Fix name table sort buffer overflow.

This commit is contained in:
Philip.Hazel 2016-12-21 17:09:11 +00:00
parent dfff2fbc9f
commit 3df9674c4e
4 changed files with 14 additions and 6 deletions

View File

@ -48,11 +48,12 @@ parenthesis item, not the length of the whole group. A length of zero is now
given only for a callout at the end of the pattern. Automatic callouts are no
longer inserted before and after explicit callouts in the pattern.
Some bugs in the refactored code were subsequently fixed before release.
Several of them were related to the change from assuming a zero-terminated
pattern (which previously had required non-zero terminated strings to be
copied). These bugs were never in released code, but are noted here for the
record, once the code was made available in the repository.
A number of bugs in the refactored code were subsequently fixed before release,
but after the code was made available in the repository. Many of the bugs were
discovered by fuzzing testing. Several of them were related to the change from
assuming a zero-terminated pattern (which previously had required non-zero
terminated strings to be copied). These bugs were never in released code, but
are noted here for the record.
(a) An overall recursion such as (?0) inside a lookbehind assertion was not
being diagnosed as an error.
@ -106,6 +107,9 @@ record, once the code was made available in the repository.
followed by '?' or '+', and there was at least one literal character
between them, an internal error "unexpected repeat" occurred (example:
/.+\QX\E+/).
(p) A buffer overflow could occur while sorting the names in the group name
list (depending on the order in which the names were seen).
4. Back references are now permitted in lookbehind assertions when there are
no duplicated group numbers (that is, (?| has not been used), and, if the

View File

@ -8273,7 +8273,7 @@ for (i = 0; i < tablecount; i++)
if (crc < 0)
{
memmove(slot + cb->name_entry_size, slot,
CU2BYTES((cb->names_found - i) * cb->name_entry_size));
CU2BYTES((tablecount - i) * cb->name_entry_size));
break;
}

2
testdata/testinput1 vendored
View File

@ -5818,4 +5818,6 @@ ef) x/x,mark
/(Z)(a)\2{1,2}?(?-i)\1X/i
ZaAAZX
/(?'c')XX(?'YYYYYYYYYYYYYYYYYYYYYYYCl')/
# End of testinput1

View File

@ -9295,4 +9295,6 @@ No match
1: Z
2: a
/(?'c')XX(?'YYYYYYYYYYYYYYYYYYYYYYYCl')/
# End of testinput1