Description: Fix named forward reference to duplicate group number
overflow bug.
.
Addresses CVE-2015-8385.
Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1559
Forwarded: not-needed
Author: Salvatore Bonaccorso <carnil@debian.org>
Last-Update: 2015-12-28
Applied-Upstream: 3.38
---
pcre_compile.c | 26 +++++++++++++++++---------
testdata/testinput1 | 3 +++
testdata/testoutput1 | 5 +++++
4 files changed, 30 insertions(+), 9 deletions(-)
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -7107,6 +7107,14 @@ for (;; ptr++)
/* Count named back references. */
if (!is_recurse) cd->namedrefcount++;
+
+ /* If this is a forward reference and we are within a (?|...) group,
+ the reference may end up as the number of a group which we are
+ currently inside, that is, it could be a recursive reference. In the
+ real compile this will be picked up and the reference wrapped with
+ OP_ONCE to make it atomic, so we must space in case this occurs. */
+
+ if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
}
/* In the real compile, search the name table. We check the name
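Review bot: The new comment has a dropped word that obscures the reason for the added length adjustment: "so we must space in case this occurs" should read `so we must reserve space in case this occurs.` Reserving `2 + 2*LINK_SIZE` on every forward reference (recno == 0), not only when a (?|...) group is open, is the conservative choice for the pre-compile length pass and is what keeps the estimate from undercounting the OP_ONCE wrap; a one-line comment saying it is deliberately over-approximating would help the next reader, e.g. `/* Deliberately reserved for all forward refs, not just those inside (?|...). */`. The enclosing `for (;; ptr++)` loop starts and ends outside the hunk, so whether the same adjustment is also needed on any other forward-reference path cannot be confirmed from this excerpt.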
--- a/testdata/testinput1
+++ b/testdata/testinput1
@@ -5672,4 +5672,7 @@ AbcdCBefgBhiBqz
/(a\Kb)*/+
ababc
+"(?|(\k'Pm')|(?'Pm'))"
+ abcd
+
/-- End of testinput1 --/
--- a/testdata/testoutput1
+++ b/testdata/testoutput1
@@ -9323,4 +9323,9 @@ No match
0+ c
1: ab
+"(?|(\k'Pm')|(?'Pm'))"
+ abcd
+ 0:
+ 1:
+
/-- End of testinput1 --/