pcre2test: refactor replication implementations

Allow for a nicer fallback in case of syntax errors in the
pattern implementation while avoiding negative values
masquerading as positive ones. While at it, make sure that in non
LP64 environments UINT32_MAX is still considered valid.

Update the data implementation to behave similarly and cleanup
fixes that had accumlated unorganically.

Author: carenas

doc/pcre2test.1

@@ -563,7 +563,9 @@ part of the file. For example:
   \e[abc]{4}
 .sp
 is converted to "abcabcabcabc". This feature does not support nesting. To
-include a closing square bracket in the characters, code it as \ex5D.
+include a closing square bracket in the characters, code it with \ex followed
+by two hexadecimal digits that represent that letter in the character set used
+(e.g. \ex5D for ASCII or UTF-8).
 .P
 A backslash followed by an equals sign marks the end of the subject string and
 the start of a modifier list. For example:
@@ -1286,7 +1288,7 @@ the subject string. For more detail of REG_STARTEND, see the
 \fBpcre2posix\fP
 .\"
 documentation. If the subject string contains binary zeros (coded as escapes
-such as \ex{00} because \fBpcre2test\fP does not support actual binary zeros in
+such as \ex00 because \fBpcre2test\fP does not support actual binary zeros in
 its input), you must use \fBposix_startend\fP to specify its length.
 .
 .

src/pcre2test.c

@@ -343,12 +343,24 @@ ints. They are defined not to be shorter. */
 #define U32OVERFLOW(x) (x == UINT32_MAX)
 #endif
 
+#if ULONG_MAX > UINT32_MAX
+#define U32OVERFLOWE(x) U32OVERFLOW(x)
+#else
+#define U32OVERFLOWE(x) (errno != 0 && x == UINT32_MAX)
+#endif
+
 #if LONG_MAX > INT32_MAX
-#define S32OVERFLOW(x) (x > INT32_MAX || x < INT32_MIN)
+#define S32OVERFLOW(x) (x > INT32_MAX || INT32_MIN > x)
 #else
 #define S32OVERFLOW(x) (x == INT32_MAX || x == INT32_MIN)
 #endif
 
+#if LONG_MAX > INT32_MAX
+#define S32OVERFLOWE(x) S32OVERFLOW(x)
+#else
+#define S32OVERFLOWE(x) (errno != 0 && (x == INT32_MAX || x == INT32_MIN))
+#endif
+
 /* When PCRE2_CODE_UNIT_WIDTH is zero, pcre2_internal.h does not include
 pcre2_intmodedep.h, which is where mode-dependent macros and structures are
 defined. We can now include it for each supported code unit width. Because
@@ -6007,7 +6019,6 @@ static int
 process_pattern(void)
 {
 BOOL utf;
-uint32_t k;
 uint8_t *p = buffer;
 unsigned int delimiter = *p++;
 int errorcode;
@@ -6100,7 +6111,7 @@ if (pat_patctl.convert_type != CONVERT_UNSET &&
 /* Check for mutually exclusive control modifiers. At present, these are all in
 the first control word. */
 
-for (k = 0; k < sizeof(exclusive_pat_controls)/sizeof(uint32_t); k++)
+for (uint32_t k = 0; k < sizeof(exclusive_pat_controls)/sizeof(uint32_t); k++)
   {
   uint32_t c = pat_patctl.control & exclusive_pat_controls[k];
   if (c != 0 && c != (c & (~c+1)))
@@ -6198,54 +6209,62 @@ else if ((pat_patctl.control & CTL_EXPAND) != 0)
     uint8_t *pc = pp;
     uint32_t count = 1;
     size_t length = 1;
+    size_t m = 1;
 
