Fix not diagnosis of missing ) for callout with string argument.

Philip.Hazel 2015-07-21 14:03:08 +00:00
parent 01c4647b02
commit 688151205d
4 changed files with 43 additions and 30 deletions


@ -62,6 +62,9 @@ first of these bugs was discovered by Karl Skomski with the LLVM fuzzer.
pcre2_compile() to run for a very long time. This bug was found by the LLVM pcre2_compile() to run for a very long time. This bug was found by the LLVM
fuzzer. fuzzer.
17. A missing closing parenthesis for a callout with a string argument was not
being diagnosed, possibly leading to a buffer overflow. This bug was found by
the LLVM fuzzer.
Version 10.20 30-June-2015 Version 10.20 30-June-2015


@ -3277,17 +3277,12 @@ for (; ptr < cb->end_pattern; ptr++)
if (IS_DIGIT(ptr[1])) if (IS_DIGIT(ptr[1]))
{ {
while (IS_DIGIT(ptr[1])) ptr++; while (IS_DIGIT(ptr[1])) ptr++;
if (ptr[1] != CHAR_RIGHT_PARENTHESIS)
{
errorcode = ERR39;
ptr++;
goto FAILED;
}
break;
} }
/* Handle a string argument */ /* Handle a string argument */
else
{
ptr++; ptr++;
delimiter = 0; delimiter = 0;
for (i = 0; PRIV(callout_start_delims)[i] != 0; i++) for (i = 0; PRIV(callout_start_delims)[i] != 0; i++)
@ -3317,6 +3312,16 @@ for (; ptr < cb->end_pattern; ptr++)
if (ptr[0] == delimiter && ptr[1] == delimiter) ptr += 2; if (ptr[0] == delimiter && ptr[1] == delimiter) ptr += 2;
} }
while (ptr[0] != delimiter); while (ptr[0] != delimiter);
}
/* Check terminating ) */
if (ptr[1] != CHAR_RIGHT_PARENTHESIS)
{
errorcode = ERR39;
ptr++;
goto FAILED;
}
break; break;
case CHAR_LEFT_PARENTHESIS: case CHAR_LEFT_PARENTHESIS:
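Review bot: The shared check `if (ptr[1] != CHAR_RIGHT_PARENTHESIS)` under the new `/* Check terminating ) */` comment reads one element past `ptr` without comparing against `cb->end_pattern`. When the closing delimiter or the last digit is the final pattern character, the read is only safe if the pattern buffer has a terminator at `end_pattern`, and that guarantee is not visible in these hunks. If it holds, a comment should record it, for example `/* ptr[1] is readable here: the pattern is terminated at end_pattern */`; if it does not, the guard could be `if (ptr + 1 >= cb->end_pattern || ptr[1] != CHAR_RIGHT_PARENTHESIS)`. The same applies to `while (IS_DIGIT(ptr[1])) ptr++;` in the numeric branch. The enclosing `for` loop and the `do`/`while` that scans the string argument begin outside the hunks shown.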

2
testdata/testinput5 vendored

@ -1651,4 +1651,6 @@
/$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?'X'8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?'X'))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/ /$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?'X'8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?'X'))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/
"(*UTF)(*UCP)(.UTF).+X(\V+;\^(\D|)!999}(?(?C{7(?C')\H*\S*/^\x5\xa\\xd3\x85n?(;\D*(?m).[^mH+((*UCP)(*U:F)})(?!^)(?'"
# End of testinput5 # End of testinput5


@ -4050,4 +4050,7 @@ Failed: error 122 at offset 1227: unmatched closing parenthesis
/$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?'X'8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?'X'))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/ /$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?'X'8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?'X'))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/
"(*UTF)(*UCP)(.UTF).+X(\V+;\^(\D|)!999}(?(?C{7(?C')\H*\S*/^\x5\xa\\xd3\x85n?(;\D*(?m).[^mH+((*UCP)(*U:F)})(?!^)(?'"
Failed: error 139 at offset 113: closing parenthesis for (?C expected
# End of testinput5 # End of testinput5