Fix overrun for unterminated number after \g'

Philip.Hazel 2016-11-04 11:05:21 +00:00
parent 10f4e45e68
commit e533e0f774
4 changed files with 17 additions and 6 deletions

@ -48,7 +48,10 @@ parenthesis item, not the length of the whole group. A length of zero is now
given only for a callout at the end of the pattern. Automatic callouts are no
longer inserted before and after explicit callouts in the pattern.
Some bugs in the refactored code were subsequently fixed before release:
Some bugs in the refactored code were subsequently fixed before release.
Several of them were related to the change from assuming a zero-terminated
pattern (which previously had required non-zero terminated strings to be
copied).
(a) An overall recursion such as (?0) inside a lookbehind assertion was not
being diagnosed as an error.
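Review bot: The added sentence "Several of them were related to the change from assuming a zero-terminated pattern" says what the code changed from but not what it changed to, and the parenthesis that follows is hard to parse. Suggest stating the new behaviour directly, for example that patterns are now processed by length and need not be zero-terminated, and then saying that several of the listed bugs were reads past that length.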
@ -75,6 +78,8 @@ Some bugs in the refactored code were subsequently fixed before release:
(g) When reading a callout string, if the end delimiter was at the end of the
pattern one further code unit was read.
(h) An unterminated number after \g' could cause reading beyond the pattern.
4. Back references are now permitted in lookbehind assertions when there are
no duplicated group numbers (that is, (?| has not been used), and, if the
reference is by name, there is only one group of that name. The referenced
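Review bot: Entry (h) names only \g', but the check it documents in the compile code compares against a variable called `terminator`, which suggests the same path serves more than one delimiter. If that is the case, the entry should list every form of \g that was affected so readers can tell whether their patterns were exposed.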

@ -2577,7 +2577,7 @@ while (ptr < ptrend)
if (read_number(&p, ptrend, cb->bracount, MAX_GROUP_NUMBER, ERR61, &i,
&errorcode))
{
if (*p != terminator)
if (p >= ptrend || *p != terminator)
{
errorcode = ERR57;
goto FAILED;
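Review bot: The new `p >= ptrend` guard covers this one dereference after read_number(), but read_number() is handed ptrend and can evidently return with p equal to it, so any other caller that tests `*p` afterwards has the same exposure. Worth checking the remaining call sites in the same pass, or documenting on read_number() that the returned pointer may sit at ptrend and must be bounds-checked before it is dereferenced. The operand order is right as written: the bounds test has to stay to the left of `*p != terminator` so the short-circuit prevents the read.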

testdata/testinput2

@ -4900,8 +4900,10 @@ a)"xI
/(?<!|!|!||||||(?<!)||(?<!)!|!||(?<!)!|!(?<!)!|!|!|!||||!!|<!)!|!||||!|/
# /hex uses length, not zero-terminate
/{2,2{2,2/use_length
/'{2,2{2,2'/hex
/.>*?\g'0/use_length
/.>*?\g'0/
# End of testinput2
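Review bot: The two new patterns sit under the existing comment "# /hex uses length, not zero-terminate", which does not describe them. Add a comment line stating that `/.>*?\g'0/use_length` ends the length-delimited pattern immediately after the number with no closing quote, and that the plain `/.>*?\g'0/` form is the zero-terminated counterpart, so the purpose of the pair is clear to whoever edits this file next.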

@ -15345,9 +15345,13 @@ Failed: error 125 at offset 2: lookbehind assertion is not fixed length
/(?<!|!|!||||||(?<!)||(?<!)!|!||(?<!)!|!(?<!)!|!|!|!||||!!|<!)!|!||||!|/
# /hex uses length, not zero-terminate
/{2,2{2,2/use_length
/'{2,2{2,2'/hex
/.>*?\g'0/use_length
Failed: error 157 at offset 6: \g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number
/.>*?\g'0/
Failed: error 157 at offset 6: \g is not followed by a braced, angle-bracketed, or quoted name/number or by a plain number
# End of testinput2
Error -63: PCRE2_ERROR_BADDATA (unknown error number)
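Review bot: Both new cases expect the identical message, error 157 at offset 6, so a plain output comparison is unlikely to distinguish the fixed code from the unfixed code: a read of one code unit past the end would normally still fail the terminator test and produce the same error. The regression is only reliably caught when this file is run under a memory checker such as valgrind or AddressSanitizer; note that next to the test, or make sure the checked run is part of the release procedure.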