     /* Check for replication syntax; if not found, the defaults just set will
-    prevail and one character will be copied. */
+    prevail and `length` characters will be copied once. */
 
     if (pp[0] == '\\' && pp[1] == '[')
       {
       uint8_t *pe;
-      for (pe = pp + 2; *pe != 0; pe++)
+
+      /* Start the capture after skipping the prefix. This pointer will need
+      to be rolled back if a syntax problem is found later. */
+      pc += 2;
+      for (pe = pc; *pe != 0; pe++)
         {
-        if (pe[0] == ']' && pe[1] == '{')
+        if (pe[0] == ']' && pe[1] == '{' && isdigit(pe[2]))
           {
-          size_t clen = pe - pc - 2;
-          uint32_t i = 0;
           unsigned long uli;
           char *endptr;
 
-          pe += 2;
-          uli = strtoul((const char *)pe, &endptr, 10);
-          if (U32OVERFLOW(uli))
+          errno = 0;
+          uli = strtoul((const char *)pe + 2, &endptr, 10);
+          if (uli == 0 || U32OVERFLOWE(uli))
             {
-            fprintf(outfile, "** Pattern repeat count too large\n");
+            fprintf(outfile, "** Invalid replication count (1..UINT_MAX)\n");
             return PR_SKIP;
             }
 
-          i = (uint32_t)uli;
-          pe = (uint8_t *)endptr;
-          if (*pe == '}')
+          if (*endptr == '}') count = (uint32_t)uli;
+          length = pe - pc;
+          if (length >= SIZE_MAX/count)
             {
-            if (i == 0)
-              {
-              fprintf(outfile, "** Zero repeat not allowed\n");
-              return PR_SKIP;
-              }
-            pc += 2;
-            count = i;
-            length = clen;
-            pp = pe;
-            break;
+            fprintf(outfile, "** Expanded content too large\n");
+            return PR_SKIP;
             }
+          pe = (uint8_t *)endptr;
+          break;
           }
         }
+      if (*pe != '}')
+        {
+        pc -= 2;
+        length = pe - pc;
+        }
+      m = length * count;
+      pp = pe;
+
+      /* The main loop increments pp, so if we are already at the end of
+      the pattern need to backtrack to avoid jumping over the NUL. */
+      if (*pe == 0) pp--;
       }
 
     /* Add to output. If the buffer is too small expand it. The function for
     expanding buffers always keeps buffer and pbuffer8 in step as far as their
     size goes. */
 
-    while (pt + count * length > pbuffer8 + pbuffer8_size)
+    while (pt + m > pbuffer8 + pbuffer8_size)
       {
       size_t pc_offset = pc - buffer;
       size_t pp_offset = pp - buffer;
@@ -7990,7 +8009,7 @@ process_data(void)
 {
 PCRE2_SIZE len, ulen, arg_ulen;
 uint32_t gmatched;
-uint32_t c, k;
+uint32_t c;
 uint32_t g_notempty = 0;
 uint8_t *p, *pp, *start_rep;
 size_t needlen;
@@ -8121,14 +8140,15 @@ while ((c = *p++) != 0)
 
     if (*p++ != '{')
       {
-      fprintf(outfile, "** Expected '{' after \\[....]\n");
+      fprintf(outfile, "** Expected '{' after \\[...]\n");
       return PR_OK;
       }
 
+    errno = 0;
     li = strtol((const char *)p, &endptr, 10);
-    if (S32OVERFLOW(li))
+    if (!isdigit(*p) || errno != 0 || li < 1 || S32OVERFLOW(li))
       {
-      fprintf(outfile, "** Repeat count too large\n");
+      fprintf(outfile, "** Replication count missing or invalid (1..INT_MAX)\n");
       return PR_OK;
       }
     i = (int)li;
@@ -8140,44 +8160,41 @@ while ((c = *p++) != 0)
       return PR_OK;
       }
 
