| author | Giuseppe D'Angelo <giuseppe.dangelo@kdab.com> | 2015-04-12 10:56:13 +0200 |
|---|---|---|
| committer | Giuseppe D'Angelo <giuseppe.dangelo@kdab.com> | 2015-04-12 18:18:41 +0000 |
| commit | a36adfc73ee0085313712dfe1c8c37454dd9380e (patch) | |
| tree | d149dfffa0d701a3387e4d27902f0768d22a53b0 /src/3rdparty/pcre/pcre_jit_compile.c | |
| parent | 68c137cc725ceadec68c455e0e3e365ecb00f2c1 (diff) | |
| download | qtbase-a36adfc73ee0085313712dfe1c8c37454dd9380e.tar.gz | |
Upgrade PCRE to r1546
Thanks to LLVM's libFuzzer, a dozen assorted buffer overflows have
been discovered; see [1, 2].
[1] http://vcs.pcre.org/viewvc/code/trunk/ChangeLog?view=markup
[2] http://blog.llvm.org/2015/04/fuzz-all-clangs.html
Change-Id: Ib9fd8dfaee8dc50e1899ebac83a74ac1107a0bd2
Reviewed-by: Konstantin Ritt <ritt.ks@gmail.com>
Diffstat (limited to 'src/3rdparty/pcre/pcre_jit_compile.c')
| -rw-r--r-- | src/3rdparty/pcre/pcre_jit_compile.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/3rdparty/pcre/pcre_jit_compile.c b/src/3rdparty/pcre/pcre_jit_compile.c
index 795a5d2b47..0901c1bd53 100644
--- a/src/3rdparty/pcre/pcre_jit_compile.c
+++ b/src/3rdparty/pcre/pcre_jit_compile.c
@@ -2108,7 +2108,7 @@ sljit_uw *result;
 if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler)))
 return NULL;
-result = (sljit_uw *)SLJIT_MALLOC(size + sizeof(sljit_uw), common->allocator_data);
+result = (sljit_uw *)SLJIT_MALLOC(size + sizeof(sljit_uw), compiler->allocator_data);
 if (SLJIT_UNLIKELY(result == NULL))
 {
 sljit_set_compiler_memory_error(compiler);
@@ -6997,7 +6997,7 @@ cc += GET(cc, 1);
 has_alternatives = *cc == OP_ALT;
 if (SLJIT_UNLIKELY(opcode == OP_COND || opcode == OP_SCOND))
- has_alternatives = (*matchingpath == OP_RREF || *matchingpath == OP_DNRREF) ? FALSE : TRUE;
+ has_alternatives = (*matchingpath == OP_RREF || *matchingpath == OP_DNRREF || *matchingpath == OP_FAIL) ? FALSE : TRUE;
 if (SLJIT_UNLIKELY(opcode == OP_COND) && (*cc == OP_KETRMAX || *cc == OP_KETRMIN))
 opcode = OP_SCOND;
@@ -7255,12 +7255,14 @@ if (opcode == OP_COND || opcode == OP_SCOND)
 add_jump(compiler, &(BACKTRACK_AS(bracket_backtrack)->u.condfailed), JUMP(SLJIT_ZERO));
 matchingpath += 1 + 2 * IMM2_SIZE;
 }
- else if (*matchingpath == OP_RREF || *matchingpath == OP_DNRREF)
+ else if (*matchingpath == OP_RREF || *matchingpath == OP_DNRREF || *matchingpath == OP_FAIL)
 {
 /* Never has other case. */
 BACKTRACK_AS(bracket_backtrack)->u.condfailed = NULL;
 SLJIT_ASSERT(!has_alternatives);
+ if (*matchingpath == OP_FAIL) stacksize = 0;
 if (*matchingpath == OP_RREF)
 {
 stacksize = GET2(matchingpath, 1); |
