Fix read beyond unterminated quantifier at end of pattern.
This commit is contained in:
Philip.Hazel
parent
d3b60a9b7d
commit
12a6d697fe
11
ChangeLog
11
ChangeLog
|
|
@ -31,7 +31,12 @@ some minor bugs and Perl incompatibilities were fixed, including:
|
|||
group whose name began with "R".
|
||||
(f) The amount of memory needed for a compiled pattern was miscalculated if a
|
||||
lookbehind contained more than one toplevel branch and the first branch
|
||||
was of length zero.
|
||||
was of length zero.
|
||||
(g) In UTF-8 or UTF-16 modes with PCRE2_EXTENDED (/x) set and a non-zero-
|
||||
terminated pattern, if a # comment ran on to the end of the pattern, one
|
||||
or more code units past the end were being read.
|
||||
(h) An unterminated repeat at the end of a non-zero-terminated pattern (e.g.
|
||||
"{2,2") could cause reading beyond the pattern.
|
||||
|
||||
One effect of the refactoring is that some error numbers and messages have
|
||||
changed, and the pattern offset given for compiling errors is not always the
|
||||
|
|
@ -117,10 +122,6 @@ library containing a test function that can be called by fuzzers to be
|
|||
compiled. A non-installed binary to run the test function locally, called
|
||||
pcre2fuzzcheck is also compiled.
|
||||
|
||||
18. In UTF-8 or UTF-16 modes with PCRE2_EXTENDED (/x) set and a non-zero-
|
||||
terminated pattern, if a # comment ran on to the end of the pattern, one or
|
||||
more code units past the end were being read.
|
||||
|
||||
|
||||
Version 10.22 29-July-2016
|
||||
--------------------------
|
||||
|
|
|
|||
|
|
@ -1187,7 +1187,7 @@ read_repeat_counts(PCRE2_SPTR *ptrptr, PCRE2_SPTR ptrend, uint32_t *minp,
|
|||
PCRE2_SPTR p = *ptrptr;
|
||||
BOOL yield = FALSE;
|
||||
int32_t min = 0;
|
||||
int32_t max = REPEAT_UNLIMITED; /* This value is larger than MAX_REPAT_COUNT */
|
||||
int32_t max = REPEAT_UNLIMITED; /* This value is larger than MAX_REPEAT_COUNT */
|
||||
|
||||
/* NB read_number() initializes the error code to zero. The only error is for a
|
||||
number that is too big. */
|
||||
|
|
@ -1209,7 +1209,7 @@ else
|
|||
if (*p != CHAR_RIGHT_CURLY_BRACKET)
|
||||
{
|
||||
if (!read_number(&p, ptrend, -1, MAX_REPEAT_COUNT, ERR5, &max,
|
||||
errorcodeptr) || *p != CHAR_RIGHT_CURLY_BRACKET)
|
||||
errorcodeptr) || p >= ptrend || *p != CHAR_RIGHT_CURLY_BRACKET)
|
||||
goto EXIT;
|
||||
if (max < min)
|
||||
{
|
||||
|
|
|
|||
|
|
@ -4900,4 +4900,8 @@ a)"xI
|
|||
|
||||
/(?<!|!|!||||||(?<!)||(?<!)!|!||(?<!)!|!(?<!)!|!|!|!||||!!|<!)!|!||||!|/
|
||||
|
||||
# /hex uses length, not zero-terminate
|
||||
|
||||
/'{2,2{2,2'/hex
|
||||
|
||||
# End of testinput2
|
||||
|
|
|
|||
|
|
@ -15345,6 +15345,10 @@ Failed: error 125 at offset 2: lookbehind assertion is not fixed length
|
|||
|
||||
/(?<!|!|!||||||(?<!)||(?<!)!|!||(?<!)!|!(?<!)!|!|!|!||||!!|<!)!|!||||!|/
|
||||
|
||||
# /hex uses length, not zero-terminate
|
||||
|
||||
/'{2,2{2,2'/hex
|
||||
|
||||
# End of testinput2
|
||||
Error -63: PCRE2_ERROR_BADDATA (unknown error number)
|
||||
Error -62: bad serialized data
|
||||
|
|
|
|||
Loading…
Reference in New Issue