authorph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>2015-11-26 20:29:13 +0000
committerph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>2015-11-26 20:29:13 +0000
commit3c80e02cd464ea049e117b423fd48fab294c51a9 (patch)
tree9f195302c4fe1c215dadb275b9d0541a7061602c
parentbb522f07121a0c5796fc73fb5824f8ba1b6aa5c8 (diff)
Fix auto-callout (?# comment bug.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1611 2f5784b3-3f2a-0410-8824-cb99058d5e15
-rw-r--r--ChangeLog8
-rw-r--r--configure.ac4
-rw-r--r--pcre_compile.c32
-rw-r--r--testdata/testinput28
-rw-r--r--testdata/testinput74
-rw-r--r--testdata/testoutput236
-rw-r--r--testdata/testoutput720
7 files changed, 95 insertions, 17 deletions
diff --git a/ChangeLog b/ChangeLog
index 5e5bf18..b6dfa5b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -4,6 +4,14 @@ ChangeLog for PCRE
Note that the PCRE 8.xx series (PCRE1) is now in a bugfix-only state. All
development is happening in the PCRE2 10.xx series.
+Version 8.39 xx-xxxxxx-201x
+---------------------------
+
+1. If PCRE_AUTO_CALLOUT was set on a pattern that had a (?# comment between
+ an item and its qualifier (for example, A(?#comment)?B) pcre_compile()
+ misbehaved. This bug was found by the LLVM fuzzer.
+
+
Version 8.38 23-November-2015
-----------------------------
diff --git a/configure.ac b/configure.ac
index 9ebe598..7ca81fd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -9,8 +9,8 @@ dnl The PCRE_PRERELEASE feature is for identifying release candidates. It might
dnl be defined as -RC2, for example. For real releases, it should be empty.
m4_define(pcre_major, [8])
-m4_define(pcre_minor, [38])
-m4_define(pcre_prerelease, [])
+m4_define(pcre_minor, [39])
+m4_define(pcre_prerelease, [-RC1])
m4_define(pcre_date, [2015-11-23])
# NOTE: The CMakeLists.txt file searches for the above variables in the first
diff --git a/pcre_compile.c b/pcre_compile.c
index 4d3b313..3360a8b 100644
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -4699,6 +4699,23 @@ for (;; ptr++)
}
}
+ /* Skip over (?# comments. We need to do this here because we want to know if
+ the next thing is a quantifier, and these comments may come between an item
+ and its quantifier. */
+
+ if (c == CHAR_LEFT_PARENTHESIS && ptr[1] == CHAR_QUESTION_MARK &&
+ ptr[2] == CHAR_NUMBER_SIGN)
+ {
+ ptr += 3;
+ while (*ptr != CHAR_NULL && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
+ if (*ptr == CHAR_NULL)
+ {
+ *errorcodeptr = ERR18;
+ goto FAILED;
+ }
+ continue;
+ }
+
/* See if the next thing is a quantifier. */
is_quantifier =
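Review bot: The lookahead `ptr[1]`/`ptr[2]` in the added `if` and the bare `continue` both rest on invariants that the new comment does not state. The reads stay in bounds only if the pattern is NUL-terminated (as the `CHAR_NULL` test in the `while` implies) and because `&&` short-circuits, so a `(` at the very end leaves `ptr[1]` on the terminator and `ptr[2]` is never read. The `continue` leaves `ptr` on the `)` and relies on the `for (;; ptr++)` increment to step past it. I would extend the comment with `/* The pattern is NUL-terminated, so ptr[2] is read only when ptr[1] is '?'; on continue the loop's ptr++ steps past the closing parenthesis. */`. The check now runs on every pass of the loop rather than only under `case CHAR_LEFT_PARENTHESIS`, so it is worth confirming that the code above the hunk (not visible here) still diverts literal `\Q...\E` text before this point; the loop body starts and ends outside the hunk.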
@@ -6529,21 +6546,6 @@ for (;; ptr++)
case CHAR_LEFT_PARENTHESIS:
ptr++;
- /* First deal with comments. Putting this code right at the start ensures
- that comments have no bad side effects. */
-
- if (ptr[0] == CHAR_QUESTION_MARK && ptr[1] == CHAR_NUMBER_SIGN)
- {
- ptr += 2;
- while (*ptr != CHAR_NULL && *ptr != CHAR_RIGHT_PARENTHESIS) ptr++;
- if (*ptr == CHAR_NULL)
- {
- *errorcodeptr = ERR18;
- goto FAILED;
- }
- continue;
- }
-
/* Now deal with various "verbs" that can be introduced by '*'. */
if (ptr[0] == CHAR_ASTERISK && (ptr[1] == ':'
diff --git a/testdata/testinput2 b/testdata/testinput2
index e2e520f..92e3359 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4217,4 +4217,12 @@ backtracking verbs. --/
/a[[:punct:]b]/BZ
+/L(?#(|++<!(2)?/BZ
+
+/L(?#(|++<!(2)?/BOZ
+
+/L(?#(|++<!(2)?/BCZ
+
+/L(?#(|++<!(2)?/BCOZ
+
/-- End of testinput2 --/
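Review bot: All four added cases use the same pattern, in which the `(?#` comment is terminated. The relocated `ERR18` branch in pcre_compile.c (end of pattern reached before `)`) is therefore not exercised by these additions. A case with an unterminated comment after an item, for example `/A(?#unterminated/C` (constructed sample), with its expected failure line in testoutput2, would pin that the error is still reported from the new location when auto-callout is on. Whether an existing case elsewhere in testinput2 already covers this is not visible from the hunk.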
diff --git a/testdata/testinput7 b/testdata/testinput7
index e411a4b..00b9738 100644
--- a/testdata/testinput7
+++ b/testdata/testinput7
@@ -853,4 +853,8 @@ of case for anything other than the ASCII letters. --/
/a[b[:punct:]]/8WBZ
+/L(?#(|++<!(2)?/B8COZ
+
+/L(?#(|++<!(2)?/B8WCZ
+
/-- End of testinput7 --/
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index 85c565d..2cf7a90 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14574,4 +14574,40 @@ No match
End
------------------------------------------------------------------
+/L(?#(|++<!(2)?/BZ
+------------------------------------------------------------------
+ Bra
+ L?+
+ Ket
+ End
+------------------------------------------------------------------
+
+/L(?#(|++<!(2)?/BOZ
+------------------------------------------------------------------
+ Bra
+ L?
+ Ket
+ End
+------------------------------------------------------------------
+
+/L(?#(|++<!(2)?/BCZ
+------------------------------------------------------------------
+ Bra
+ Callout 255 0 14
+ L?+
+ Callout 255 14 0
+ Ket
+ End
+------------------------------------------------------------------
+
+/L(?#(|++<!(2)?/BCOZ
+------------------------------------------------------------------
+ Bra
+ Callout 255 0 14
+ L?
+ Callout 255 14 0
+ Ket
+ End
+------------------------------------------------------------------
+
/-- End of testinput2 --/
diff --git a/testdata/testoutput7 b/testdata/testoutput7
index cc9ebdd..fdfff64 100644
--- a/testdata/testoutput7
+++ b/testdata/testoutput7
@@ -2348,4 +2348,24 @@ No match
End
------------------------------------------------------------------
+/L(?#(|++<!(2)?/B8COZ
+------------------------------------------------------------------
+ Bra
+ Callout 255 0 14
+ L?
+ Callout 255 14 0
+ Ket
+ End
+------------------------------------------------------------------
+
+/L(?#(|++<!(2)?/B8WCZ
+------------------------------------------------------------------
+ Bra
+ Callout 255 0 14
+ L?+
+ Callout 255 14 0
+ Ket
+ End
+------------------------------------------------------------------
+
/-- End of testinput7 --/