Apply limit of 65535 to the number of capturing pairs in a match data block (GitHub #176)

PhilipHazel · PhilipHazel · commit fb23bb17dd4b · 2022-12-12T15:39:07.000Z
diff --git a/ChangeLog b/ChangeLog
@@ -18,6 +18,10 @@ the allowed maximum, the error message displayed the hard limit incorrectly.
 This was pointed out on GitHub pull request #171, but the suggested patch 
 didn't cope with all cases. Some further modification was required.
 
+4. Supplying an ovector count of more than 65535 to pcre2_match_data_create() 
+caused a crash because the field in the match data block is only 16 bits. A 
+maximum of 65535 is now silently applied.
+
 
 Version 10.41 06-December-2022
 ------------------------------
diff --git a/doc/pcre2api.3 b/doc/pcre2api.3
@@ -2519,7 +2519,9 @@ large enough to hold as many as are expected.
 A minimum of at least 1 pair is imposed by \fBpcre2_match_data_create()\fP, so
 it is always possible to return the overall matched string in the case of
 \fBpcre2_match()\fP or the longest match in the case of
-\fBpcre2_dfa_match()\fP.
+\fBpcre2_dfa_match()\fP. The maximum number of pairs is 65535; if the the first
+argument of \fBpcre2_match_data_create()\fP is greater than this, 65535 is
+used.
 .P
 The second argument of \fBpcre2_match_data_create()\fP is a pointer to a
 general context, which can specify custom memory management for obtaining the
diff --git a/src/pcre2_match_data.c b/src/pcre2_match_data.c
@@ -51,13 +51,15 @@ POSSIBILITY OF SUCH DAMAGE.
 *  Create a match data block given ovector size  *
 *************************************************/
 
-/* A minimum of 1 is imposed on the number of ovector pairs. */
+/* A minimum of 1 is imposed on the number of ovector pairs. A maximum is also 
+imposed because the oveccount field in a match data block is uintt6_t. */
 
 PCRE2_EXP_DEFN pcre2_match_data * PCRE2_CALL_CONVENTION
 pcre2_match_data_create(uint32_t oveccount, pcre2_general_context *gcontext)
 {
 pcre2_match_data *yield;
 if (oveccount < 1) oveccount = 1;
+if (oveccount > UINT16_MAX) oveccount = UINT16_MAX;
 yield = PRIV(memctl_malloc)(
   offsetof(pcre2_match_data, ovector) + 2*oveccount*sizeof(PCRE2_SIZE),
   (pcre2_memctl *)gcontext);
diff --git a/testdata/testinput2 b/testdata/testinput2
@@ -5934,5 +5934,10 @@ a)"xI
 
 --
     \[X]{-10}
+    
+# Check imposition of maximum by match_data_create().
+
+/abcd/
+    abcd\=ovector=65536
 
 # End of testinput2
diff --git a/testdata/testoutput2 b/testdata/testoutput2
@@ -17749,6 +17749,12 @@ Subject length lower bound = 2
 --
     \[X]{-10}
 ** Zero or negative repeat not allowed
+    
+# Check imposition of maximum by match_data_create().
+
+/abcd/
+    abcd\=ovector=65536
+ 0: abcd
 
 # End of testinput2
 Error -70: PCRE2_ERROR_BADDATA (unknown error number)
