From 21c084125ce27a9938f0f02eff674516e7e8685b Mon Sep 17 00:00:00 2001
From: "Philip.Hazel"
Date: Thu, 10 Nov 2016 17:08:27 +0000
Subject: [PATCH] Fix global overflow bug for get/copy names in pcre2test.

---
 ChangeLog | 3 +++
 src/pcre2test.c | 12 +++++++++---
 testdata/testinput2 | 4 ++++
 testdata/testoutput2 | 6 ++++++
 4 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 5678765..57d9ec0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -157,6 +157,9 @@ obsolete these days and in any case had become very haphazard.
 
 22. Add the use_length modifier to pcre2test.
 
+23. Fix an off-by-one bug in pcre2test for the list of names for 'get' and
+'copy' modifiers.
+
 
 Version 10.22 29-July-2016
 --------------------------
diff --git a/src/pcre2test.c b/src/pcre2test.c
index cd1255b..eb8b5cc 100644
--- a/src/pcre2test.c
+++ b/src/pcre2test.c
@@ -3556,10 +3556,16 @@ for (;;)
 char *nn = (char *)field;
 if (len > 0) /* Add new name */
 {
- while (*nn != 0) nn += strlen(nn) + 1;
- if (nn + len + 1 - (char *)field > LENCPYGET)
+ if (len > MAX_NAME_SIZE)
 {
- fprintf(outfile, "** Too many named '%s' modifiers\n", m->name);
+ fprintf(outfile, "** Group name in '%s' is too long\n", m->name);
+ return FALSE;
+ }
+ while (*nn != 0) nn += strlen(nn) + 1;
+ if (nn + len + 2 - (char *)field > LENCPYGET)
+ {
+ fprintf(outfile, "** Too many characters in named '%s' modifiers\n",
+ m->name);
 return FALSE;
 }
 memcpy(nn, pp, len);
diff --git a/testdata/testinput2 b/testdata/testinput2
index 4c7ddc8..2d65700 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4908,4 +4908,8 @@ a)"xI
 
 /{„Í„ÍÍ„Í{'{22{2{{2{'{22{{22{2{'{22{2{{2{{222{{2{'{22{2{22{2{'{22{2{{2{'{22{2{22{2{'{'{22{2{22{2{'{22{2{{2{'{22{2{22{2{'{222{2Ä„Í„ÍÍ„Í{'{22{2{{2{'{22{{11{2{'{22{2{{2{{'{22{2{{2{'{22{{22{1{'{22{2{{2{{222{{2{'{22{2{22{2{'{/auto_callout
 
+//
+\=get=i00000000000000000000000000000000
+\=get=i2345678901234567890123456789012,get=i1245678901234567890123456789012
+
 # End of testinput2
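Review bot: In the src/pcre2test.c hunk, the new bound `nn + len + 2 - (char *)field > LENCPYGET` still builds the pointer `nn + len + 2` before subtracting, and when the list is nearly full that pointer can lie more than one element past the end of the buffer (assuming `field` is LENCPYGET bytes here), which is undefined in C even though it is never dereferenced. Taking the offset first avoids that: `if ((nn - (char *)field) + len + 2 > LENCPYGET)`. The `+ 2` would also benefit from a comment such as `/* name, its NUL, and the empty string that ends the list */`; the scan `while (*nn != 0) nn += strlen(nn) + 1;` suggests that layout, but the lines that write the terminators are outside the hunk, as is the declaration of `len`.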
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index 85137dd..71358cc 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -15355,6 +15355,12 @@ Failed: error 157 at offset 6: \g is not followed by a braced, angle-bracketed, 
 
 /{„Í„ÍÍ„Í{'{22{2{{2{'{22{{22{2{'{22{2{{2{{222{{2{'{22{2{22{2{'{22{2{{2{'{22{2{22{2{'{'{22{2{22{2{'{22{2{{2{'{22{2{22{2{'{222{2Ä„Í„ÍÍ„Í{'{22{2{{2{'{22{{11{2{'{22{2{{2{{'{22{2{{2{'{22{{22{1{'{22{2{{2{{222{{2{'{22{2{22{2{'{/auto_callout
 
+//
+\=get=i00000000000000000000000000000000
+** Group name in 'get' is too long
+\=get=i2345678901234567890123456789012,get=i1245678901234567890123456789012
+** Too many characters in named 'get' modifiers
+
 # End of testinput2
 Error -63: PCRE2_ERROR_BADDATA (unknown error number)
 Error -62: bad serialized data