Description: CVE-2016-1283: heap buffer overflow in handling of duplicate named groups
Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1636
Bug: https://bugs.exim.org/show_bug.cgi?id=1767
Bug-Debian: https://bugs.debian.org/809706
Forwarded: not-needed
Author: Philip Hazel <ph10@cam.ac.uk>
Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2016-03-25
Applied-Upstream: 8.39
---

--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -7133,7 +7133,12 @@ for (;; ptr++)
           so far in order to get the number. If the name is not found, leave
           the value of recno as 0 for a forward reference. */
            
-          else
+          /* This patch (removing "else") fixes a problem when a reference is
+          to multiple identically named nested groups from within the nest.
+          Once again, it is not the "proper" fix, and it results in an
+          over-allocation of memory. */
+
+          /* else */
             { 
             ng = cd->named_groups;
             for (i = 0; i < cd->names_found; i++, ng++)
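Review bot: at the removed `else`, the replacement leaves `/* else */` behind as commented-out code, and the new comment refers to itself as "This patch", which will read oddly once it lives in the tree. With the `else` gone, the block starting `ng = cd->named_groups;` now runs unconditionally. The comment also admits this is not the "proper" fix and that it over-allocates memory, but it gives no bound on the over-allocation and no pointer to where the proper fix is tracked. Suggest dropping the `/* else */` remnant, rewording the comment to say why the scan of `cd->named_groups` must always run, and adding a reference to the follow-up work.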
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4110,4 +4110,6 @@ backtracking verbs. --/
 
 /\x{whatever}/
 
+/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/
+
 /-- End of testinput2 --/
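Review bot: the added `/((?J)(?'R'...` pattern has no comment tying it to the bug it guards against, and it is followed only by a blank line, so it exercises compilation but never a match. Suggest a short comment line naming the bug reference next to the pattern and, if practical, a subject line so the `\k'R'` back reference is also exercised at match time.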
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14243,4 +14243,6 @@ Failed: digits missing in \x{} or \o{} a
 /\x{whatever}/
 Failed: non-hex character in \x{} (closing brace missing?) at offset 3
 
+/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/
+
 /-- End of testinput2 --/
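Review bot: the expected output for the added pattern is only the echoed pattern and a blank line, so this test fails only if compilation reports an error or the process crashes; a heap overflow that corrupts memory silently would still produce matching output. Suggest making sure this test file is run under a memory checker (for example valgrind or AddressSanitizer) so that a regression of the overflow is actually detected.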
