Fix overlong (*MARK) or (*THEN) names bug.

2015-10-28 09:25:31 +00:00 · 2015-10-28 09:25:31 +00:00 · 9577d9e165
parent c82273cc74
commit 9577d9e165
7 changed files with 39 additions and 12 deletions
--- a/3
+++ b/3
@ -217,6 +217,9 @@ message if there were only single-character modifiers. It should be ignored.
 or segmentation errors for some patterns. Found with libFuzzer and
 AddressSanitizer.

+63. Very long names in (*MARK) or (*THEN) items could provoke a buffer 
+overflow.
+

 Version 10.20 30-June-2015
 --------------------------
--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
@ -5645,7 +5645,7 @@ for (;; ptr++)

          /* Handle other cases with/without an argument */

-          else if (arglen == 0)
+          else if (arglen == 0)    /* There is no argument */
            {
            if (verbs[i].op < 0)   /* Argument is mandatory */
              {
@ -5655,26 +5655,40 @@ for (;; ptr++)
            setverb = *code++ = verbs[i].op;
            }

-          else
+          else                        /* An argument is present */
            {
-            if (verbs[i].op_arg < 0)   /* Argument is forbidden */
+            if (verbs[i].op_arg < 0)  /* Argument is forbidden */
              {
              *errorcodeptr = ERR59;
              goto FAILED;
              }
            setverb = *code++ = verbs[i].op_arg;
-            *code++ = arglen;
-            if ((options & PCRE2_ALT_VERBNAMES) != 0)
+
+            /* Arguments can be very long, especially in 16- and 32-bit modes,
+            and can overflow the workspace in the first pass. Instead of
+            putting the argument into memory, we just update the length counter
+            and set up an empty argument. */
+
+            if (lengthptr != NULL)
              {
-              PCRE2_UCHAR *memcode = code;  /* code is "register" */
-              (void)process_verb_name(&arg, &memcode, errorcodeptr, options,
-                utf, cb);
-              code = memcode;
+              *lengthptr += arglen;
+              *code++ = 0;
              }
-            else   /* No argument processing */
+            else
              {
-              memcpy(code, arg, CU2BYTES(arglen));
-              code += arglen;
+              *code++ = arglen;
+              if ((options & PCRE2_ALT_VERBNAMES) != 0)
+                {
+                PCRE2_UCHAR *memcode = code;  /* code is "register" */
+                (void)process_verb_name(&arg, &memcode, errorcodeptr, options,
+                  utf, cb);
+                code = memcode;
+                }
+              else   /* No argument processing */
+                {
+                memcpy(code, arg, CU2BYTES(arglen));
+                code += arglen;
+                }
              }

            *code++ = 0;
--- a/testdata/testinput11
+++ b/testdata/testinput11
--- a/testdata/testinput9
+++ b/testdata/testinput9
@ -252,4 +252,6 @@

 /(*MARK:a\x{100}b)z/alt_verbnames 

+/(?'ABC'[bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar](*THEN:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))/
+
 # End of testinput9
--- a/testdata/testoutput11-16
+++ b/testdata/testoutput11-16
--- a/testdata/testoutput11-32
+++ b/testdata/testoutput11-32
--- a/testdata/testoutput9
+++ b/testdata/testoutput9
@ -355,4 +355,6 @@ Failed: error 177 at offset 6: character code point value in \u.... sequence is
 /(*MARK:a\x{100}b)z/alt_verbnames 
 Failed: error 134 at offset 14: character code point value in \x{} or \o{} is too large

+/(?'ABC'[bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar](*THEN:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))/
+
 # End of testinput9