From e533e0f77447338f407723d46e138df76cb9830a Mon Sep 17 00:00:00 2001 From: "Philip.Hazel" Date: Fri, 4 Nov 2016 11:05:21 +0000 Subject: [PATCH] Fix overrun for unterminated number after \g' --- ChangeLog | 7 ++++++- src/pcre2_compile.c | 2 +- testdata/testinput2 | 6 ++++-- testdata/testoutput2 | 8 ++++++-- 4 files changed, 17 insertions(+), 6 deletions(-) diff --git a/ChangeLog b/ChangeLog index 0ea3438..19e0230 100644 --- a/ChangeLog +++ b/ChangeLog @@ -48,7 +48,10 @@ parenthesis item, not the length of the whole group. A length of zero is now given only for a callout at the end of the pattern. Automatic callouts are no longer inserted before and after explicit callouts in the pattern. -Some bugs in the refactored code were subsequently fixed before release: +Some bugs in the refactored code were subsequently fixed before release. +Several of them were related to the change from assuming a zero-terminated +pattern (which previously had required non-zero terminated strings to be +copied). (a) An overall recursion such as (?0) inside a lookbehind assertion was not being diagnosed as an error. @@ -74,6 +77,8 @@ Some bugs in the refactored code were subsequently fixed before release: (g) When reading a callout string, if the end delimiter was at the end of the pattern one further code unit was read. + + (h) An unterminated number after \g' could cause reading beyond the pattern. 4. Back references are now permitted in lookbehind assertions when there are no duplicated group numbers (that is, (?| has not been used), and, if the diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c index a05946b..850ba7b 100644 --- a/src/pcre2_compile.c +++ b/src/pcre2_compile.c @@ -2577,7 +2577,7 @@ while (ptr < ptrend) if (read_number(&p, ptrend, cb->bracount, MAX_GROUP_NUMBER, ERR61, &i, &errorcode)) { - if (*p != terminator) + if (p >= ptrend || *p != terminator) { errorcode = ERR57; goto FAILED; diff --git a/testdata/testinput2 b/testdata/testinput2 index 92b0f32..a25dc00 100644 
--- a/testdata/testinput2 +++ b/testdata/testinput2 @@ -4900,8 +4900,10 @@ a)"xI /(?*?\g'0/use_length + +/.>*?\g'0/ # End of testinput2 diff --git a/testdata/testoutput2 b/testdata/testoutput2 index c9fafd7..b95f95a 100644 --- a/testdata/testoutput2 +++ b/testdata/testoutput2 @@ -15345,9 +15345,13 @@ Failed: error 125 at offset 2: lookbehind assertion is not fixed length /(?*?\g'0/use_length +Failed: error 157 at offset 6: \g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number + +/.>*?\g'0/ +Failed: error 157 at offset 6: \g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number # End of testinput2 Error -63: PCRE2_ERROR_BADDATA (unknown error number)
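Review bot: in the src/pcre2_compile.c hunk, the new guard `if (p >= ptrend || *p != terminator)` is the right fix for the one-code-unit over-read, but the compared value is the generic `terminator`, so the same path presumably serves the `\g<...>` and `\g{...}` forms that the ERR57 message names, while the tests added in this commit exercise only the `'` delimiter. Please add `use_length` cases for the other two delimiters as well (for example `/\g<0/use_length` and `/\g{0/use_length`) so that all three unterminated-number forms are pinned to the same "error 157" failure rather than assumed to be covered by this one check.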
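Review bot: in the testdata/testoutput2 hunk, the existing test `/(?*?\g'0/use_length` goes from producing no output at all to `Failed: error 157 at offset 6`, which is the real evidence that the old code read the terminator from beyond the length-bounded pattern and then went on compiling; the newly added `/.>*?\g'0/` case (zero-terminated, no `use_length`) fails for a different reason, the terminating zero not being a quote, and would have passed before the fix too. Worth saying so in the ChangeLog or a test comment, since only the `use_length` variant guards against regression; an ASan or valgrind run of test 2 before and after the change would be the cheapest confirmation that the over-read is gone.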
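Review bot: in the ChangeLog hunk, the parenthetical "(which previously had required non-zero terminated strings to be copied)" is hard to parse as written; consider rewording to something like "previously, a pattern that was not zero-terminated had to be copied into a zero-terminated buffer" so the reader sees why dropping the copy makes end-of-pattern checks such as item (h) necessary. Item (h) itself could also say that the over-read is only reachable when the pattern is passed with an explicit length, which is what the `use_length` test in this commit demonstrates.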