| field | value | |
|---|---|---|
| author | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2015-12-05 16:58:46 +0000 |
| committer | ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | 2015-12-05 16:58:46 +0000 |
| commit | 40363ebc19baeab160abaaa55dc84322a89ac35a (patch) | |
| tree | ab7b019b45ec6cd4c42c5d390b44f349bb309f64 | |
| parent | db1fb68feddc9afe6f8822d099fa9ff25e3ea8e7 (diff) | |
Fix (by hacking) another length computation issue.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1619 2f5784b3-3f2a-0410-8824-cb99058d5e15
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | ChangeLog | 7 |
| -rw-r--r-- | pcre_compile.c | 2 |
| -rw-r--r-- | testdata/testoutput11-16 | 2 |
| -rw-r--r-- | testdata/testoutput11-32 | 2 |
| -rw-r--r-- | testdata/testoutput11-8 | 2 |
5 files changed, 10 insertions, 5 deletions
@@ -35,6 +35,11 @@ Version 8.39 xx-xxxxxx-201x 8. An call of pcre_copy_named_substring() for a named substring whose number was greater than the space in the ovector could cause a crash. + +9. Yet another buffer overflow bug involved duplicate named groups with a + group that reset capture numbers (compare 8.38/7 below). Once again, I have + just allowed for more memory, even if not needed. (A proper fix is + implemented in PCRE2, but it involves a lot of refactoring.) Version 8.38 23-November-2015 @@ -42,7 +47,7 @@ Version 8.38 23-November-2015 1. If a group that contained a recursive back reference also contained a forward reference subroutine call followed by a non-forward-reference - subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to + subroutine call, for example /.((?2)(?R)\1)()/, pcre_compile() failed to compile correct code, leading to undefined behaviour or an internally detected error. This bug was discovered by the LLVM fuzzer. diff --git a/pcre_compile.c b/pcre_compile.c index 57719b9..087bf2a 100644 --- a/pcre_compile.c +++ b/pcre_compile.c @@ -7280,7 +7280,7 @@ for (;; ptr++) issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance only mode, we finesse the bug by allowing more memory always. */ - *lengthptr += 2 + 2*LINK_SIZE; + *lengthptr += 4 + 4*LINK_SIZE; /* It is even worse than that. The current reference may be to an existing named group with a different number (so apparently not diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 index 9a0a12d..280692e 100644 --- a/testdata/testoutput11-16 +++ b/testdata/testoutput11-16 @@ -231,7 +231,7 @@ Memory allocation (code space): 73 ------------------------------------------------------------------ /(?P<a>a)...(?P=a)bbb(?P>a)d/BM -Memory allocation (code space): 77 +Memory allocation (code space): 93 ------------------------------------------------------------------ 0 24 Bra 2 5 CBra 1 
diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 index 57e5da0..cdbda74 100644 --- a/testdata/testoutput11-32 +++ b/testdata/testoutput11-32 @@ -231,7 +231,7 @@ Memory allocation (code space): 155 ------------------------------------------------------------------ /(?P<a>a)...(?P=a)bbb(?P>a)d/BM -Memory allocation (code space): 157 +Memory allocation (code space): 189 ------------------------------------------------------------------ 0 24 Bra 2 5 CBra 1 diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8 index 748548a..cb37896 100644 --- a/testdata/testoutput11-8 +++ b/testdata/testoutput11-8 @@ -231,7 +231,7 @@ Memory allocation (code space): 45 ------------------------------------------------------------------ /(?P<a>a)...(?P=a)bbb(?P>a)d/BM -Memory allocation (code space): 50 +Memory allocation (code space): 62 ------------------------------------------------------------------ 0 30 Bra 3 7 CBra 1 |
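Review bot: The new ChangeLog item 9 describes the workaround ("just allowed for more memory, even if not needed") but not the triggering pattern shape precisely enough for someone to reproduce it; item 1 of 8.38 in the same hunk shows the better practice of quoting a minimal pattern (/.((?2)(?R)\1)()/), so please add one for item 9 as well. Separately, the unchanged context line for item 8 reads "An call of pcre_copy_named_substring()"; "A call" is correct and could be fixed in the same touch.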
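Review bot: The change from `*lengthptr += 2 + 2*LINK_SIZE;` to `*lengthptr += 4 + 4*LINK_SIZE;` in the pcre_compile.c hunk is a magic-number bump with no stated bound; the surrounding comment says the bug is finessed "by allowing more memory always" but gives no argument that doubling covers the worst case of a duplicate name combined with a capture-reset group (the case ChangeLog item 9 names), nor that the following "It is even worse than that" case is also inside the new allowance. Please extend the comment with that reasoning, and because this first-pass length feeds the allocation that the second compile pass writes into, consider an explicit check in the second pass that emitted code stays within the computed length, so any future under-estimate is reported as a compile error rather than becoming another overflow.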
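Review bot: The three testoutput11 hunks only re-baseline the code-space figure for the existing pattern /(?P<a>a)...(?P=a)bbb(?P>a)d/ (77 to 93, 157 to 189, 50 to 62); no test input exercising the duplicate-named-group plus capture-reset case from ChangeLog item 9 is added, so the overflow this commit is meant to prevent has no regression test. The deltas (16, 32 and 12 bytes for the 16-, 32- and 8-bit libraries) are each exactly twice the added 2 + 2*LINK_SIZE in the respective unit, consistent with the extra allowance being charged once per named reference in that pattern, which also shows the over-allocation applies to ordinary named references, not only the faulty case. Suggest adding the triggering pattern to testinput11 with its expected outputs for all three widths.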