From 16de9003e59e782ba8cc151708e45aafbfdd74b2 Mon Sep 17 00:00:00 2001 From: "Philip.Hazel" Date: Mon, 22 Apr 2019 12:39:38 +0000 Subject: [PATCH] Implement a check on the number of capturing parentheses, which for some reason has never existed. This fixes ClusterFuzz issue 14376. --- ChangeLog | 8 ++++++++ configure.ac | 6 +++--- src/pcre2.h.in | 1 + src/pcre2_compile.c | 12 +++++++++++- src/pcre2_error.c | 1 + testdata/testinput11 | 2 ++ testdata/testinput2 | 4 ++++ testdata/testinput9 | 2 ++ testdata/testoutput11-16 | 3 +++ testdata/testoutput11-32 | 2 ++ testdata/testoutput2 | 6 ++++++ testdata/testoutput9 | 3 +++ 12 files changed, 46 insertions(+), 4 deletions(-) diff --git a/ChangeLog b/ChangeLog index 66c6d0b..da4ffb6 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,14 @@ Change Log for PCRE2 -------------------- +Version 10.34 22-April-2019 +--------------------------- + +1. The maximum number of capturing subpatterns is 65535 (documented), but no +check on this was ever implemented. This omission has been rectified; it fixes +ClusterFuzz 14376. + + Version 10.33 16-April-2019 --------------------------- diff --git a/configure.ac b/configure.ac index 93c2b53..35b947b 100644 --- a/configure.ac +++ b/configure.ac @@ -9,9 +9,9 @@ dnl The PCRE2_PRERELEASE feature is for identifying release candidates. It might dnl be defined as -RC2, for example. For real releases, it should be empty. m4_define(pcre2_major, [10]) -m4_define(pcre2_minor, [33]) -m4_define(pcre2_prerelease, []) -m4_define(pcre2_date, [2019-04-16]) +m4_define(pcre2_minor, [34]) +m4_define(pcre2_prerelease, [-RC1]) +m4_define(pcre2_date, [2019-04-22]) # NOTE: The CMakeLists.txt file searches for the above variables in the first # 50 lines of this file. Please update that if the variables above are moved. diff --git a/src/pcre2.h.in b/src/pcre2.h.in index 9415d70..29f3688 100644 --- a/src/pcre2.h.in +++ b/src/pcre2.h.in 
@@ -305,6 +305,7 @@ pcre2_pattern_convert(). */ #define PCRE2_ERROR_INVALID_HYPHEN_IN_OPTIONS 194 #define PCRE2_ERROR_ALPHA_ASSERTION_UNKNOWN 195 #define PCRE2_ERROR_SCRIPT_RUN_NOT_AVAILABLE 196 +#define PCRE2_ERROR_TOO_MANY_CAPTURES 197 /* "Expected" matching error codes: no match and partial match. */ diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c index 068735a..cd6fbea 100644 --- a/src/pcre2_compile.c +++ b/src/pcre2_compile.c @@ -781,7 +781,7 @@ enum { ERR0 = COMPILE_ERROR_BASE, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69, ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79, ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERR88, ERR89, ERR90, - ERR91, ERR92, ERR93, ERR94, ERR95, ERR96 }; + ERR91, ERR92, ERR93, ERR94, ERR95, ERR96, ERR97 }; /* This is a table of start-of-pattern options such as (*UTF) and settings such as (*LIMIT_MATCH=nnnn) and (*CRLF). For completeness and backward @@ -3611,6 +3611,11 @@ while (ptr < ptrend) nest_depth++; if ((options & PCRE2_NO_AUTO_CAPTURE) == 0) { + if (cb->bracount >= MAX_GROUP_NUMBER) + { + errorcode = ERR97; + goto FAILED; + } cb->bracount++; *parsed_pattern++ = META_CAPTURE | cb->bracount; } @@ -4435,6 +4440,11 @@ while (ptr < ptrend) /* We have a name for this capturing group. It is also assigned a number, which is its primary means of identification. */ + if (cb->bracount >= MAX_GROUP_NUMBER) + { + errorcode = ERR97; + goto FAILED; + } cb->bracount++; *parsed_pattern++ = META_CAPTURE | cb->bracount; nest_depth++; diff --git a/src/pcre2_error.c b/src/pcre2_error.c index 1d02cf1..5517e74 100644 --- a/src/pcre2_error.c +++ b/src/pcre2_error.c @@ -184,6 +184,7 @@ static const unsigned char compile_error_texts[] = /* 95 */ "(*alpha_assertion) not recognized\0" "script runs require Unicode support, which this version of PCRE2 does not have\0" + "too many capturing groups (maximum 65535)\0" ; /* Match-time and UTF error texts are in the same format. */ 
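Review bot: The new public error code PCRE2_ERROR_TOO_MANY_CAPTURES 197 arrives without a documentation update; the diffstat lists no file under doc/, so the list of compile-time error codes in the API documentation presumably no longer matches the header. The value is also tied by position to two other places in this commit, ERR97 in the pcre2_compile.c enum and the 98th entry of compile_error_texts in pcre2_error.c, and nothing at the definition records that coupling. A short trailing note on the define, `/* must stay in step with ERR97 and compile_error_texts */`, would make the next addition less error-prone.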
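Review bot: The guard `if (cb->bracount >= MAX_GROUP_NUMBER)` is pasted identically at both capture sites (the unnamed-group hunk at 3611 and the named-group hunk at 4440) with no comment saying why that limit exists, and the relation to the "65535" in the error text is not visible in the hunk. Presumably the bound comes from the group number being packed into the data bits of the META_CAPTURE word on the following line; if so, a one-line comment such as `/* Group numbers must fit in the META_CAPTURE data bits; refuse to allocate one past MAX_GROUP_NUMBER. */` at the first site (and "see above" at the second) would document it, and the duplicated five lines could be folded into one place. Note that testoutput11-16 and testoutput9 show the same 65535-group pattern failing with error 120 before this check is ever reached, so only testinput2 exercises ERR97; that is fine, but worth a remark in the ChangeLog entry. The enclosing function parse_regex begins and ends outside both hunks.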
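Review bot: The new message hard-codes `(maximum 65535)` while the check in pcre2_compile.c compares against MAX_GROUP_NUMBER, so a future change to that constant would leave this text silently wrong. Since compile_error_texts is a plain string table, either build the number from the constant with a stringizing macro, if the constant is visible to this file, or at least mark the dependency inline: `"too many capturing groups (maximum 65535)\0" /* keep in step with MAX_GROUP_NUMBER */`. The entry's position must also be 97 to line up with ERR97 and error 197; the `/* 95 */` marker above is the only aid to counting, so the position is worth double-checking whenever another text is inserted.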
diff --git a/testdata/testinput11 b/testdata/testinput11 index 2d267d6..fca6042 100644 --- a/testdata/testinput11 +++ b/testdata/testinput11 @@ -368,4 +368,6 @@ abÿAz ab\x{80000041}z +/\[()]{65535}/expand + # End of testinput11 diff --git a/testdata/testinput2 b/testdata/testinput2 index 9e59b62..8a98f94 100644 --- a/testdata/testinput2 +++ b/testdata/testinput2 @@ -5587,4 +5587,8 @@ a)"xI \= Expect error message abc\=null_context +/\[()]{65535}()/expand + +/\[()]{65535}(?)/expand + # End of testinput2 diff --git a/testdata/testinput9 b/testdata/testinput9 index 7be4b15..792d610 100644 --- a/testdata/testinput9 +++ b/testdata/testinput9 @@ -260,4 +260,6 @@ /(*:*++++++++++++''''''''''''''''''''+''+++'+++x+++++++++++++++++++++++++++++++++++(++++++++++++++++++++:++++++%++:''''''''''''''''''''''''+++++++++++++++++++++++++++++++++++++++++++++++++++++-++++++++k+++++++''''+++'+++++++++++++++++++++++''''++++++++++++':Æ¿)/ +/\[()]{65535}/expand + # End of testinput9 diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 index 78bf7fb..f2b9637 100644 --- a/testdata/testoutput11-16 +++ b/testdata/testoutput11-16 @@ -661,4 +661,7 @@ Subject length lower bound = 1 abÿAz ab\x{80000041}z +/\[()]{65535}/expand +Failed: error 120 at offset 131070: regular expression is too large + # End of testinput11 diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 index 4b00384..1908ab7 100644 --- a/testdata/testoutput11-32 +++ b/testdata/testoutput11-32 @@ -667,4 +667,6 @@ Subject length lower bound = 1 ab\x{80000041}z 0: ab\x{80000041}z +/\[()]{65535}/expand + # End of testinput11 diff --git a/testdata/testoutput2 b/testdata/testoutput2 index 2f91c38..158fbad 100644 --- a/testdata/testoutput2 +++ b/testdata/testoutput2 
@@ -16934,6 +16934,12 @@ Subject length lower bound = 0 abc\=null_context ** Replacement callouts are not supported with null_context. +/\[()]{65535}()/expand +Failed: error 197 at offset 131071: too many capturing groups (maximum 65535) + +/\[()]{65535}(?)/expand +Failed: error 197 at offset 131075: too many capturing groups (maximum 65535) + # End of testinput2 Error -70: PCRE2_ERROR_BADDATA (unknown error number) Error -62: bad serialized data diff --git a/testdata/testoutput9 b/testdata/testoutput9 index f98f276..f66ca3d 100644 --- a/testdata/testoutput9 +++ b/testdata/testoutput9 @@ -367,4 +367,7 @@ Failed: error 134 at offset 14: character code point value in \x{} or \o{} is to /(*:*++++++++++++''''''''''''''''''''+''+++'+++x+++++++++++++++++++++++++++++++++++(++++++++++++++++++++:++++++%++:''''''''''''''''''''''''+++++++++++++++++++++++++++++++++++++++++++++++++++++-++++++++k+++++++''''+++'+++++++++++++++++++++++''''++++++++++++':Æ¿)/ Failed: error 176 at offset 259: name is too long in (*MARK), (*PRUNE), (*SKIP), or (*THEN) +/\[()]{65535}/expand +Failed: error 120 at offset 131070: regular expression is too large + # End of testinput9