Fix name table sort buffer overflow.

Philip.Hazel 2016-12-21 17:09:11 +00:00
parent dfff2fbc9f
commit 3df9674c4e
4 changed files with 14 additions and 6 deletions


@ -48,11 +48,12 @@ parenthesis item, not the length of the whole group. A length of zero is now
given only for a callout at the end of the pattern. Automatic callouts are no given only for a callout at the end of the pattern. Automatic callouts are no
longer inserted before and after explicit callouts in the pattern. longer inserted before and after explicit callouts in the pattern.
Some bugs in the refactored code were subsequently fixed before release. A number of bugs in the refactored code were subsequently fixed before release,
Several of them were related to the change from assuming a zero-terminated but after the code was made available in the repository. Many of the bugs were
pattern (which previously had required non-zero terminated strings to be discovered by fuzzing testing. Several of them were related to the change from
copied). These bugs were never in released code, but are noted here for the assuming a zero-terminated pattern (which previously had required non-zero
record, once the code was made available in the repository. terminated strings to be copied). These bugs were never in released code, but
are noted here for the record.
(a) An overall recursion such as (?0) inside a lookbehind assertion was not (a) An overall recursion such as (?0) inside a lookbehind assertion was not
being diagnosed as an error. being diagnosed as an error.
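Review bot: "fuzzing testing" in the rewritten paragraph reads awkwardly; "fuzz testing" (or simply "fuzzing") is the usual term. The rest of the rewording is an improvement: moving "but after the code was made available in the repository" next to "before release" makes the timeline of these bugs clear in one sentence instead of two.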
@ -107,6 +108,9 @@ record, once the code was made available in the repository.
between them, an internal error "unexpected repeat" occurred (example: between them, an internal error "unexpected repeat" occurred (example:
/.+\QX\E+/). /.+\QX\E+/).
(p) A buffer overflow could occur while sorting the names in the group name
list (depending on the order in which the names were seen).
4. Back references are now permitted in lookbehind assertions when there are 4. Back references are now permitted in lookbehind assertions when there are
no duplicated group numbers (that is, (?| has not been used), and, if the no duplicated group numbers (that is, (?| has not been used), and, if the
reference is by name, there is only one group of that name. The referenced reference is by name, there is only one group of that name. The referenced
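Review bot: item (p) records what could happen but not why, and the cause is what a later reader auditing the name table code will want. Suggest extending it along the lines of "(p) A buffer overflow could occur while sorting the names in the group name list, because the memmove that opened a slot for a new name used the total number of names rather than the number already in the table." The condition "depending on the order in which the names were seen" could also be made concrete: it happens when a later name sorts before an earlier one, which is the path that shifts existing entries.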


@ -8273,7 +8273,7 @@ for (i = 0; i < tablecount; i++)
if (crc < 0) if (crc < 0)
{ {
memmove(slot + cb->name_entry_size, slot, memmove(slot + cb->name_entry_size, slot,
CU2BYTES((cb->names_found - i) * cb->name_entry_size)); CU2BYTES((tablecount - i) * cb->name_entry_size));
break; break;
} }
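Review bot: the new bound is correct but depends on an invariant that is not stated at the call site. With CU2BYTES((tablecount - i) * cb->name_entry_size) the memmove shifts the entries at indexes i..tablecount-1 up by one, so the highest index written is tablecount, which is in bounds only because the table holds cb->names_found entries and this insertion runs while tablecount < cb->names_found. The old length (cb->names_found - i) shifted that many entries regardless of how many were present, so whenever a new name sorted before an existing one (the crc < 0 branch) the write reached index names_found, one entry past the end. Suggest a one-line comment above the memmove noting that tablecount < names_found holds here, or a debug-build assertion to that effect, so the next change to the sort loop does not reintroduce the overrun.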

testdata/testinput1

@ -5818,4 +5818,6 @@ ef) x/x,mark
/(Z)(a)\2{1,2}?(?-i)\1X/i /(Z)(a)\2{1,2}?(?-i)\1X/i
ZaAAZX ZaAAZX
/(?'c')XX(?'YYYYYYYYYYYYYYYYYYYYYYYCl')/
# End of testinput1 # End of testinput1
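Review bot: the new test line has no comment saying what it exercises, and the reason is non-obvious: the second group name begins with 'Y', which sorts before the first name 'c', so it has to be inserted ahead of the existing entry while the table holds one entry and is sized for two, which is exactly the memmove path that used to overrun. A short comment before the pattern (these files already use # comments, as at "# End of testinput1") would save the next reader from working that out; if the long second name is there to enlarge the entry size so a one-entry overrun is harder to miss under a sanitizer, say so in the same comment.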


@ -9295,4 +9295,6 @@ No match
1: Z 1: Z
2: a 2: a
/(?'c')XX(?'YYYYYYYYYYYYYYYYYYYYYYYCl')/
# End of testinput1 # End of testinput1
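Review bot: the expected output only echoes the pattern, so the test passes as long as compilation does not crash; it does not check that the two names ended up in sorted order. Consider giving the pattern the I (info) modifier so pcre2test prints the compiled pattern's information, including the named groups, and the expected output pins the sorted table, or add a subject line so a successful compile is at least observed through a match.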