
Commit 80008f7

pcre2_match: avoid crash if subject NULL and PCRE2_ZERO_TERMINATED
While crashing is a reasonable thing to do under the circumstances, it can be avoided by simply moving the strlen call after the NULL check, as done in pcre2_(dfa_)?match, or by using a length of 0 instead of calling strlen(NULL) when a NULL string might be meaningful, as done in pcre2_substitute. While at it, fix a typo in a debug flag in one of the changed files, and make sure the full section of constraint checks can be identified clearly by its leading comment alone, by arbitrarily removing another comment.
1 parent eb42305 commit 80008f7

3 files changed

+19
-19
lines changed

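--- a/src/pcre2_dfa_match.c
+++ b/src/pcre2_dfa_match.c
@@ -3285,20 +3285,18 @@ rws->next = NULL;
 rws->size = RWS_BASE_SIZE;
 rws->free = RWS_BASE_SIZE - RWS_ANCHOR_SIZE;
 
-/* A length equal to PCRE2_ZERO_TERMINATED implies a zero-terminated
-subject string. */
+/* Plausibility checks */
+
+if ((options & ~PUBLIC_DFA_MATCH_OPTIONS) != 0) return PCRE2_ERROR_BADOPTION;
+if (re == NULL || subject == NULL || workspace == NULL || match_data == NULL)
+  return PCRE2_ERROR_NULL;
 
 if (length == PCRE2_ZERO_TERMINATED)
   {
   length = PRIV(strlen)(subject);
   was_zero_terminated = 1;
   }
 
-/* Plausibility checks */
-
-if ((options & ~PUBLIC_DFA_MATCH_OPTIONS) != 0) return PCRE2_ERROR_BADOPTION;
-if (re == NULL || subject == NULL || workspace == NULL || match_data == NULL)
-  return PCRE2_ERROR_NULL;
 if (wscount < 20) return PCRE2_ERROR_DFA_WSSIZE;
 if (start_offset > length) return PCRE2_ERROR_BADOFFSET;
 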
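--- a/src/pcre2_match.c
+++ b/src/pcre2_match.c
@@ -49,7 +49,7 @@ POSSIBILITY OF SUCH DAMAGE.
 /* #define DEBUG_SHOW_OPS */
 /* #define DEBUG_SHOW_RMATCH */
 
-#ifdef DEBUG_FRAME_DISPLAY
+#ifdef DEBUG_FRAMES_DISPLAY
 #include <stdarg.h>
 #endif
 
@@ -6129,8 +6129,8 @@ PCRE2_UCHAR req_cu2 = 0;
 PCRE2_SPTR bumpalong_limit;
 PCRE2_SPTR end_subject;
 PCRE2_SPTR true_end_subject;
-PCRE2_SPTR start_match = subject + start_offset;
-PCRE2_SPTR req_cu_ptr = start_match - 1;
+PCRE2_SPTR start_match;
+PCRE2_SPTR req_cu_ptr;
 PCRE2_SPTR start_partial;
 PCRE2_SPTR match_partial;
 
@@ -6170,21 +6170,21 @@ PCRE2_SPTR stack_frames_vector[START_FRAMES_SIZE/sizeof(PCRE2_SPTR)]
 PCRE2_KEEP_UNINITIALIZED;
 mb->stack_frames = (heapframe *)stack_frames_vector;
 
-/* A length equal to PCRE2_ZERO_TERMINATED implies a zero-terminated
-subject string. */
+/* Plausibility checks */
+
+if ((options & ~PUBLIC_MATCH_OPTIONS) != 0) return PCRE2_ERROR_BADOPTION;
+if (code == NULL || subject == NULL || match_data == NULL)
+  return PCRE2_ERROR_NULL;
 
+start_match = subject + start_offset;
+req_cu_ptr = start_match - 1;
 if (length == PCRE2_ZERO_TERMINATED)
   {
   length = PRIV(strlen)(subject);
   was_zero_terminated = 1;
   }
 true_end_subject = end_subject = subject + length;
 
-/* Plausibility checks */
-
-if ((options & ~PUBLIC_MATCH_OPTIONS) != 0) return PCRE2_ERROR_BADOPTION;
-if (code == NULL || subject == NULL || match_data == NULL)
-  return PCRE2_ERROR_NULL;
 if (start_offset > length) return PCRE2_ERROR_BADOFFSET;
 
 /* Check that the first field in the block is the magic number. */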
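Review bot: `start_match = subject + start_offset;` on new line 6179 is still evaluated before the `if (start_offset > length) return PCRE2_ERROR_BADOFFSET;` check on line 6188, so an out-of-range start_offset forms a pointer past the end of the subject before it is rejected; C11 leaves that arithmetic undefined even though the pointer is never dereferenced here. Moving the two assignments from 6179-6180 to directly after the BADOFFSET check keeps them behind every validation of their inputs: `if (start_offset > length) return PCRE2_ERROR_BADOFFSET;` followed by `start_match = subject + start_offset;` and `req_cu_ptr = start_match - 1;`. The `start_match - 1` on 6180 likewise points before the subject when start_offset is 0, which the commit inherits rather than introduces. The enclosing pcre2_match body starts and ends outside the hunk.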

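--- a/src/pcre2_substitute.c
+++ b/src/pcre2_substitute.c
@@ -314,8 +314,10 @@ scb.ovector = ovector;
 
 /* Find lengths of zero-terminated strings and the end of the replacement. */
 
-if (length == PCRE2_ZERO_TERMINATED) length = PRIV(strlen)(subject);
-if (rlength == PCRE2_ZERO_TERMINATED) rlength = PRIV(strlen)(replacement);
+if (length == PCRE2_ZERO_TERMINATED)
+  length = subject? PRIV(strlen)(subject) : 0;
+if (rlength == PCRE2_ZERO_TERMINATED)
+  rlength = replacement? PRIV(strlen)(replacement) : 0;
 repend = replacement + rlength;
 
 /* Check UTF replacement string if necessary. */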
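Review bot: With the fallbacks on new lines 318 and 320, a NULL replacement reaches `repend = replacement + rlength;` on line 321 as `NULL + 0`, which C11 does not define as pointer arithmetic even though it is benign on common targets, and a NULL subject is silently treated as an empty string here while the pcre2_match and pcre2_dfa_match hunks in this commit return PCRE2_ERROR_NULL for it. Whether a later check in pcre2_substitute rejects the NULL arguments is outside the hunk; if it does, a comment above line 317 such as `/* A NULL subject or replacement is treated as empty here; the NULL itself is rejected by the checks below. */` would make the deliberate tolerance legible, and if it does not, `if (subject == NULL || replacement == NULL) return PCRE2_ERROR_NULL;` before line 317 is the simpler fix. The enclosing function body starts and ends outside the hunk.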
