fixup! fixup! pcre2_jit_compile: avoid potential wraparound if frames…

…ize <= 0 needs more testing, changes logic in at least one case
carenas · Oct 20, 2024 · e52b23c · e52b23c
1 parent 861d421
commit e52b23c
Showing 1 changed file with 23 additions and 9 deletions.
diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
@@ -11800,13 +11800,19 @@ if (bra == OP_BRAMINZERO)
     /* We need to release the end pointer to perform the
     backtrack for the zero-length iteration. When
     framesize is < 0, OP_ONCE will do the release itself. */
-    if (opcode == OP_ONCE && BACKTRACK_AS(bracket_backtrack)->u.framesize > 0)
+    if (opcode == OP_ONCE)
       {
-      OP1(SLJIT_MOV, STACK_TOP, 0, SLJIT_MEM1(SLJIT_SP), private_data_ptr);
-      add_jump(compiler, &common->revertframes, JUMP(SLJIT_FAST_CALL));
-      OP2(SLJIT_ADD, STACK_TOP, 0, STACK_TOP, 0, SLJIT_IMM, (BACKTRACK_AS(bracket_backtrack)->u.framesize - 1) * sizeof(sljit_sw));
+      int framesize = BACKTRACK_AS(bracket_backtrack)->u.framesize;
+
+      SLJIT_ASSERT(framesize != 0);
+      if (framesize > 0)
+        {
+        OP1(SLJIT_MOV, STACK_TOP, 0, SLJIT_MEM1(SLJIT_SP), private_data_ptr);
+        add_jump(compiler, &common->revertframes, JUMP(SLJIT_FAST_CALL));
+        OP2(SLJIT_ADD, STACK_TOP, 0, STACK_TOP, 0, SLJIT_IMM, (framesize - 1) * sizeof(sljit_sw));
+        }
       }
-    else if (ket == OP_KETRMIN && opcode != OP_ONCE)
+    else if (ket == OP_KETRMIN)
       free_stack(common, 1);
     }
   /* Continue to the normal backtrack. */
@@ -13652,11 +13658,14 @@ else if (SLJIT_UNLIKELY(opcode == OP_ASSERT_SCS))
 
 if (SLJIT_UNLIKELY(opcode == OP_ONCE))
   {
-  if (CURRENT_AS(bracket_backtrack)->u.framesize > 0)
+  int framesize = CURRENT_AS(bracket_backtrack)->u.framesize;
+
+  SLJIT_ASSERT(framesize != 0);
+  if (framesize > 0)
     {
     OP1(SLJIT_MOV, STACK_TOP, 0, SLJIT_MEM1(SLJIT_SP), private_data_ptr);
     add_jump(compiler, &common->revertframes, JUMP(SLJIT_FAST_CALL));
-    OP2(SLJIT_ADD, STACK_TOP, 0, STACK_TOP, 0, SLJIT_IMM, (CURRENT_AS(bracket_backtrack)->u.framesize - 1) * sizeof(sljit_sw));
+    OP2(SLJIT_ADD, STACK_TOP, 0, STACK_TOP, 0, SLJIT_IMM, (framesize - 1) * sizeof(sljit_sw));
     }
   once = JUMP(SLJIT_JUMP);
   }
@@ -14195,6 +14204,7 @@ static SLJIT_INLINE void compile_then_trap_backtrackingpath(compiler_common *com
 {
 DEFINE_COMPILER;
 struct sljit_jump *jump;
+int framesize;
 int size;
 
 if (CURRENT_AS(then_trap_backtrack)->then_trap)
@@ -14211,11 +14221,15 @@ free_stack(common, size);
 jump = JUMP(SLJIT_JUMP);
 
 set_jumps(CURRENT_AS(then_trap_backtrack)->quit, LABEL());
+
+framesize = CURRENT_AS(then_trap_backtrack)->framesize;
+SLJIT_ASSERT(framesize != 0);
+
 /* STACK_TOP is set by THEN. */
-if (CURRENT_AS(then_trap_backtrack)->framesize > 0)
+if (framesize > 0)
   {
   add_jump(compiler, &common->revertframes, JUMP(SLJIT_FAST_CALL));
-  OP2(SLJIT_ADD, STACK_TOP, 0, STACK_TOP, 0, SLJIT_IMM, (CURRENT_AS(then_trap_backtrack)->framesize - 1) * sizeof(sljit_sw));
+  OP2(SLJIT_ADD, STACK_TOP, 0, STACK_TOP, 0, SLJIT_IMM, (framesize - 1) * sizeof(sljit_sw));
   }
 OP1(SLJIT_MOV, TMP1, 0, SLJIT_MEM1(STACK_TOP), STACK(0));
 free_stack(common, 3);