From 12a6d697fe43ba304f78b61ef2571c629234876f Mon Sep 17 00:00:00 2001
From: "Philip.Hazel"
Date: Tue, 1 Nov 2016 12:12:45 +0000
Subject: [PATCH] Fix read beyond unterminated quantifier at end of pattern.
---
 ChangeLog | 11 ++++++-----
 src/pcre2_compile.c | 4 ++--
 testdata/testinput2 | 4 ++++
 testdata/testoutput2 | 4 ++++
 4 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 64c8e78..3403d1d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -31,7 +31,12 @@ some minor bugs and Perl incompatibilities were fixed, including:
 group whose name began with "R". (f) The amount of memory needed for a compiled pattern was miscalculated if a lookbehind contained more than one toplevel branch and the first branch
- was of length zero.
+ was of length zero.
+ (g) In UTF-8 or UTF-16 modes with PCRE2_EXTENDED (/x) set and a non-zero- terminated pattern, if a # comment ran on to the end of the pattern, one or more code units past the end were being read.
+ (h) An unterminated repeat at the end of a non-zero-terminated pattern (e.g. "{2,2") could cause reading beyond the pattern.
 One effect of the refactoring is that some error numbers and messages have changed, and the pattern offset given for compiling errors is not always the
@@ -117,10 +122,6 @@ library containing a test function that can be called by fuzzers to be compiled. A non-installed binary to run the test function locally, called pcre2fuzzcheck is also compiled.
-18. In UTF-8 or UTF-16 modes with PCRE2_EXTENDED (/x) set and a non-zero-
-terminated pattern, if a # comment ran on to the end of the pattern, one or
-more code units past the end were being read.
-
 Version 10.22 29-July-2016 --------------------------
diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
index 64ebc0d..06be3bf 100644
--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
@@ -1187,7 +1187,7 @@ read_repeat_counts(PCRE2_SPTR *ptrptr, PCRE2_SPTR ptrend, uint32_t *minp,
 PCRE2_SPTR p = *ptrptr;
 BOOL yield = FALSE;
 int32_t min = 0;
-int32_t max = REPEAT_UNLIMITED; /* This value is larger than MAX_REPAT_COUNT */
+int32_t max = REPEAT_UNLIMITED; /* This value is larger than MAX_REPEAT_COUNT */
 /* NB read_number() initializes the error code to zero. The only error is for a number that is too big. */
@@ -1209,7 +1209,7 @@ else
 if (*p != CHAR_RIGHT_CURLY_BRACKET)
 {
 if (!read_number(&p, ptrend, -1, MAX_REPEAT_COUNT, ERR5, &max,
- errorcodeptr) || *p != CHAR_RIGHT_CURLY_BRACKET)
+ errorcodeptr) || p >= ptrend || *p != CHAR_RIGHT_CURLY_BRACKET)
 goto EXIT;
 if (max < min)
 {
diff --git a/testdata/testinput2 b/testdata/testinput2
index fc16bec..92b0f32 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4900,4 +4900,8 @@ a)"xI /(?
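Review bot: The new `p >= ptrend` test in the second hunk (@@ -1209) is correctly evaluated before `*p` is dereferenced, but nothing at the call site says why it is needed; I would put `/* The pattern need not be zero-terminated, so it may end inside the quantifier: check for the end before looking at *p */` on the line above the read_number() call. The minimum value is read by an earlier read_number() call that lies between the two hunks, outside this view; if that path also inspects `*p` afterwards (for the comma or the closing brace) it presumably needs the same end-of-pattern check, otherwise ChangeLog entry (h) only covers the maximum. The guard also relies on read_number() never advancing `p` past `ptrend`; `>=` rather than `==` is the safer choice if that is not guaranteed, so keeping it as written is fine. read_repeat_counts() begins before the first hunk and continues past the last one.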