walkero
/
pcre2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity

Fix compile error for forward reference subroutine call within a group that 

also contained a recursive back reference.
This commit is contained in:
Philip.Hazel 2015-03-01 18:34:05 +00:00
parent ea03932668
commit c372df5dce
8 changed files with 75 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ChangeLog
View File

@ -105,6 +105,11 @@ referenced subpattern not found" when an incorrect memory address was read.
This bug was reported as "heap overflow", discovered by Kai Lu of Fortinet's This bug was reported as "heap overflow", discovered by Kai Lu of Fortinet's
FortiGuard Labs. FortiGuard Labs.
23. A pattern such as "((?+1)(\1))/" containing a forward reference subroutine
call within a group that also contained a recursive back reference caused
incorrect code to be compiled. This bug was reported as "heap overflow",
discovered by Kai Lu of Fortinet's FortiGuard Labs.
Version 10.00 05-January-2015 Version 10.00 05-January-2015
----------------------------- -----------------------------

5
src/pcre2_compile.c
View File

@ -6713,6 +6713,7 @@ int32_t firstcuflags, reqcuflags;
uint32_t branchfirstcu, branchreqcu; uint32_t branchfirstcu, branchreqcu;
int32_t branchfirstcuflags, branchreqcuflags; int32_t branchfirstcuflags, branchreqcuflags;
size_t length; size_t length;
size_t save_hwm_offset;
unsigned int orig_bracount; unsigned int orig_bracount;
unsigned int max_bracount; unsigned int max_bracount;
branch_chain bc; branch_chain bc;
@ -6734,6 +6735,8 @@ bc.current_branch = code;
firstcu = reqcu = 0; firstcu = reqcu = 0;
firstcuflags = reqcuflags = REQ_UNSET; firstcuflags = reqcuflags = REQ_UNSET;
save_hwm_offset = cb->hwm - cb->start_workspace; /* hwm at start of group */
/* Accumulate the length for use in the pre-compile phase. Start with the /* Accumulate the length for use in the pre-compile phase. Start with the
length of the BRA and KET and any extra code units that are required at the length of the BRA and KET and any extra code units that are required at the
beginning. We accumulate in a local variable to save frequent testing of beginning. We accumulate in a local variable to save frequent testing of
@ -6939,7 +6942,7 @@ for (;;)
{ {
*code = OP_END; *code = OP_END;
adjust_recurse(start_bracket, 1 + LINK_SIZE, adjust_recurse(start_bracket, 1 + LINK_SIZE,
(options & PCRE2_UTF) != 0, cb, cb->hwm - cb->start_workspace); (options & PCRE2_UTF) != 0, cb, save_hwm_offset);
memmove(start_bracket + 1 + LINK_SIZE, start_bracket, memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
CU2BYTES(code - start_bracket)); CU2BYTES(code - start_bracket));
*start_bracket = OP_ONCE; *start_bracket = OP_ONCE;

4
testdata/testinput2 vendored
View File

@ -4172,8 +4172,10 @@ a random value. /Ix
g g
g\=ovector=1 g\=ovector=1
# This pattern showed up a compile-time bug # These two pattern showeds up compile-time bugs
"((?2){0,1999}())?" "((?2){0,1999}())?"
/((?+1)(\1))/B
# End of testinput2 # End of testinput2

2
testdata/testinput8 vendored
View File

@ -138,4 +138,6 @@
/(((a\2)|(a*)\g<-1>))*a?/ /(((a\2)|(a*)\g<-1>))*a?/
/((?+1)(\1))/
# End of testinput8 # End of testinput8

17
testdata/testoutput2 vendored
View File

@ -13950,8 +13950,23 @@ Matched, but too many substrings
Matched, but too many substrings Matched, but too many substrings
0: g 0: g
# This pattern showed up a compile-time bug # These two pattern showeds up compile-time bugs
"((?2){0,1999}())?" "((?2){0,1999}())?"
/((?+1)(\1))/B
------------------------------------------------------------------
Bra
Once
CBra 1
Recurse
CBra 2
\1
Ket
Ket
Ket
Ket
End
------------------------------------------------------------------
# End of testinput2 # End of testinput2

15
testdata/testoutput8-16 vendored
View File

@ -739,4 +739,19 @@ Memory allocation (code space): 14
41 End 41 End
------------------------------------------------------------------ ------------------------------------------------------------------
/((?+1)(\1))/
------------------------------------------------------------------
0 20 Bra
2 16 Once
4 12 CBra 1
7 9 Recurse
9 5 CBra 2
12 \1
14 5 Ket
16 12 Ket
18 16 Ket
20 20 Ket
22 End
------------------------------------------------------------------
# End of testinput8 # End of testinput8

15
testdata/testoutput8-32 vendored
View File

@ -739,4 +739,19 @@ Memory allocation (code space): 28
41 End 41 End
------------------------------------------------------------------ ------------------------------------------------------------------
/((?+1)(\1))/
------------------------------------------------------------------
0 20 Bra
2 16 Once
4 12 CBra 1
7 9 Recurse
9 5 CBra 2
12 \1
14 5 Ket
16 12 Ket
18 16 Ket
20 20 Ket
22 End
------------------------------------------------------------------
# End of testinput8 # End of testinput8

15
testdata/testoutput8-8 vendored
View File

@ -739,4 +739,19 @@ Memory allocation (code space): 10
60 End 60 End
------------------------------------------------------------------ ------------------------------------------------------------------
/((?+1)(\1))/
------------------------------------------------------------------
0 31 Bra
3 25 Once
6 19 CBra 1
11 14 Recurse
14 8 CBra 2
19 \1
22 8 Ket
25 19 Ket
28 25 Ket
31 31 Ket
34 End
------------------------------------------------------------------
# End of testinput8 # End of testinput8