From aae67c0e3a4d8f1d62700ec4788929b1e2267149 Mon Sep 17 00:00:00 2001 From: ph10 Date: Sat, 16 May 2015 11:05:40 +0000 Subject: [PATCH 2/3] Fix named forward reference to duplicate group number overflow bug. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Port to 8.32: commit 2fa78aa4e42bcebf2d616c4ee89c012f29dc3447 Author: ph10 Date: Sat May 16 11:05:40 2015 +0000 Fix named forward reference to duplicate group number overflow bug. git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1559 2f5784b3-3f2a-0410-8824-cb99058d5e15 Signed-off-by: Petr Písař --- pcre_compile.c | 8 ++++++++ testdata/testinput1 | 3 +++ testdata/testoutput1 | 5 +++++ 3 files changed, 16 insertions(+) diff --git a/pcre_compile.c b/pcre_compile.c index 4506e56..6777542 100644 --- a/pcre_compile.c +++ b/pcre_compile.c @@ -6300,6 +6300,14 @@ for (;; ptr++) 16-bit data item. */ *lengthptr += IMM2_SIZE; + + /* If this is a forward reference and we are within a (?|...) group, + the reference may end up as the number of a group which we are + currently inside, that is, it could be a recursive reference. In the + real compile this will be picked up and the reference wrapped with + OP_ONCE to make it atomic, so we must space in case this occurs. */ + + if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE; } /* In the real compile, seek the name in the table. We check the name diff --git a/testdata/testinput1 b/testdata/testinput1 index c45e1ba..9f513f6 100644 --- a/testdata/testinput1 +++ b/testdata/testinput1 @@ -5327,4 +5327,7 @@ name were given. ---/ /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi)abc)|((*ACCEPT)))/ 1234abcd +"(?|(\k'Pm')|(?'Pm'))" + abcd + /-- End of testinput1 --/ diff --git a/testdata/testoutput1 b/testdata/testoutput1 index f0eae49..0fbff41 100644 --- a/testdata/testoutput1 +++ b/testdata/testoutput1 @@ -8834,4 +8834,9 @@ No match 4: 5: +"(?|(\k'Pm')|(?'Pm'))" + abcd + 0: + 1: + /-- End of testinput1 --/ -- 2.5.5
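Review bot: The added reservation `if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;` in pcre_compile.c uses a size that is not explained, and its comment ends with "so we must space in case this occurs", which is missing a verb. This length pass appears to decide how much memory the real compile later writes into, so an undercount here becomes a write past the end of the compiled pattern and the arithmetic should be spelled out. I would reword the tail of the comment to `so we must reserve space for the wrapper (presumably OP_ONCE + LINK_SIZE and OP_KET + LINK_SIZE) in case this occurs. */`. The comment also limits the case to a forward reference inside a (?|...) group while the test is only `recno == 0`; if reserving for every unresolved name is deliberate over-allocation, the comment should say so. The enclosing `for (;; ptr++)` block starts and ends outside the hunk, so where recno is assigned cannot be checked from here.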