Fix bad compile for possessive quantifier on group containing a subroutine
reference.
parent
63cab0dba9
commit
2327a5860b
|
@ -50,6 +50,11 @@ assertion after (?(. The code was failing to check the character after (?(?<
|
|||
for the ! or = that would indicate a lookbehind assertion. This bug was
|
||||
discovered by the LLVM fuzzer.
|
||||
|
||||
13. A pattern such as /X((?2)()*+){2}+/ which has a possessive quantifier with
|
||||
a fixed maximum following a group that contains a subroutine reference was
|
||||
incorrectly compiled and could trigger buffer overflow. This bug was discovered
|
||||
by the LLVM fuzzer.
|
||||
|
||||
|
||||
Version 10.10 06-March-2015
|
||||
---------------------------
|
||||
|
|
|
@ -4520,6 +4520,7 @@ for (;; ptr++)
|
|||
{
|
||||
register int i;
|
||||
int len = (int)(code - previous);
|
||||
size_t base_hwm_offset = save_hwm_offset;
|
||||
PCRE2_UCHAR *bralink = NULL;
|
||||
PCRE2_UCHAR *brazeroptr = NULL;
|
||||
|
||||
|
@ -4668,20 +4669,20 @@ for (;; ptr++)
|
|||
|
||||
while (cb->hwm > cb->start_workspace + cb->workspace_size -
|
||||
WORK_SIZE_SAFETY_MARGIN -
|
||||
(this_hwm_offset - save_hwm_offset))
|
||||
(this_hwm_offset - base_hwm_offset))
|
||||
{
|
||||
*errorcodeptr = expand_workspace(cb);
|
||||
if (*errorcodeptr != 0) goto FAILED;
|
||||
}
|
||||
|
||||
for (hc = (PCRE2_UCHAR *)cb->start_workspace + save_hwm_offset;
|
||||
for (hc = (PCRE2_UCHAR *)cb->start_workspace + base_hwm_offset;
|
||||
hc < (PCRE2_UCHAR *)cb->start_workspace + this_hwm_offset;
|
||||
hc += LINK_SIZE)
|
||||
{
|
||||
PUT(cb->hwm, 0, GET(hc, 0) + len);
|
||||
cb->hwm += LINK_SIZE;
|
||||
}
|
||||
save_hwm_offset = this_hwm_offset;
|
||||
base_hwm_offset = this_hwm_offset;
|
||||
code += len;
|
||||
}
|
||||
}
|
||||
|
@ -4749,20 +4750,20 @@ for (;; ptr++)
|
|||
|
||||
while (cb->hwm > cb->start_workspace + cb->workspace_size -
|
||||
WORK_SIZE_SAFETY_MARGIN -
|
||||
(this_hwm_offset - save_hwm_offset))
|
||||
(this_hwm_offset - base_hwm_offset))
|
||||
{
|
||||
*errorcodeptr = expand_workspace(cb);
|
||||
if (*errorcodeptr != 0) goto FAILED;
|
||||
}
|
||||
|
||||
for (hc = (PCRE2_UCHAR *)cb->start_workspace + save_hwm_offset;
|
||||
for (hc = (PCRE2_UCHAR *)cb->start_workspace + base_hwm_offset;
|
||||
hc < (PCRE2_UCHAR *)cb->start_workspace + this_hwm_offset;
|
||||
hc += LINK_SIZE)
|
||||
{
|
||||
PUT(cb->hwm, 0, GET(hc, 0) + len + ((i != 0)? 2+LINK_SIZE : 1));
|
||||
cb->hwm += LINK_SIZE;
|
||||
}
|
||||
save_hwm_offset = this_hwm_offset;
|
||||
base_hwm_offset = this_hwm_offset;
|
||||
code += len;
|
||||
}
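Review bot: The declaration `size_t base_hwm_offset = save_hwm_offset;` added at the top of the block (hunk at 4520) has no comment saying how it differs from `save_hwm_offset`, and that distinction is the whole fix. In both copy loops (hunks at 4669 and 4750) the new lines walk from `base_hwm_offset` to `this_hwm_offset` and then advance `base_hwm_offset`, so `save_hwm_offset` keeps its entry value through the replication; presumably code after these loops, outside the visible hunks, still reads it for the possessive case. I would add `/* Start of the forward-reference entries still to be duplicated; advanced after each copy so that save_hwm_offset is left unchanged. */` above the declaration. The workspace bound check and the copy loop are repeated almost verbatim in the two hunks, so the guard against overrunning the workspace has to be kept in step by hand; a small static helper taking the per-entry adjustment as a parameter would remove that risk. The enclosing `for (;; ptr++)` body starts and ends outside the hunks.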
|
||||
|
||||
|
|
|
@ -4245,4 +4245,8 @@ a random value. /Ix
|
|||
|
||||
"(?(?<E>.*!.*)?)"
|
||||
|
||||
"X((?2)()*+){2}+"B
|
||||
|
||||
"X((?2)()*+){2}"B
|
||||
|
||||
# End of testinput2
|
||||
|
|
|
@ -14209,4 +14209,46 @@ Failed: error -52: nested recursion at the same subject position
|
|||
"(?(?<E>.*!.*)?)"
|
||||
Failed: error 128 at offset 3: assertion expected after (?( or (?(?C)
|
||||
|
||||
"X((?2)()*+){2}+"B
|
||||
------------------------------------------------------------------
|
||||
Bra
|
||||
X
|
||||
Once
|
||||
CBra 1
|
||||
Recurse
|
||||
Braposzero
|
||||
SCBraPos 2
|
||||
KetRpos
|
||||
Ket
|
||||
CBra 1
|
||||
Recurse
|
||||
Braposzero
|
||||
SCBraPos 2
|
||||
KetRpos
|
||||
Ket
|
||||
Ket
|
||||
Ket
|
||||
End
|
||||
------------------------------------------------------------------
|
||||
|
||||
"X((?2)()*+){2}"B
|
||||
------------------------------------------------------------------
|
||||
Bra
|
||||
X
|
||||
CBra 1
|
||||
Recurse
|
||||
Braposzero
|
||||
SCBraPos 2
|
||||
KetRpos
|
||||
Ket
|
||||
CBra 1
|
||||
Recurse
|
||||
Braposzero
|
||||
SCBraPos 2
|
||||
KetRpos
|
||||
Ket
|
||||
Ket
|
||||
End
|
||||
------------------------------------------------------------------
|
||||
|
||||
# End of testinput2
|
||||
|
|