Fix read beyond unterminated quantifier at end of pattern.

Philip.Hazel 2016-11-01 12:12:45 +00:00
parent d3b60a9b7d
commit 12a6d697fe
4 changed files with 16 additions and 7 deletions


@ -31,7 +31,12 @@ some minor bugs and Perl incompatibilities were fixed, including:
group whose name began with "R".
(f) The amount of memory needed for a compiled pattern was miscalculated if a
lookbehind contained more than one toplevel branch and the first branch
was of length zero.
was of length zero.
(g) In UTF-8 or UTF-16 modes with PCRE2_EXTENDED (/x) set and a non-zero-
terminated pattern, if a # comment ran on to the end of the pattern, one
or more code units past the end were being read.
(h) An unterminated repeat at the end of a non-zero-terminated pattern (e.g.
"{2,2") could cause reading beyond the pattern.
One effect of the refactoring is that some error numbers and messages have
changed, and the pattern offset given for compiling errors is not always the
@ -117,10 +122,6 @@ library containing a test function that can be called by fuzzers to be
compiled. A non-installed binary to run the test function locally, called
pcre2fuzzcheck is also compiled.
18. In UTF-8 or UTF-16 modes with PCRE2_EXTENDED (/x) set and a non-zero-
terminated pattern, if a # comment ran on to the end of the pattern, one or
more code units past the end were being read.
Version 10.22 29-July-2016
--------------------------
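Review bot: The ChangeLog edit relocates the existing entry 18 (the # comment over-read with PCRE2_EXTENDED) into the refactoring list as item (g), but the commit message mentions only the unterminated quantifier fix. Either note the relocation in the commit message or move it to its own commit, so that a history search for the # comment fix does not land on an unrelated change.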


@ -1187,7 +1187,7 @@ read_repeat_counts(PCRE2_SPTR *ptrptr, PCRE2_SPTR ptrend, uint32_t *minp,
PCRE2_SPTR p = *ptrptr;
BOOL yield = FALSE;
int32_t min = 0;
int32_t max = REPEAT_UNLIMITED; /* This value is larger than MAX_REPAT_COUNT */
int32_t max = REPEAT_UNLIMITED; /* This value is larger than MAX_REPEAT_COUNT */
/* NB read_number() initializes the error code to zero. The only error is for a
number that is too big. */
@ -1209,7 +1209,7 @@ else
if (*p != CHAR_RIGHT_CURLY_BRACKET)
{
if (!read_number(&p, ptrend, -1, MAX_REPEAT_COUNT, ERR5, &max,
errorcodeptr) || *p != CHAR_RIGHT_CURLY_BRACKET)
errorcodeptr) || p >= ptrend || *p != CHAR_RIGHT_CURLY_BRACKET)
goto EXIT;
if (max < min)
{
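Review bot: The context line `if (*p != CHAR_RIGHT_CURLY_BRACKET)` at the top of this hunk dereferences p with no bounds check visible here, while the fix adds `p >= ptrend` only after the second read_number() call. Please confirm that the code above the hunk guarantees p < ptrend at that point for a length-delimited pattern that ends in "{2,", and consider a one-line comment saying that ptrend, not a terminating zero, bounds the scan. The ordering inside the changed condition is right: the pointer comparison comes before the read of *p.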

4
testdata/testinput2 vendored

@ -4900,4 +4900,8 @@ a)"xI
/(?<!|!|!||||||(?<!)||(?<!)!|!||(?<!)!|!(?<!)!|!|!|!||||!!|<!)!|!||||!|/
# /hex uses length, not zero-terminate
/'{2,2{2,2'/hex
# End of testinput2
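Review bot: The new pattern covers only the "{2,2" truncation named in the ChangeLog; the shorter truncations "{2" and "{2," at the end of a /hex pattern take different paths through read_repeat_counts() and are worth adding next to it. The comment "# /hex uses length, not zero-terminate" would also be clearer if it said that the pattern deliberately ends inside a quantifier.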


@ -15345,6 +15345,10 @@ Failed: error 125 at offset 2: lookbehind assertion is not fixed length
/(?<!|!|!||||||(?<!)||(?<!)!|!||(?<!)!|!(?<!)!|!|!|!||||!!|<!)!|!||||!|/
# /hex uses length, not zero-terminate
/'{2,2{2,2'/hex
# End of testinput2
Error -63: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data
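Review bot: The expected output for /'{2,2{2,2'/hex is only the echoed pattern, so a read of one code unit past the end would not necessarily change it, and this case guards the fix mainly when the suite runs under valgrind or a sanitizer. Say so in the test comment so the case is not later pruned as having no observable result.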