walkero
/
pcre2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Fix comment between recursion and quantifier bug.

This commit is contained in:
Philip.Hazel 2015-03-29 11:15:32 +00:00
parent 6b6e611b39
commit 99bb61e903
8 changed files with 89 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@ -41,6 +41,10 @@ the LLVM fuzzer.
other kinds of group caused stack overflow at compile time. This bug was other kinds of group caused stack overflow at compile time. This bug was
discovered by the LLVM fuzzer. discovered by the LLVM fuzzer.
11. A pattern such as /(?1)(?#?'){8}(a)/ which had a parenthesized comment
between a subroutine call and its quantifier was incorrectly compiled, leading
to buffer overflow or other errors. This bug was discovered by the LLVM fuzzer.
Version 10.10 06-March-2015 Version 10.10 06-March-2015
--------------------------- ---------------------------

48
src/pcre2_compile.c
View File

@ -5025,15 +5025,25 @@ for (;; ptr++)
an offset rather than an absolute address. */ an offset rather than an absolute address. */
case CHAR_LEFT_PARENTHESIS: case CHAR_LEFT_PARENTHESIS:
newoptions = options;
skipbytes = 0;
bravalue = OP_CBRA;
save_hwm_offset = cb->hwm - cb->start_workspace;
reset_bracount = FALSE;
/* First deal with various "verbs" that can be introduced by '*'. */
ptr++; ptr++;
/* First deal with comments. Putting this code right at the start ensures
that comments have no bad side effects. */
if (ptr[0] == CHAR_QUESTION_MARK && ptr[1] == CHAR_NUMBER_SIGN)
{
ptr += 2;
while (ptr < cb->end_pattern && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
if (*ptr != CHAR_RIGHT_PARENTHESIS)
{
*errorcodeptr = ERR18;
goto FAILED;
}
continue;
}
/* Now deal with various "verbs" that can be introduced by '*'. */
if (ptr[0] == CHAR_ASTERISK && (ptr[1] == ':' if (ptr[0] == CHAR_ASTERISK && (ptr[1] == ':'
|| (MAX_255(ptr[1]) && ((cb->ctypes[ptr[1]] & ctype_letter) != 0)))) || (MAX_255(ptr[1]) && ((cb->ctypes[ptr[1]] & ctype_letter) != 0))))
{ {
@ -5153,11 +5163,19 @@ for (;; ptr++)
*errorcodeptr = ERR60; /* Verb not recognized */ *errorcodeptr = ERR60; /* Verb not recognized */
goto FAILED; goto FAILED;
} }
/* Initialization for "real" parentheses */
newoptions = options;
skipbytes = 0;
bravalue = OP_CBRA;
save_hwm_offset = cb->hwm - cb->start_workspace;
reset_bracount = FALSE;
/* Deal with the extended parentheses; all are introduced by '?', and the /* Deal with the extended parentheses; all are introduced by '?', and the
appearance of any of them means that this is not a capturing group. */ appearance of any of them means that this is not a capturing group. */
else if (*ptr == CHAR_QUESTION_MARK) if (*ptr == CHAR_QUESTION_MARK)
{ {
int i, set, unset, namelen; int i, set, unset, namelen;
int *optset; int *optset;
@ -5166,17 +5184,6 @@ for (;; ptr++)
switch (*(++ptr)) switch (*(++ptr))
{ {
case CHAR_NUMBER_SIGN: /* Comment; skip to ket */
ptr++;
while (ptr < cb->end_pattern && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
if (*ptr != CHAR_RIGHT_PARENTHESIS)
{
*errorcodeptr = ERR18;
goto FAILED;
}
continue;
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */ case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */
reset_bracount = TRUE; reset_bracount = TRUE;
@ -5188,7 +5195,6 @@ for (;; ptr++)
ptr++; ptr++;
break; break;
/* ------------------------------------------------------------ */ /* ------------------------------------------------------------ */
case CHAR_LEFT_PARENTHESIS: case CHAR_LEFT_PARENTHESIS:
bravalue = OP_COND; /* Conditional group */ bravalue = OP_COND; /* Conditional group */

3
testdata/testinput1 vendored
View File

@ -5712,4 +5712,7 @@ name)/mark
"Z*(|d*){216}" "Z*(|d*){216}"
"(?1)(?#?'){8}(a)"
baaaaaaaaac
# End of testinput1 # End of testinput1

2
testdata/testinput8 vendored
View File

@ -140,4 +140,6 @@
/((?+1)(\1))/ /((?+1)(\1))/
"(?1)(?#?'){2}(a)"
# End of testinput8 # End of testinput8

5
testdata/testoutput1 vendored
View File

@ -9422,4 +9422,9 @@ No match
"Z*(|d*){216}" "Z*(|d*){216}"
"(?1)(?#?'){8}(a)"
baaaaaaaaac
0: aaaaaaaaa
1: a
# End of testinput1 # End of testinput1

16
testdata/testoutput8-16 vendored
View File

@ -754,4 +754,20 @@ Memory allocation (code space): 14
22 End 22 End
------------------------------------------------------------------ ------------------------------------------------------------------
"(?1)(?#?'){2}(a)"
------------------------------------------------------------------
0 21 Bra
2 4 Once
4 14 Recurse
6 4 Ket
8 4 Once
10 14 Recurse
12 4 Ket
14 5 CBra 1
17 a
19 5 Ket
21 21 Ket
23 End
------------------------------------------------------------------
# End of testinput8 # End of testinput8

16
testdata/testoutput8-32 vendored
View File

@ -754,4 +754,20 @@ Memory allocation (code space): 28
22 End 22 End
------------------------------------------------------------------ ------------------------------------------------------------------
"(?1)(?#?'){2}(a)"
------------------------------------------------------------------
0 21 Bra
2 4 Once
4 14 Recurse
6 4 Ket
8 4 Once
10 14 Recurse
12 4 Ket
14 5 CBra 1
17 a
19 5 Ket
21 21 Ket
23 End
------------------------------------------------------------------
# End of testinput8 # End of testinput8

16
testdata/testoutput8-8 vendored
View File

@ -754,4 +754,20 @@ Memory allocation (code space): 10
34 End 34 End
------------------------------------------------------------------ ------------------------------------------------------------------
"(?1)(?#?'){2}(a)"
------------------------------------------------------------------
0 31 Bra
3 6 Once
6 21 Recurse
9 6 Ket
12 6 Once
15 21 Recurse
18 6 Ket
21 7 CBra 1
26 a
28 7 Ket
31 31 Ket
34 End
------------------------------------------------------------------
# End of testinput8 # End of testinput8