From 098562db961ae331c4bfeb07ffc66c4a0727020f Mon Sep 17 00:00:00 2001
From: "Philip.Hazel"
Date: Wed, 15 Jul 2015 09:08:12 +0000
Subject: [PATCH] Fix [[:>:]] when followed by parenthesis buffer overflow.
---
 ChangeLog | 4 ++++
 src/pcre2_compile.c | 7 ++++---
 testdata/testinput2 | 2 ++
 testdata/testoutput2 | 3 +++
 4 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index e5a47da..f3efcb8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -14,6 +14,10 @@ pcre2_auto_possessify.c source.
 4. Fix typos in dftables.c for z/OS.
+5. Change 36 for 10.20 broke the handling of [[:>:]] and [[:<:]] in that
+processing them could involve a buffer overflow if the following character was
+an opening parenthesis.
+
 Version 10.20 30-June-2015
 --------------------------
diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
index 4a9e42e..90342e3 100644
--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
@@ -3238,7 +3238,7 @@ for (; ptr < cb->end_pattern; ptr++)
 if (PRIV(strncmp_c8)(ptr+1, STRING_WEIRD_STARTWORD, 6) == 0 || PRIV(strncmp_c8)(ptr+1, STRING_WEIRD_ENDWORD, 6) == 0)
 {
- ptr += 7;
+ ptr += 6;
 break;
 }
@@ -3303,8 +3303,9 @@ for (; ptr < cb->end_pattern; ptr++)
 if (c == CHAR_LEFT_SQUARE_BRACKET && (ptr[1] == CHAR_COLON || ptr[1] == CHAR_DOT || ptr[1] == CHAR_EQUALS_SIGN) && check_posix_syntax(ptr, &ptr))
- ptr ++;
-
+ {
+ ptr++;
+ }
 else if (c == CHAR_BACKSLASH)
 {
 errorcode = 0;
diff --git a/testdata/testinput2 b/testdata/testinput2
index e0e149f..9f12fd9 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4327,4 +4327,6 @@ a random value. /Ix
 /^(?:(?(1)x|)+)+$()/B
+/[[:>:]](?<)/
+
 # End of testinput2
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index b628466..f3e236c 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
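Review bot: In the first src/pcre2_compile.c hunk the corrected skip is still a bare literal, `ptr += 6;`, and nothing at the site records why 6 is right where 7 was wrong. Both strings are compared over 6 code units starting at `ptr+1`, so adding 6 leaves `ptr` on the last matched unit; the character after it is presumably reached by an increment outside the hunk, since the enclosing loop body and the target of `break` are not fully visible here. Because the ChangeLog entry ties the old value to a buffer overflow when an opening parenthesis follows, I would state the invariant in place, e.g. `/* stop on the final ']'; the next character, possibly '(', must still be scanned */`, and consider one named constant shared by the two `strncmp_c8` lengths and the skip so they cannot drift apart.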
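Review bot: The added regression pattern `/[[:>:]](?<)/` in testdata/testinput2 exercises only the end-of-word form, while the ChangeLog entry and the patched condition in src/pcre2_compile.c cover both `[[:>:]]` and `[[:<:]]`. A companion line such as `/[[:<:]](?<)/`, with its expected output recorded in testdata/testoutput2, would pin the start-of-word branch as well. Since the defect was a memory-safety one, running both patterns under a memory checker would catch a regression that the error-message comparison alone might miss.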
@@ -14470,4 +14470,7 @@ Failed: error 161 at offset 32: number is too big
 End
 ------------------------------------------------------------------
+/[[:>:]](?<)/
+Failed: error 124 at offset 10: unrecognized character after (?<
+
 # End of testinput2