Fix lookbehind within lookahead within lookbehind misbehaviour bug.

2019-07-16 15:06:21 +00:00 · 2019-07-16 15:06:21 +00:00 · 046c5cd21c
parent 66811c6c73
commit 046c5cd21c
6 changed files with 76 additions and 29 deletions
--- a/5
+++ b/5
@ -90,6 +90,11 @@ Clusterfuzz issue 15636.
 18. Implement non-atomic positive lookaround assertions.
 19. If a lookbehind contained a lookahead that contained another lookbehind
 within it, the nested lookbehind was not correctly processed. For example, if 
 /(?<=(?=(?<=a)))b/ was matched to "ab" it gave no match instead of matching 
 "b".
 Version 10.33 16-April-2019
 ---------------------------
--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
@ -135,6 +135,8 @@ static BOOL
  set_lookbehind_lengths(uint32_t **, int *, int *, int *,
    parsed_recurse_check *, compile_block *);
 static int
  check_lookbehinds(uint32_t *, uint32_t **, compile_block *);
 /*************************************************
@ -9108,16 +9110,16 @@ for (;; pptr++)
      }
    break;
-    /* Lookaheads can be ignored, but we must start the skip inside the group
+    /* Lookaheads do not contribute to the length of this branch, but they may
-    so that it isn't treated as a group within the branch. */
+    contain lookbehinds within them whose lengths need to be set. */
    case META_LOOKAHEAD:
    case META_LOOKAHEADNOT:
    case META_LOOKAHEAD_NA:
-    pptr = parsed_skip(pptr + 1, PSKIP_KET);
+    *errcodeptr = check_lookbehinds(pptr + 1, &pptr, cb);
-    if (pptr == NULL) goto PARSED_SKIP_FAILED;
+    if (*errcodeptr != 0) return -1;
-    /* Also ignore any qualifiers that follow a lookahead assertion. */
+    /* Ignore any qualifiers that follow a lookahead assertion. */
    switch (pptr[1])
      {
@ -9454,21 +9456,29 @@ set_lookbehind_lengths() for each one. At the start, the errorcode is zero and
 the error offset is marked unset. The enables the functions above not to
 override settings from deeper nestings.
-Arguments cb      points to the compile block
+This function is called recursively from get_branchlength() for lookaheads in
 order to process any lookbehinds that they may contain. It stops when it hits a
 non-nested closing parenthesis in this case, returning a pointer to it.
 Arguments
  pptr    points to where to start (start of pattern or start of lookahead)
  retptr  if not NULL, return the ket pointer here
  cb      points to the compile block
 Returns:  0 on success, or an errorcode (cb->erroroffset will be set)
 */
 static int
-check_lookbehinds(compile_block *cb)
+check_lookbehinds(uint32_t *pptr, uint32_t **retptr, compile_block *cb)
 {
 uint32_t *pptr;
 int max;
 int errorcode = 0;
 int loopcount = 0;
 int nestlevel = 0;
 cb->erroroffset = PCRE2_UNSET;
-for (pptr = cb->parsed_pattern; *pptr != META_END; pptr++)
+for (; *pptr != META_END; pptr++)
  {
  if (*pptr < META_END) continue;  /* Literal */
@ -9482,14 +9492,31 @@ for (pptr = cb->parsed_pattern; *pptr != META_END; pptr++)
      pptr += 1;
    break;
    case META_KET:
    if (--nestlevel < 0)
      {
      if (retptr != NULL) *retptr = pptr;
      return 0;
      }
    break;
    case META_ATOMIC:
    case META_CAPTURE:
    case META_COND_ASSERT:
    case META_LOOKAHEAD:
    case META_LOOKAHEADNOT:
    case META_LOOKAHEAD_NA:
    case META_NOCAPTURE:
    case META_SCRIPT_RUN:
    nestlevel++;
    break;
    case META_ACCEPT:
    case META_ALT:
    case META_ASTERISK:
    case META_ASTERISK_PLUS:
    case META_ASTERISK_QUERY:
    case META_ATOMIC:
    case META_BACKREF:
    case META_CAPTURE:
    case META_CIRCUMFLEX:
    case META_CLASS:
    case META_CLASS_EMPTY:
@ -9497,15 +9524,9 @@ for (pptr = cb->parsed_pattern; *pptr != META_END; pptr++)
    case META_CLASS_END:
    case META_CLASS_NOT:
    case META_COMMIT:
    case META_COND_ASSERT:
    case META_DOLLAR:
    case META_DOT:
    case META_FAIL:
    case META_KET:
    case META_LOOKAHEAD:
    case META_LOOKAHEADNOT:
    case META_LOOKAHEAD_NA:
    case META_NOCAPTURE:
    case META_PLUS:
    case META_PLUS_PLUS:
    case META_PLUS_QUERY:
@ -9515,7 +9536,6 @@ for (pptr = cb->parsed_pattern; *pptr != META_END; pptr++)
    case META_QUERY_QUERY:
    case META_RANGE_ESCAPED:
    case META_RANGE_LITERAL:
    case META_SCRIPT_RUN:
    case META_SKIP:
    case META_THEN:
    break;
@ -10021,7 +10041,7 @@ lengths. */
 if (has_lookbehind)
  {
-  errorcode = check_lookbehinds(&cb);
+  errorcode = check_lookbehinds(cb.parsed_pattern, NULL, &cb);
  if (errorcode != 0) goto HAD_CB_ERROR;
  }
--- a/testdata/testinput1
+++ b/testdata/testinput1
@ -6377,4 +6377,10 @@ ef) x/x,mark
 /(?<=a(*SKIP)x)|d/
    abcd
 /(?<=(?=.(?<=x)))/aftertext
    abx
 /(?<=(?=(?<=a)))b/
    ab
 # End of testinput1 
--- a/testdata/testinput2
+++ b/testdata/testinput2
@ -5690,4 +5690,7 @@ a)"xI
 # ----
 /(?<=(?=.(?<=x)))/
    ab\=ph
 # End of testinput2
--- a/testdata/testoutput1
+++ b/testdata/testoutput1
@ -10097,4 +10097,13 @@ No match
    abcd
 0: d
 /(?<=(?=.(?<=x)))/aftertext
    abx
 0: 
 0+ x
 /(?<=(?=(?<=a)))b/
    ab
 0: b
 # End of testinput1 
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@ -17185,6 +17185,10 @@ Subject length lower bound = 1
 # ----
 /(?<=(?=.(?<=x)))/
    ab\=ph
 No match
 # End of testinput2
 Error -70: PCRE2_ERROR_BADDATA (unknown error number)
 Error -62: bad serialized data