diff --git a/ChangeLog b/ChangeLog
index 078aca3..06f8259 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -108,6 +108,9 @@ character.
 28. If pcre2grep was given the -q option with -c or -l, or when handling a binary file, it incorrectly wrote output to stdout.
+29. The JIT compiler did not restore the control verb head in case of *THEN
+control verbs. This issue was found by Karl Skomski with a custom LLVM fuzzer.
+
 Version 10.20 30-June-2015
 --------------------------
diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
index 9a1e4fd..49ddd94 100644
--- a/src/pcre2_jit_compile.c
+++ b/src/pcre2_jit_compile.c
@@ -1472,6 +1472,13 @@ while (cc < ccend)
 cc += 1 + LINK_SIZE + IMM2_SIZE;
 break;
+ case OP_THEN:
+ stack_restore = TRUE;
+ if (common->control_head_ptr != 0)
+ *needs_control_head = TRUE;
+ cc ++;
+ break;
+
 default:
 stack_restore = TRUE;
 /* Fall through. */
diff --git a/testdata/testinput2 b/testdata/testinput2
index 6e32910..db46337 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4412,4 +4412,7 @@ a random value.
 /Ix
 /((?(R8000000000)))/
+/0(?0)|(1)(*THEN)(*SKIP:0)(*FAIL)/
+ 01
+
 # End of testinput2
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index 689a709..dcbc104 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14667,4 +14667,8 @@ Failed: error 161 at offset 13: number is too big
 /((?(R8000000000)))/
 Failed: error 161 at offset 16: number is too big
+/0(?0)|(1)(*THEN)(*SKIP:0)(*FAIL)/
+ 01
+No match
+
 # End of testinput2
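Review bot: The new `case OP_THEN:` arm in pcre2_jit_compile.c carries no comment saying why a bare (*THEN) must set `stack_restore` and request the control head when the preceding arm does not, so the next reader has to find ChangeLog entry 29 to learn this is the fuzzer-found restore fix; a line such as `/* A bare (*THEN) needs the control verb head restored as well; see ChangeLog item 29. */` above `stack_restore = TRUE;` would keep that rationale next to the code. The `cc ++;` spelling with a space before the operator reads like a typo beside `cc += 1 + LINK_SIZE + IMM2_SIZE;`; `cc++;` is the conventional form. Whether the argument-carrying (*THEN:...) form takes the same path cannot be seen in this hunk; if it is handled in another arm, a cross-reference here would help. The enclosing `while (cc < ccend)` loop and its function both start and end outside the hunk.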