Fix subject buffer overread in JIT. Found by Yunho Kim.

2018-09-18 10:19:14 +00:00 · 2018-09-18 10:19:14 +00:00 · 80adf9d165
parent aa2687737d
commit 80adf9d165
3 changed files with 8 additions and 1 deletions
--- a/3
+++ b/3
@ -9,6 +9,9 @@ Version 10.33-RC1 15-September-2018
 ovector that shouldn't be changed, in particular after substitute and failed or 
 partial matches.

+2. Fix subject buffer overread in JIT when UTF is disabled and \X or \R has
+a greater than 1 fixed quantifier. This issue was found by Yunho Kim.
+

 Version 10.32 10-September-2018
 -------------------------------
--- a/src/pcre2_jit_compile.c
+++ b/src/pcre2_jit_compile.c
@ -11268,7 +11268,7 @@ if (exact > 1)
 #ifdef SUPPORT_UNICODE
      && !common->utf
 #endif
-      )
+      && type != OP_ANYNL && type != OP_EXTUNI)
    {
    OP2(SLJIT_ADD, TMP1, 0, STR_PTR, 0, SLJIT_IMM, IN_UCHARS(exact));
    add_jump(compiler, &backtrack->topbacktracks, CMP(SLJIT_GREATER, TMP1, 0, STR_END, 0));
--- a/src/pcre2_jit_test.c
+++ b/src/pcre2_jit_test.c
@ -1948,6 +1948,10 @@ static struct invalid_utf8_regression_test_case invalid_utf8_regression_test_cas
 	{ PCRE2_UTF, CI, 0, 0, 0, 4, 8, { "#\xc7\x85#", NULL }, "\x80\x80#\xc7#\xc7\x85#" },
 	{ PCRE2_UTF, CI, 0, 0, 0, 7, 11, { "#\xc7\x85#", NULL }, "\x80\x80#\xc7\x80\x80\x80#\xc7\x85#" },

+	/* These two are not invalid UTF tests, but this infrastructure fits better for them. */
+	{ 0, PCRE2_JIT_COMPLETE, 0, 0, 1, -1, -1, { "\\X{2}", NULL }, "\r\n\n" },
+	{ 0, PCRE2_JIT_COMPLETE, 0, 0, 1, -1, -1, { "\\R{2}", NULL }, "\r\n\n" },
+
 	{ 0, 0, 0, 0, 0, 0, 0, { NULL, NULL }, NULL }
 };