]*.", "xx" },
     { MU, A, 0, 0, ".[ab]*a", "xxa" },
     { MU, A, 0, 0, ".[ab]?.", "xx" },
+    { MU, A, 0, 0, "_[ab]+_*a", "_aa" },


     /* Bracket repeats with limit. */
     { MU, A, 0, 0, "(?:(ab){2}){5}M", "abababababababababababM" },