Fix comment between recursion and quantifier bug.

2015-03-29 11:15:32 +00:00 · 2015-03-29 11:15:32 +00:00 · 99bb61e903
parent 6b6e611b39
commit 99bb61e903
8 changed files with 89 additions and 21 deletions
--- a/4
+++ b/4
@ -41,6 +41,10 @@ the LLVM fuzzer.
 other kinds of group caused stack overflow at compile time. This bug was
 discovered by the LLVM fuzzer.

+11. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
+between a subroutine call and its quantifier was incorrectly compiled, leading
+to buffer overflow or other errors. This bug was discovered by the LLVM fuzzer.
+

 Version 10.10 06-March-2015
 ---------------------------
--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
@ -5025,15 +5025,25 @@ for (;; ptr++)
    an offset rather than an absolute address. */

    case CHAR_LEFT_PARENTHESIS:
-    newoptions = options;
-    skipbytes = 0;
-    bravalue = OP_CBRA;
-    save_hwm_offset = cb->hwm - cb->start_workspace;
-    reset_bracount = FALSE;
-
-    /* First deal with various "verbs" that can be introduced by '*'. */
-
    ptr++;
+
+    /* First deal with comments. Putting this code right at the start ensures
+    that comments have no bad side effects. */
+    
+    if (ptr[0] == CHAR_QUESTION_MARK && ptr[1] == CHAR_NUMBER_SIGN)
+      {   
+      ptr += 2;
+      while (ptr < cb->end_pattern && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
+      if (*ptr != CHAR_RIGHT_PARENTHESIS)
+        {
+        *errorcodeptr = ERR18;
+        goto FAILED;
+        }
+      continue;
+      }
+
+    /* Now deal with various "verbs" that can be introduced by '*'. */
+
    if (ptr[0] == CHAR_ASTERISK && (ptr[1] == ':'
         || (MAX_255(ptr[1]) && ((cb->ctypes[ptr[1]] & ctype_letter) != 0))))
      {
@ -5153,11 +5163,19 @@ for (;; ptr++)
      *errorcodeptr = ERR60;          /* Verb not recognized */
      goto FAILED;
      }
+      
+    /* Initialization for "real" parentheses */
+
+    newoptions = options;
+    skipbytes = 0;
+    bravalue = OP_CBRA;
+    save_hwm_offset = cb->hwm - cb->start_workspace;
+    reset_bracount = FALSE;

    /* Deal with the extended parentheses; all are introduced by '?', and the
    appearance of any of them means that this is not a capturing group. */

-    else if (*ptr == CHAR_QUESTION_MARK)
+    if (*ptr == CHAR_QUESTION_MARK)
      {
      int i, set, unset, namelen;
      int *optset;
@ -5166,17 +5184,6 @@ for (;; ptr++)

      switch (*(++ptr))
        {
-        case CHAR_NUMBER_SIGN:                 /* Comment; skip to ket */
-        ptr++;
-        while (ptr < cb->end_pattern && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
-        if (*ptr != CHAR_RIGHT_PARENTHESIS)
-          {
-          *errorcodeptr = ERR18;
-          goto FAILED;
-          }
-        continue;
-
-
        /* ------------------------------------------------------------ */
        case CHAR_VERTICAL_LINE:  /* Reset capture count for each branch */
        reset_bracount = TRUE;
@ -5188,7 +5195,6 @@ for (;; ptr++)
        ptr++;
        break;

-
        /* ------------------------------------------------------------ */
        case CHAR_LEFT_PARENTHESIS:
        bravalue = OP_COND;       /* Conditional group */
--- a/testdata/testinput1
+++ b/testdata/testinput1
@ -5712,4 +5712,7 @@ name)/mark

 "Z*(|d*){216}"

+"(?1)(?#?'){8}(a)"
+    baaaaaaaaac
+
 # End of testinput1 
--- a/testdata/testinput8
+++ b/testdata/testinput8
@ -140,4 +140,6 @@

 /((?+1)(\1))/

+"(?1)(?#?'){2}(a)"
+
 # End of testinput8
--- a/testdata/testoutput1
+++ b/testdata/testoutput1
@ -9422,4 +9422,9 @@ No match

 "Z*(|d*){216}"

+"(?1)(?#?'){8}(a)"
+    baaaaaaaaac
+ 0: aaaaaaaaa
+ 1: a
+
 # End of testinput1 
--- a/testdata/testoutput8-16
+++ b/testdata/testoutput8-16
@ -754,4 +754,20 @@ Memory allocation (code space): 14
 22     End
 ------------------------------------------------------------------

+"(?1)(?#?'){2}(a)"
+------------------------------------------------------------------
+  0  21 Bra
+  2   4 Once
+  4  14 Recurse
+  6   4 Ket
+  8   4 Once
+ 10  14 Recurse
+ 12   4 Ket
+ 14   5 CBra 1
+ 17     a
+ 19   5 Ket
+ 21  21 Ket
+ 23     End
+------------------------------------------------------------------
+
 # End of testinput8
--- a/testdata/testoutput8-32
+++ b/testdata/testoutput8-32
@ -754,4 +754,20 @@ Memory allocation (code space): 28
 22     End
 ------------------------------------------------------------------

+"(?1)(?#?'){2}(a)"
+------------------------------------------------------------------
+  0  21 Bra
+  2   4 Once
+  4  14 Recurse
+  6   4 Ket
+  8   4 Once
+ 10  14 Recurse
+ 12   4 Ket
+ 14   5 CBra 1
+ 17     a
+ 19   5 Ket
+ 21  21 Ket
+ 23     End
+------------------------------------------------------------------
+
 # End of testinput8
--- a/testdata/testoutput8-8
+++ b/testdata/testoutput8-8
@ -754,4 +754,20 @@ Memory allocation (code space): 10
 34     End
 ------------------------------------------------------------------

+"(?1)(?#?'){2}(a)"
+------------------------------------------------------------------
+  0  31 Bra
+  3   6 Once
+  6  21 Recurse
+  9   6 Ket
+ 12   6 Once
+ 15  21 Recurse
+ 18   6 Ket
+ 21   7 CBra 1
+ 26     a
+ 28   7 Ket
+ 31  31 Ket
+ 34     End
+------------------------------------------------------------------
+
 # End of testinput8