walkero
/
pcre2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Fix overlong (*MARK) or (*THEN) names bug.

This commit is contained in:
Philip.Hazel 2015-10-28 09:25:31 +00:00
parent c82273cc74
commit 9577d9e165
7 changed files with 39 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@ -217,6 +217,9 @@ message if there were only single-character modifiers. It should be ignored.
or segmentation errors for some patterns. Found with libFuzzer and
AddressSanitizer.
63. Very long names in (*MARK) or (*THEN) items could provoke a buffer
overflow.
Version 10.20 30-June-2015
--------------------------

18
src/pcre2_compile.c
View File

@ -5645,7 +5645,7 @@ for (;; ptr++)
/* Handle other cases with/without an argument */
else if (arglen == 0)
else if (arglen == 0) /* There is no argument */
{
if (verbs[i].op < 0) /* Argument is mandatory */
{
@ -5655,7 +5655,7 @@ for (;; ptr++)
setverb = *code++ = verbs[i].op;
}
else
else /* An argument is present */
{
if (verbs[i].op_arg < 0) /* Argument is forbidden */
{
@ -5663,6 +5663,19 @@ for (;; ptr++)
goto FAILED;
}
setverb = *code++ = verbs[i].op_arg;
/* Arguments can be very long, especially in 16- and 32-bit modes,
and can overflow the workspace in the first pass. Instead of
putting the argument into memory, we just update the length counter
and set up an empty argument. */
if (lengthptr != NULL)
{
*lengthptr += arglen;
*code++ = 0;
}
else
{
*code++ = arglen;
if ((options & PCRE2_ALT_VERBNAMES) != 0)
{
@ -5676,6 +5689,7 @@ for (;; ptr++)
memcpy(code, arg, CU2BYTES(arglen));
code += arglen;
}
}
*code++ = 0;
}

2
testdata/testinput11 vendored
View File

File diff suppressed because one or more lines are too long

2
testdata/testinput9 vendored
View File

@ -252,4 +252,6 @@
/(*MARK:a\x{100}b)z/alt_verbnames
/(?'ABC'[bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar](*THEN:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))/
# End of testinput9

2
testdata/testoutput11-16 vendored
View File

File diff suppressed because one or more lines are too long

2
testdata/testoutput11-32 vendored
View File

File diff suppressed because one or more lines are too long

2
testdata/testoutput9 vendored
View File

@ -355,4 +355,6 @@ Failed: error 177 at offset 6: character code point value in \u.... sequence is
/(*MARK:a\x{100}b)z/alt_verbnames
Failed: error 134 at offset 14: character code point value in \x{} or \o{} is too large
/(?'ABC'[bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar]([bar](*THEN:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))/
# End of testinput9