From a7c9027ae638f2af635f1bcc15fb8495a305abf7 Mon Sep 17 00:00:00 2001 From: "Philip.Hazel" Date: Thu, 3 Dec 2015 18:36:36 +0000 Subject: [PATCH] Fix \) in (*verb) "name" bug. --- ChangeLog | 4 ++++ src/pcre2_compile.c | 24 ++++++++++++++++++++++-- testdata/testinput2 | 2 ++ testdata/testoutput2 | 3 +++ 4 files changed, 31 insertions(+), 2 deletions(-) diff --git a/ChangeLog b/ChangeLog index 76183f5..6ecc00e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -376,6 +376,10 @@ of a pattern is no longer transferred to the options that are returned by PCRE2_INFO_ALLOPTIONS. In fact, this was an anachronism that should have changed when the effects of those options were all moved to compile time. +109. An escaped closing parenthesis in the "name" part of a (*verb) when +PCRE2_ALT_VERBNAMES was set caused pcre2_compile() to malfunction. This bug +was found by the LLVM fuzzer. + Version 10.20 30-June-2015 -------------------------- diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c index b959c38..3a76401 100644 --- a/src/pcre2_compile.c +++ b/src/pcre2_compile.c @@ -2978,6 +2978,7 @@ Arguments: ptrptr pointer to the input pointer codeptr pointer to the compiled code pointer errorcodeptr pointer to the error code + options the options bits utf TRUE if processing UTF cb compile data block 
@@ -3375,10 +3376,29 @@ for (; ptr < cb->end_pattern; ptr++) { if ((options & PCRE2_NO_AUTO_CAPTURE) == 0) cb->bracount++; } - else /* (*something) - just skip to closing ket */ + + /* (*something) - just skip to closing ket unless PCRE2_ALT_VERBNAMES is + set, in which case we have to process escapes in the string after the + name. */ + + else { ptr += 2; - while (ptr < cb->end_pattern && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++; + while (MAX_255(*ptr) && (cb->ctypes[*ptr] & ctype_word) != 0) ptr++; + if (*ptr == CHAR_COLON) + { + ptr++; + if ((options & PCRE2_ALT_VERBNAMES) != 0) + { + if (process_verb_name(&ptr, NULL, &errorcode, options, utf, cb) < 0) + goto FAILED; + } + else + { + while (ptr < cb->end_pattern && *ptr != CHAR_RIGHT_PARENTHESIS) + ptr++; + } + } nest_depth--; } } diff --git a/testdata/testinput2 b/testdata/testinput2 index 42a859d..519a779 100644 --- a/testdata/testinput2 +++ b/testdata/testinput2 @@ -4735,4 +4735,6 @@ a)"xI /#comment (?-x):?/extended +/(8(*:6^\x09x\xa6l\)6!|\xd0:[^:|)\x09d\Z\d{85*m(?'(?<1!)*\W[*\xff]!!h\w]*\xbe;/alt_bsux,alt_verbnames,allow_empty_class,dollar_endonly,extended,multiline,never_utf,no_dotstar_anchor,no_start_optimize + # End of testinput2 diff --git a/testdata/testoutput2 b/testdata/testoutput2 index 55ebd5d..0c03433 100644 --- a/testdata/testoutput2 +++ b/testdata/testoutput2 @@ -15054,4 +15054,7 @@ Subject length lower bound = 0 /#comment (?-x):?/extended +/(8(*:6^\x09x\xa6l\)6!|\xd0:[^:|)\x09d\Z\d{85*m(?'(?<1!)*\W[*\xff]!!h\w]*\xbe;/alt_bsux,alt_verbnames,allow_empty_class,dollar_endonly,extended,multiline,never_utf,no_dotstar_anchor,no_start_optimize +Failed: error 124 at offset 49: letter or underscore expected after (?< or (?' + # End of testinput2
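Review bot: The new name-skipping loop `while (MAX_255(*ptr) && (cb->ctypes[*ptr] & ctype_word) != 0) ptr++;` and the `*ptr == CHAR_COLON` test after it read through `ptr` without comparing it to `cb->end_pattern`, although the loop this hunk removes and the non-ALT_VERBNAMES branch it keeps both carry that bound. Unless the pattern buffer is guaranteed to end in a non-word sentinel (not visible here), a pattern that stops inside a verb name (constructed example: a trailing `(*abc`) would be read past its end in this pre-scan. Consider `while (ptr < cb->end_pattern && MAX_255(*ptr) && (cb->ctypes[*ptr] & ctype_word) != 0) ptr++;` and `if (ptr < cb->end_pattern && *ptr == CHAR_COLON)`. The enclosing `for` loop and the `FAILED` label lie outside the hunk, so it is also worth confirming there that a verb with neither a colon nor an immediate `)` after the name still leaves `nest_depth` consistent, since the old code always advanced to the closing parenthesis before decrementing.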