diff --git a/ChangeLog b/ChangeLog index bb16e20..680d7f1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -48,6 +48,10 @@ generates *.pc files and pcre2-config with the same content, as in the past. single digit, the code unit beyond d was being read (i.e. there was a read buffer overflow). Fixes ClusterFuzz 23779. +9. After the rework in r1235, certain character ranges were incorrectly +handled by an optimization in JIT. Furthermore a wrong offset was used to +read a value from a buffer which could lead to memory overread. + Version 10.35 09-May-2020 --------------------------- diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c index 7c5d63b..2bd4275 100644 --- a/src/pcre2_jit_compile.c +++ b/src/pcre2_jit_compile.c @@ -1466,9 +1466,9 @@ do default: accelerated_start = NULL; fast_forward_allowed = FALSE; - break; + continue; } - continue; + break; case OP_ONCE: case OP_BRA: @@ -1834,57 +1834,57 @@ while (cc < ccend) case OP_BRAZERO: case OP_BRAMINZERO: case OP_BRAPOSZERO: - repeat_check = FALSE; size = 1; + repeat_check = FALSE; break; CASE_ITERATOR_PRIVATE_DATA_1 - space = 1; size = -2; + space = 1; break; CASE_ITERATOR_PRIVATE_DATA_2A - space = 2; size = -2; + space = 2; break; CASE_ITERATOR_PRIVATE_DATA_2B - space = 2; size = -(2 + IMM2_SIZE); + space = 2; break; CASE_ITERATOR_TYPE_PRIVATE_DATA_1 - space = 1; size = 1; + space = 1; break; CASE_ITERATOR_TYPE_PRIVATE_DATA_2A + size = 1; if (cc[1] != OP_ANYNL && cc[1] != OP_EXTUNI) space = 2; - size = 1; break; case OP_TYPEUPTO: + size = 1 + IMM2_SIZE; if (cc[1 + IMM2_SIZE] != OP_ANYNL && cc[1 + IMM2_SIZE] != OP_EXTUNI) space = 2; - size = 1 + IMM2_SIZE; break; case OP_TYPEMINUPTO: - space = 2; size = 1 + IMM2_SIZE; + space = 2; break; case OP_CLASS: case OP_NCLASS: - space = get_class_iterator_size(cc + size); size = 1 + 32 / sizeof(PCRE2_UCHAR); + space = get_class_iterator_size(cc + size); break; #if defined SUPPORT_UNICODE || PCRE2_CODE_UNIT_WIDTH != 8 case OP_XCLASS: - space = get_class_iterator_size(cc + size); size = GET(cc, 1); + space = get_class_iterator_size(cc + size); break; #endif diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c index 16dade7..b7856ad 100644 --- a/src/pcre2_jit_test.c +++ b/src/pcre2_jit_test.c @@ -350,6 +350,7 @@ static struct regression_test_case regression_test_cases[] = { { MU, A, 0, 0, ".[ab]*.", "xx" }, { MU, A, 0, 0, ".[ab]*a", "xxa" }, { MU, A, 0, 0, ".[ab]?.", "xx" }, + { MU, A, 0, 0, "_[ab]+_*a", "_aa" }, /* Bracket repeats with limit. */ { MU, A, 0, 0, "(?:(ab){2}){5}M", "abababababababababababM" },