X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=blobdiff_plain;f=pcrs.c;h=0b746a1df255297a69cd8d101d120332d20d6c52;hp=156ae9882d1a64b4c72036849ee4bcd8a4926158;hb=2563f75c78b46877ac0679fceb23ff4b714ad49a;hpb=f157fb3e5e3041012a88b37d07f0cb3817c75fda

diff --git a/pcrs.c b/pcrs.c
index 156ae988..0b746a1d 100644
--- a/pcrs.c
+++ b/pcrs.c
@@ -1,4 +1,3 @@
-const char pcrs_rcs[] = "$Id: pcrs.c,v 1.47 2015/01/24 16:40:59 fabiankeil Exp $";
 /*********************************************************************
  *
  * File        :  $Source: /cvsroot/ijbswa/current/pcrs.c,v $
@@ -55,8 +54,6 @@ const char pcrs_rcs[] = "$Id: pcrs.c,v 1.47 2015/01/24 16:40:59 fabiankeil Exp $
 
 #include "pcrs.h"
 
-const char pcrs_h_rcs[] = PCRS_H_VERSION;
-
 /*
  * Internal prototypes
  */
@@ -182,6 +179,38 @@ static int pcrs_parse_perl_options(const char *optstring, int *flags)
 }
 
 
+#ifdef FUZZ
+/*********************************************************************
+ *
+ * Function    :  pcrs_compile_fuzzed_replacement
+ *
+ * Description :  Wrapper around pcrs_compile_replacement() for
+ *                fuzzing purposes.
+ *
+ * Parameters  :
+ *          1  :  replacement = replacement part of s/// operator
+ *                              in perl syntax
+ *          2  :  errptr = pointer to an integer in which error
+ *                         conditions can be returned.
+ *
+ * Returns     :  pcrs_substitute data structure, or NULL if an
+ *                error is encountered. In that case, *errptr has
+ *                the reason.
+ *
+ *********************************************************************/
+extern pcrs_substitute *pcrs_compile_fuzzed_replacement(const char *replacement, int *errptr)
+{
+   int capturecount = PCRS_MAX_SUBMATCHES; /* XXX: fuzzworthy? */
+   int trivial_flag = 0; /* We don't want to fuzz strncpy() */
+
+   *errptr = 0; /* XXX: Should pcrs_compile_replacement() do this? */
+
+   return pcrs_compile_replacement(replacement, trivial_flag, capturecount, errptr);
+
+}
+#endif
+
+
 /*********************************************************************
  *
  * Function    :  pcrs_compile_replacement
@@ -209,10 +238,13 @@ static int pcrs_parse_perl_options(const char *optstring, int *flags)
 static pcrs_substitute *pcrs_compile_replacement(const char *replacement, int trivialflag, int capturecount, int *errptr)
 {
    int i, k, l, quoted;
-   size_t length;
    char *text;
    pcrs_substitute *r;
-
+#ifndef FUZZ
+   size_t length;
+#else
+   static size_t length;
+#endif
    i = k = l = quoted = 0;
 
    /*
@@ -375,8 +407,11 @@ static pcrs_substitute *pcrs_compile_replacement(const char *replacement, int tr
                goto plainchar;
             }
 
+            assert(r->backref[l] < PCRS_MAX_SUBMATCHES + 2);
             /* Valid and in range? -> record */
-            if (0 <= r->backref[l] && r->backref[l] < PCRS_MAX_SUBMATCHES + 2)
+            if ((0 <= r->backref[l]) &&
+               (r->backref[l] < PCRS_MAX_SUBMATCHES + 2) &&
+               (l < PCRS_MAX_SUBMATCHES - 1))
             {
                r->backref_count[r->backref[l]] += 1;
                r->block_offset[++l] = k;