Fix forward reference by name to duplicate group number bug.

This commit is contained in:
Philip.Hazel 2015-05-16 11:01:48 +00:00
parent 56444e9978
commit 6f94ece67d
4 changed files with 20 additions and 0 deletions

View File

@ -119,6 +119,10 @@ bug was discovered by the LLVM fuzzer.
another group caused a buffer overflow. For example: /(?J)(?'d'(?'d'\g{d}))/. another group caused a buffer overflow. For example: /(?J)(?'d'(?'d'\g{d}))/.
This bug was discovered by the LLVM fuzzer. This bug was discovered by the LLVM fuzzer.
30. A forward reference by name to a group whose number is the same as the
current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused a
buffer overflow at compile time. This bug was discovered by the LLVM fuzzer.
Version 10.10 06-March-2015 Version 10.10 06-March-2015
--------------------------- ---------------------------

View File

@ -5984,6 +5984,14 @@ for (;; ptr++)
not be set at the point of reference. */ not be set at the point of reference. */
*lengthptr += IMM2_SIZE; *lengthptr += IMM2_SIZE;
/* If this is a forward reference and we are within a (?|...) group,
the reference may end up as the number of a group which we are
currently inside, that is, it could be a recursive reference. In the
real compile this will be picked up and the reference wrapped with
OP_ONCE to make it atomic, so we must space in case this occurs. */
if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
} }
/* In the real compile, search the name table. We check the name /* In the real compile, search the name table. We check the name

3
testdata/testinput1 vendored
View File

@ -5724,4 +5724,7 @@ name)/mark
/(?1)()((((((\1++))\x85)+)|))/ /(?1)()((((((\1++))\x85)+)|))/
\x85\x85 \x85\x85
"(?|(\k'Pm')|(?'Pm'))"
abcd
# End of testinput1 # End of testinput1

View File

@ -9458,4 +9458,9 @@ No match
6: 6:
7: 7:
"(?|(\k'Pm')|(?'Pm'))"
abcd
0:
1:
# End of testinput1 # End of testinput1