Fix empty comment (?#) bug

This commit is contained in:
Philip.Hazel 2015-07-17 16:25:21 +00:00
parent d702527628
commit 21b15d96f2
4 changed files with 37 additions and 13 deletions

View File

@ -46,6 +46,10 @@ for example, /(?(R))*+/, was incorrectly compiled.
12. The Unicode tables have been updated to Unicode 8.0.0 (thanks to Christian
Persch).
13. An empty comment (?#) in a pattern was incorrectly processed and could
provoke a buffer overflow. This bug was discovered by Karl Skomski with the
LLVM fuzzer.
Version 10.20 30-June-2015
--------------------------

View File

@ -2997,6 +2997,7 @@ int namelen;
int i;
BOOL inescq = FALSE;
BOOL isdupname;
BOOL skiptoket = FALSE;
BOOL utf = (options & PCRE2_UTF) != 0;
BOOL negate_class;
PCRE2_SPTR name;
@ -3010,6 +3011,16 @@ for (; ptr < cb->end_pattern; ptr++)
{
c = *ptr;
/* Parenthesized groups set skiptoket when all following characters up to the
next closing parenthesis must be ignored. The parenthesis itself must be
processed (to end the nested parenthesized item). */
if (skiptoket)
{
if (c != CHAR_RIGHT_PARENTHESIS) continue;
skiptoket = FALSE;
}
/* Skip over literals */
if (inescq)
@ -3178,8 +3189,13 @@ for (; ptr < cb->end_pattern; ptr++)
default:
ptr += 2;
if (ptr[0] == CHAR_R || /* (?R) */
ptr[0] == CHAR_NUMBER_SIGN || /* (?#) */
IS_DIGIT(ptr[0]) || /* (?n) */
(ptr[0] == CHAR_MINUS && IS_DIGIT(ptr[1]))) break; /* (?-n) */
(ptr[0] == CHAR_MINUS && IS_DIGIT(ptr[1]))) /* (?-n) */
{
skiptoket = TRUE;
break;
}
/* Handle (?| and (?imsxJU: which are the only other valid forms. Both
need a new block on the nest stack. */
@ -3304,16 +3320,6 @@ for (; ptr < cb->end_pattern; ptr++)
while (ptr[0] != delimiter);
break;
case CHAR_NUMBER_SIGN:
ptr += 3;
while (ptr < cb->end_pattern && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
if (*ptr != CHAR_RIGHT_PARENTHESIS)
{
errorcode = ERR18;
goto FAILED;
}
break;
case CHAR_LEFT_PARENTHESIS:
nest_depth++;
/* Fall through */

4
testdata/testinput2 vendored
View File

@ -4342,4 +4342,8 @@ a random value. /Ix
/(?(R))*+/B
abcd
/((?x)(?#))#(?'/
/((?x)(?#))#(?'abc')/I
# End of testinput2

10
testdata/testoutput2 vendored
View File

@ -14514,4 +14514,14 @@ Failed: error 124 at offset 10: unrecognized character after (?<
abcd
0:
/((?x)(?#))#(?'/
Failed: error 124 at offset 14: unrecognized character after (?<
/((?x)(?#))#(?'abc')/I
Capturing subpattern count = 2
Named capturing subpatterns:
abc 2
First code unit = '#'
Subject length lower bound = 1
# End of testinput2