A better fix for oss-fuzz 1465.

Philip.Hazel 2017-05-11 16:28:54 +00:00
parent ab1e3c9309
commit cd4a219626
3 changed files with 11 additions and 6 deletions


@ -793,7 +793,11 @@ typedef struct heapframe {
#endif #endif
/* The rest have to be copied from the previous frame whenever a new frame /* The rest have to be copied from the previous frame whenever a new frame
becomes current. */ becomes current. The final field is specified as a large vector so that
runtime array bound checks don't catch references to it. However, for any
specific call to pcre2_match() the memory allocated for each frame structure
allows for exactly the right size ovector for the number of capturing
parentheses. */
PCRE2_SPTR eptr; /* MUST BE FIRST */ PCRE2_SPTR eptr; /* MUST BE FIRST */
PCRE2_SPTR start_match; /* Can be adjusted by \K */ PCRE2_SPTR start_match; /* Can be adjusted by \K */
@ -802,7 +806,7 @@ typedef struct heapframe {
uint32_t capture_last; /* Most recent capture */ uint32_t capture_last; /* Most recent capture */
PCRE2_SIZE last_group_offset; /* Saved offset to most recent group frame */ PCRE2_SIZE last_group_offset; /* Saved offset to most recent group frame */
PCRE2_SIZE offset_top; /* Offset after highest capture */ PCRE2_SIZE offset_top; /* Offset after highest capture */
PCRE2_SIZE ovector[2]; /* Must be last in the structure */ PCRE2_SIZE ovector[10000]; /* Must be last in the structure */
} heapframe; } heapframe;
typedef char check_heapframe_size[ typedef char check_heapframe_size[
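Review bot: With `ovector` declared as `[10000]`, `sizeof(heapframe)` no longer describes a real frame (it now includes roughly 10000 * sizeof(PCRE2_SIZE) bytes of vector) and must not be used to allocate a frame or to declare a `heapframe` as a local; the new struct comment should state that explicitly, e.g. `/* NOTE: sizeof(heapframe) is not a usable frame size; allocate offsetof(heapframe, ovector) + 2 * top_bracket * sizeof(PCRE2_SIZE) bytes. */`. The `check_heapframe_size` typedef that follows runs past the hunk and should be re-checked if it is built on `sizeof(heapframe)`. The oversize declaration also makes the -fsanitize=undefined array-bound check inert for any ovector index below 10000, so a genuine overrun within that range is no longer detected; conversely, if a pattern can carry more than 4999 capturing groups, indexes at or beyond 10000 would again trip the check, so the constant should be tied to the compiler's group limit rather than left as a bare number. The `typedef struct heapframe` itself begins before the hunk.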


@ -189,7 +189,7 @@ end of the backtrack frame, but when there are capturing parentheses the space
allocated is bigger so we want to be able to address more elements. Without the allocated is bigger so we want to be able to address more elements. Without the
case, -fsanitize=undefined grumbles at this. */ case, -fsanitize=undefined grumbles at this. */
#define Fovector ((PCRE2_SIZE *)(F->ovector)) #define Fovector F->ovector
#ifdef DEBUG_FRAMES_DISPLAY #ifdef DEBUG_FRAMES_DISPLAY
@ -6281,7 +6281,8 @@ The last of these is changed within the match() function if the frame vector
has to be expanded. We therefore put it into the match block so that it is has to be expanded. We therefore put it into the match block so that it is
correct when calling match() more than once for non-anchored patterns. */ correct when calling match() more than once for non-anchored patterns. */
frame_size = sizeof(heapframe) + ((re->top_bracket - 1) * 2 * sizeof(PCRE2_SIZE)); frame_size = offsetof(heapframe, ovector) +
re->top_bracket * 2 * sizeof(PCRE2_SIZE);
/* Limits set in the pattern override the match context only if they are /* Limits set in the pattern override the match context only if they are
smaller. */ smaller. */
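Review bot: The comment ending "Without the case, -fsanitize=undefined grumbles at this." in the first hunk still explains the `(PCRE2_SIZE *)` cast that the new `#define Fovector F->ovector` removes, so it is now stale and should be rewritten to describe the new arrangement, e.g. `/* ovector is declared oversize in heapframe so that bound checks accept indexes up to 2 * top_bracket; each frame is allocated at frame_size, not sizeof(heapframe). */`. In the second hunk, `frame_size = offsetof(heapframe, ovector) + re->top_bracket * 2 * sizeof(PCRE2_SIZE)` duplicates the expression added in the `PCRE2_INFO_FRAMESIZE` case of the third file; a single shared macro next to the `heapframe` definition would keep the two from drifting, and `offsetof` presumably already has `<stddef.h>` in scope in both files (not visible here). The enclosing function of the second hunk starts and ends outside the hunk.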


@ -160,8 +160,8 @@ switch(what)
break; break;
case PCRE2_INFO_FRAMESIZE: case PCRE2_INFO_FRAMESIZE:
*((size_t *)where) = sizeof(heapframe) + *((size_t *)where) = offsetof(heapframe, ovector) +
((re->top_bracket - 1) * 2 * sizeof(PCRE2_SIZE)); re->top_bracket * 2 * sizeof(PCRE2_SIZE);
break; break;
case PCRE2_INFO_HASBACKSLASHC: case PCRE2_INFO_HASBACKSLASHC: