diff options
author | Serhiy Storchaka <storchaka@gmail.com> | 2015-07-06 10:58:33 (GMT) |
---|---|---|
committer | Serhiy Storchaka <storchaka@gmail.com> | 2015-07-06 10:58:33 (GMT) |
commit | 03d6ee382340dc1db57d7bbc269de0e102ed1a7a (patch) | |
tree | ea512d959a8e61b90e1a1a13ed49f37928bd703f /Modules/sre_lib.h | |
parent | 0357268d96d4ff3546cfd89f594a5630a3adf747 (diff) | |
download | cpython-03d6ee382340dc1db57d7bbc269de0e102ed1a7a.zip cpython-03d6ee382340dc1db57d7bbc269de0e102ed1a7a.tar.gz cpython-03d6ee382340dc1db57d7bbc269de0e102ed1a7a.tar.bz2 |
Issue #18684: Fixed reading out of the buffer in the re module.
Diffstat (limited to 'Modules/sre_lib.h')
-rw-r--r-- | Modules/sre_lib.h | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/Modules/sre_lib.h b/Modules/sre_lib.h index 5c6c5a5..1049de4 100644 --- a/Modules/sre_lib.h +++ b/Modules/sre_lib.h @@ -30,7 +30,7 @@ SRE(at)(SRE_STATE* state, SRE_CHAR* ptr, SRE_CODE at) SRE_IS_LINEBREAK((int) ptr[-1])); case SRE_AT_END: - return (((void*) (ptr+1) == state->end && + return (((SRE_CHAR *)state->end - ptr == 1 && SRE_IS_LINEBREAK((int) ptr[0])) || ((void*) ptr == state->end)); @@ -1093,9 +1093,9 @@ entrance: /* <ASSERT> <skip> <back> <pattern> */ TRACE(("|%p|%p|ASSERT %d\n", ctx->pattern, ctx->ptr, ctx->pattern[1])); - state->ptr = ctx->ptr - ctx->pattern[1]; - if (state->ptr < state->beginning) + if (ctx->ptr - (SRE_CHAR *)state->beginning < (Py_ssize_t)ctx->pattern[1]) RETURN_FAILURE; + state->ptr = ctx->ptr - ctx->pattern[1]; DO_JUMP0(JUMP_ASSERT, jump_assert, ctx->pattern+2); RETURN_ON_FAILURE(ret); ctx->pattern += ctx->pattern[0]; @@ -1106,8 +1106,8 @@ entrance: /* <ASSERT_NOT> <skip> <back> <pattern> */ TRACE(("|%p|%p|ASSERT_NOT %d\n", ctx->pattern, ctx->ptr, ctx->pattern[1])); - state->ptr = ctx->ptr - ctx->pattern[1]; - if (state->ptr >= state->beginning) { + if (ctx->ptr - (SRE_CHAR *)state->beginning >= (Py_ssize_t)ctx->pattern[1]) { + state->ptr = ctx->ptr - ctx->pattern[1]; DO_JUMP0(JUMP_ASSERT_NOT, jump_assert_not, ctx->pattern+2); if (ret) { RETURN_ON_ERROR(ret); @@ -1199,12 +1199,20 @@ SRE(search)(SRE_STATE* state, SRE_CODE* pattern) SRE_CODE* overlap = NULL; int flags = 0; + if (ptr > end) + return 0; + if (pattern[0] == SRE_OP_INFO) { /* optimization info block */ /* <INFO> <1=skip> <2=flags> <3=min> <4=max> <5=prefix info> */ flags = pattern[2]; + if (pattern[3] && end - ptr < (Py_ssize_t)pattern[3]) { + TRACE(("reject (got %u chars, need %u)\n", + (unsigned int)(end - ptr), pattern[3])); + return 0; + } if (pattern[3] > 1) { /* adjust end point (but make sure we leave at least one character in there, so literal search will work) */ @@ -1322,15 +1330,18 @@ SRE(search)(SRE_STATE* state, SRE_CODE* pattern) break; ptr++; } - } else + } else { /* general case */ - while (ptr <= end) { + assert(ptr <= end); + while (1) { TRACE(("|%p|%p|SEARCH\n", pattern, ptr)); - state->start = state->ptr = ptr++; + state->start = state->ptr = ptr; status = SRE(match)(state, pattern, 0); - if (status != 0) + if (status != 0 || ptr >= end) break; + ptr++; } + } return status; } |