Ignore non-significant leading zeros when processing quantifiers in fuzz support

PhilipHazel · PhilipHazel · commit 4fa5b8bd2061 · 2024-07-12T14:46:42.000+01:00
diff --git a/ChangeLog b/ChangeLog
@@ -11,14 +11,19 @@ Version 10.45 xx-xxx-2024
 memory size was changed to the entire compiled data block, instead of just the
 pattern and tables data, so as to align with the new length restriction.
 Because the block's header contains pointers, this meant the pcre2test output
-was different in 32-bit mode. A patch by Carlo reverts to the preevious state
+was different in 32-bit mode. A patch by Carlo reverts to the previous state
 and makes sure that any limit set by pcre2_set_max_pattern_compiled_length()
 also avoids the internal struct overhead.
 
 2. Add --posix-pattern-file to pcre2grep to allow processing of empty patterns
-through the -f option, as well as patterns that end in space characters for
+through the -f option, as well as patterns that end in space characters, for
 compatibility with other grep tools.
 
+3. Fix a but in the fuzz support quantifier-limiting code. It ignores strings 
+of more than 5 digits because they are necessarily numbers greater than 65535,
+the largest legal quantifier. However, it wasn't ignoring non-significant
+leading zeros.
+
 
 Version 10.44 07-June-2024
 --------------------------
diff --git a/src/pcre2_fuzzsupport.c b/src/pcre2_fuzzsupport.c
@@ -328,24 +328,33 @@ if (size > 3)
       continue;
     i++;  /* Points to '{' */
 
-    /* Loop for two values a quantifier. Offset i points to brace or comma at the
-    start of the loop.*/
+    /* Loop for two values in a quantifier. Offset i points to brace or comma
+    at the start of the loop. */
 
     for (int ii = 0; ii < 2; ii++)
       {
       int q = 0;
 
       if (i >= size - 1) goto END_QSCAN;  /* Can happen for , */
 
-      /* Ignore leading spaces */
+      /* Ignore leading spaces. */
 
       while (wdata[i+1] == ' ' || wdata[i+1] == '\t')
         {
         i++;
         if (i >= size - 1) goto END_QSCAN;
         }
 
-      /* Scan for a number ending in brace or comma in the first iteration,
+      /* Ignore non-significant leading zeros. */
+
+      while (wdata[i+1] == '0' && i+2 < size && wdata[i+2] >= '0' &&
+             wdata[i+2] <= '9')
+        {
+        i++;
+        if (i >= size - 1) goto END_QSCAN;
+        }
+
+      /* Scan for a number ending in brace, or comma in the first iteration,
       optionally preceded by space. */
 
       for (j = i + 1; j < size && j < i + 7; j++)
@@ -358,6 +367,7 @@ if (size > 3)
           if (wdata[j] != '}' && wdata[j] != ',') goto OUTERLOOP;
           }
         if (wdata[j] == '}' || (ii == 0 && wdata[j] == ',')) break;
+
         if (wdata[j] < '0' || wdata[j] > '9')
           {
           j--;               /* Ensure this character is checked next. The */
@@ -368,8 +378,8 @@ if (size > 3)
 
       if (j >= size) goto END_QSCAN;  /* End of data */
 
-      /* Hit ',' or '}' or read 6 digits. Six digits is a number > 65536 which is
-      the maximum quantifier. Leave such numbers alone. */
+      /* Hit ',' or '}' or read 6 digits. Six digits is a number > 65536 which
+      is the maximum quantifier. Leave such numbers alone. */
 
       if (j >= i + 7 || q > 65535) goto OUTERLOOP;
 
