| From 943a5105b9fe2842851003f692c7077a6cdbeefe Mon Sep 17 00:00:00 2001 |
| From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> |
| Date: Wed, 10 Feb 2016 19:13:17 +0000 |
| Subject: [PATCH] Fix workspace overflow for (*ACCEPT) with deeply nested |
| parentheses. |
| |
| git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1631 2f5784b3-3f2a-0410-8824-cb99058d5e15 |
| --- |
| ChangeLog | 32 ++++++++++++++++++-------------- |
| pcre_compile.c | 23 +++++++++++++++++++---- |
| pcre_internal.h | 4 ++-- |
| pcreposix.c | 5 +++-- |
| testdata/testinput11 | 2 ++ |
| testdata/testoutput11-16 | 3 +++ |
| testdata/testoutput11-32 | 3 +++ |
| testdata/testoutput11-8 | 3 +++ |
| 8 files changed, 53 insertions(+), 22 deletions(-) |
| |
| 13. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply |
| nested set of parentheses of sufficient size caused an overflow of the |
| compiling workspace (which was diagnosed, but of course is not desirable). |
| |
| diff --git a/pcre_compile.c b/pcre_compile.c |
| index b9a239e..5019854 100644 |
| --- a/pcre_compile.c |
| +++ b/pcre_compile.c |
| @@ -6,7 +6,7 @@ |
| and semantics are as close as possible to those of the Perl 5 language. |
| |
| Written by Philip Hazel |
| - Copyright (c) 1997-2014 University of Cambridge |
| + Copyright (c) 1997-2016 University of Cambridge |
| |
| ----------------------------------------------------------------------------- |
| Redistribution and use in source and binary forms, with or without |
| @@ -560,6 +560,7 @@ static const char error_texts[] = |
| /* 85 */ |
| "parentheses are too deeply nested (stack check)\0" |
| "digits missing in \\x{} or \\o{}\0" |
| + "regular expression is too complicated\0" |
| ; |
| |
| /* Table to identify digits and hex digits. This is used when compiling |
| @@ -4591,7 +4592,8 @@ for (;; ptr++) |
| if (code > cd->start_workspace + cd->workspace_size - |
| WORK_SIZE_SAFETY_MARGIN) /* Check for overrun */ |
| { |
| - *errorcodeptr = ERR52; |
| + *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)? |
| + ERR52 : ERR87; |
| goto FAILED; |
| } |
| |
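Review bot: The ERR52 arm of the new conditional is selected only when `code` is already at or beyond `cd->start_workspace + cd->workspace_size`, i.e. after the write that overran the workspace has happened, whereas ERR87 is the case the `WORK_SIZE_SAFETY_MARGIN` check exists to catch early; nothing in the hunk says which outcome is expected in practice. A comment ahead of the assignment would make that explicit: `/* Inside the safety margin: the pattern is too complicated (ERR87). At or past the end: an item was larger than the margin, an internal error (ERR52). */`. Whether ERR52 still carries the internal-error wording is not visible here and should be confirmed against error_texts. The enclosing `for (;; ptr++)` loop and its function begin and end outside this hunk.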
| @@ -6626,8 +6628,21 @@ for (;; ptr++) |
| cd->had_accept = TRUE; |
| for (oc = cd->open_caps; oc != NULL; oc = oc->next) |
| { |
| - *code++ = OP_CLOSE; |
| - PUT2INC(code, 0, oc->number); |
| + if (lengthptr != NULL) |
| + { |
| +#ifdef COMPILE_PCRE8 |
| + *lengthptr += 1 + IMM2_SIZE; |
| +#elif defined COMPILE_PCRE16 |
| + *lengthptr += 2 + IMM2_SIZE; |
| +#elif defined COMPILE_PCRE32 |
| + *lengthptr += 4 + IMM2_SIZE; |
| +#endif |
| + } |
| + else |
| + { |
| + *code++ = OP_CLOSE; |
| + PUT2INC(code, 0, oc->number); |
| + } |
| } |
| setverb = *code++ = |
| (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT; |
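Review bot: The three `#ifdef` branches add different amounts per open capture, yet the item the else-branch emits is always one OP_CLOSE unit plus the PUT2INC operand, i.e. `1 + IMM2_SIZE` code units; if `*lengthptr` is counted in code units here, as the other length adjustments in compile_branch appear to be, the 16-bit and 32-bit branches over-estimate by 1 and 3 units per open group — harmless, since the final buffer only gets larger, but the reader cannot tell whether that is intended. Either collapse the block to `*lengthptr += 1 + IMM2_SIZE;` or keep the per-width values and say why in a comment. The pre-pass branch also deserves a one-line rationale, since it is the actual fix: `/* Pre-pass: only count the OP_CLOSE items; emitting them into the fixed workspace overflows it when many captures are open. */`. The `for (oc = ...)` loop's enclosing function starts and ends outside this hunk.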
| diff --git a/pcre_internal.h b/pcre_internal.h |
| index f7a5ee7..dbfe80e 100644 |
| --- a/pcre_internal.h |
| +++ b/pcre_internal.h |
| @@ -7,7 +7,7 @@ |
| and semantics are as close as possible to those of the Perl 5 language. |
| |
| Written by Philip Hazel |
| - Copyright (c) 1997-2014 University of Cambridge |
| + Copyright (c) 1997-2016 University of Cambridge |
| |
| ----------------------------------------------------------------------------- |
| Redistribution and use in source and binary forms, with or without |
| @@ -2289,7 +2289,7 @@ enum { ERR0, ERR1, ERR2, ERR3, ERR4, ERR5, ERR6, ERR7, ERR8, ERR9, |
| ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59, |
| ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69, |
| ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79, |
| - ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT }; |
| + ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT }; |
| |
| /* JIT compiling modes. The function list is indexed by them. */ |
| |
| diff --git a/pcreposix.c b/pcreposix.c |
| index dcc13ef..55b6ddc 100644 |
| --- a/pcreposix.c |
| +++ b/pcreposix.c |
| @@ -6,7 +6,7 @@ |
| and semantics are as close as possible to those of the Perl 5 language. |
| |
| Written by Philip Hazel |
| - Copyright (c) 1997-2014 University of Cambridge |
| + Copyright (c) 1997-2016 University of Cambridge |
| |
| ----------------------------------------------------------------------------- |
| Redistribution and use in source and binary forms, with or without |
| @@ -173,7 +173,8 @@ static const int eint[] = { |
| REG_BADPAT, /* group name must start with a non-digit */ |
| /* 85 */ |
| REG_BADPAT, /* parentheses too deeply nested (stack check) */ |
| - REG_BADPAT /* missing digits in \x{} or \o{} */ |
| + REG_BADPAT, /* missing digits in \x{} or \o{} */ |
| + REG_BADPAT /* pattern too complicated */ |
| }; |
| |
| /* Table of texts corresponding to POSIX error codes */ |
| diff --git a/testdata/testinput11 b/testdata/testinput11 |
| index ac9d228..6f0989a 100644 |
| --- a/testdata/testinput11 |
| +++ b/testdata/testinput11 |
| @@ -138,4 +138,6 @@ is required for these tests. --/ |
| |
| /.((?2)(?R)\1)()/B |
| |
| +/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ |
| + |
| /-- End of testinput11 --/ |
| diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 |
| index 280692e..3c485da 100644 |
| --- a/testdata/testoutput11-16 |
| +++ b/testdata/testoutput11-16 |
| @@ -765,4 +765,7 @@ Memory allocation (code space): 14 |
| 25 End |
| ------------------------------------------------------------------ |
| |
| +/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ |
| +Failed: regular expression is too complicated at offset 490 |
| + |
| /-- End of testinput11 --/ |
| diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 |
| index cdbda74..e19518d 100644 |
| --- a/testdata/testoutput11-32 |
| +++ b/testdata/testoutput11-32 |
| @@ -765,4 +765,7 @@ Memory allocation (code space): 28 |
| 25 End |
| ------------------------------------------------------------------ |
| |
| +/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ |
| +Failed: missing ) at offset 509 |
| + |
| /-- End of testinput11 --/ |
| diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8 |
| index cb37896..5a4fbb2 100644 |
| --- a/testdata/testoutput11-8 |
| +++ b/testdata/testoutput11-8 |
| @@ -765,4 +765,7 @@ Memory allocation (code space): 10 |
| 38 End |
| ------------------------------------------------------------------ |
| |
| +/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/ |
| +Failed: missing ) at offset 509 |
| + |
| /-- End of testinput11 --/ |
| -- |
| 2.7.4 |
| |