-    if (i-- <= 0)
+    if (i-- > 1)
       {
-      fprintf(outfile, "** Zero or negative repeat not allowed\n");
-      return PR_OK;
-      }
-
-    replen = CAST8VAR(q) - start_rep;
-    if (i > 0 && replen > (SIZE_MAX - needlen) / i)
-      {
-      fprintf(outfile, "** Expanded content too large\n");
-      return PR_OK;
-      }
-    needlen += replen * i;
-
-    if (needlen >= dbuffer_size)
-      {
-      size_t qoffset = CAST8VAR(q) - dbuffer;
-      size_t rep_offset = start_rep - dbuffer;
-      while (needlen >= dbuffer_size)
+      replen = CAST8VAR(q) - start_rep;
+      if (replen >= (SIZE_MAX - needlen) / i)
         {
-        if (dbuffer_size < SIZE_MAX/2) dbuffer_size *= 2;
-          else dbuffer_size = needlen + 1;
+        fprintf(outfile, "** Expanded content too large\n");
+        return PR_OK;
         }
-      dbuffer = (uint8_t *)realloc(dbuffer, dbuffer_size);
-      if (dbuffer == NULL)
+      needlen += replen * i;
+
+      if (needlen >= dbuffer_size)
         {
-        fprintf(stderr, "pcre2test: realloc(%" SIZ_FORM ") failed\n",
-          dbuffer_size);
-        exit(1);
+        size_t qoffset = CAST8VAR(q) - dbuffer;
+        size_t rep_offset = start_rep - dbuffer;
+        while (needlen >= dbuffer_size)
+          {
+          if (dbuffer_size < SIZE_MAX / 2) dbuffer_size *= 2;
+            else dbuffer_size = needlen + 1;
+          }
+        dbuffer = (uint8_t *)realloc(dbuffer, dbuffer_size);
+        if (dbuffer == NULL)
+          {
+          fprintf(stderr, "pcre2test: realloc(%" SIZ_FORM ") failed\n",
+            dbuffer_size);
+          exit(1);
+          }
+        SETCASTPTR(q, dbuffer + qoffset);
+        start_rep = dbuffer + rep_offset;
         }
-      SETCASTPTR(q, dbuffer + qoffset);
-      start_rep = dbuffer + rep_offset;
-      }
 
-    while (i-- > 0)
-      {
-      memcpy(CAST8VAR(q), start_rep, replen);
-      SETPLUS(q, replen/code_unit_size);
+      while (i-- > 0)
+        {
+        memcpy(CAST8VAR(q), start_rep, replen);
+        SETPLUS(q, replen/code_unit_size);
+        }
       }
 
     start_rep = NULL;
@@ -8458,7 +8475,7 @@ if (dat_datctl.substitute_skip != 0 || dat_datctl.substitute_stop != 0)
 /* Check for mutually exclusive modifiers. At present, these are all in the
 first control word. */
 
-for (k = 0; k < sizeof(exclusive_dat_controls)/sizeof(uint32_t); k++)
+for (uint32_t k = 0; k < sizeof(exclusive_dat_controls)/sizeof(uint32_t); k++)
   {
   c = dat_datctl.control & exclusive_dat_controls[k];
   if (c != 0 && c != (c & (~c+1)))

testdata/testinput2

@@ -4589,9 +4589,6 @@
 /(abc)*/
     \[abc]{1}
 
-/(abc)*/
-    \[abc]{0}
-
 /^/gm
     \n\n\n
 
@@ -5136,12 +5133,29 @@ a)"xI
 \= Expect no match
     abc
 
+# Expand tests
+
+/(abc)*/
+    \[abc]{0}
+    \[abc]{}
+
 /aaa/
-\[abc]{10000000000000000000000000000}
-\[a]{3}
+    \[X]{-10}
+    \[abc]{10000000000000000000000000000}
+    \[a]{3}
 
 /\[AB]{6000000000000000000000}/expand
 
+/\[AB]{0000000000000000000000}/expand
+
+/a\[b]{-1}/BI,expand
+
+/a\[b]{/BI,expand
+
+/a\[/BI,expand
+
+//BI,expand
+
 # Hex uses pattern length, not zero-terminated. This tests for overrunning
 # the given length of a pattern.
 
@@ -6324,9 +6338,6 @@ a)"xI
 /[Aa]{2,3}/BI
     aabcd
 
---
-    \[X]{-10}
-    
 # Check imposition of maximum by match_data_create().
 
 /abcd/