Fix repeated condition check by duplicated name bug.
This commit is contained in:
Philip.Hazel
parent
e653c5f142
commit
92739ef5d8
|
|
@ -111,6 +111,10 @@ incorrect code to be compiled when recursive forward references were involved.
|
|||
For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/. This bug was
|
||||
discovered by the LLVM fuzzer.
|
||||
|
||||
28. A repeated conditional group whose condition was a reference by name caused
|
||||
a buffer overflow if there was more than one group with the given name. This
|
||||
bug was discovered by the LLVM fuzzer.
|
||||
|
||||
|
||||
Version 10.10 06-March-2015
|
||||
---------------------------
|
||||
|
|
|
|||
|
|
@ -5425,7 +5425,8 @@ for (;; ptr++)
|
|||
the referenced name is one of a number of duplicates, a different
|
||||
opcode is used and it needs more memory. Unfortunately we cannot tell
|
||||
whether this is the case in the first pass, so we have to allow for
|
||||
more memory always. */
|
||||
more memory always. In the second pass, the additional to skipunits
|
||||
happens later. */
|
||||
|
||||
else
|
||||
{
|
||||
|
|
@ -5445,7 +5446,7 @@ for (;; ptr++)
|
|||
ptr++;
|
||||
}
|
||||
namelen = (int)(ptr - name);
|
||||
if (lengthptr != NULL) *lengthptr += IMM2_SIZE;
|
||||
if (lengthptr != NULL) skipunits += IMM2_SIZE;
|
||||
}
|
||||
|
||||
/* Check the terminator */
|
||||
|
|
@ -8010,8 +8011,6 @@ if (cb.names_found > 0)
|
|||
error, errorcode will be set non-zero, so we don't need to look at the result
|
||||
of the function here. */
|
||||
|
||||
/* fprintf(stderr, "+++\n\nPASS TWO\n"); */
|
||||
|
||||
ptr = pattern + skipatstart;
|
||||
code = (PCRE2_UCHAR *)codestart;
|
||||
*code = OP_BRA;
|
||||
|
|
@ -8068,9 +8067,6 @@ if (cb.hwm > cb.start_workspace)
|
|||
cb.hwm -= LINK_SIZE;
|
||||
offset = GET(cb.hwm, 0);
|
||||
recno = GET(codestart, offset);
|
||||
|
||||
/* fprintf(stderr, "+++offset=%d recno=%d\n", offset, recno); */
|
||||
|
||||
if (recno != prev_recno)
|
||||
{
|
||||
groupptr = PRIV(find_bracket)(codestart, utf, recno);
|
||||
|
|
|
|||
|
|
@ -4298,4 +4298,12 @@ a random value. /Ix
|
|||
|
||||
/\V\x85\9*+((?2)\3++()2)*:2/
|
||||
|
||||
/(((?(R)){0,2}) (?''((?'R')((?'R')))))/dupnames
|
||||
|
||||
/(((?(X)){0,2}) (?''((?'X')((?'X')))))/dupnames
|
||||
|
||||
/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
|
||||
|
||||
/$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?''8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?''))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/
|
||||
|
||||
# End of testinput2
|
||||
|
|
|
|||
|
|
@ -14397,4 +14397,12 @@ Failed: error 115 at offset 22: reference to non-existent subpattern
|
|||
/\V\x85\9*+((?2)\3++()2)*:2/
|
||||
Failed: error 115 at offset 26: reference to non-existent subpattern
|
||||
|
||||
/(((?(R)){0,2}) (?''((?'R')((?'R')))))/dupnames
|
||||
|
||||
/(((?(X)){0,2}) (?''((?'X')((?'X')))))/dupnames
|
||||
|
||||
/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
|
||||
|
||||
/$(&.+[\p{Me}].\s\xdcC*?(?(<y>))(?<!^)$C((;*?(R))+(?(R)){0,6}?|){12\x8a\X*?\x8a\x0b\xd1^9\3*+(\xc1,\k'P'\xb4)\xcc(z\z(?JJ)(?''8};(\x0b\xd1^9\?'3*+(\xc1.]k+\x0b'Pm'\xb4\xcc4'\xd1'(?''))?-%--\x95$9*\4'|\xd1(''%\x95*$9)#(?'R')3\x07?('P\xed')\\x16:;()\x1e\x10*:(?<y>)\xd1+!~:(?)''(d'E:yD!\s(?'R'\x1e;\x10:U))|')g!\xb0*){29+))#(?'P'})*?/
|
||||
|
||||
# End of testinput2
|
||||
|
|
|
|||
Loading…
Reference in New Issue