Package: pcre3 / 2:8.35-3.3

cve-2014-8964.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Description: CVE-2014-8964, heap buffer overflow
 Heap buffer overflow if an assertion with a zero minimum repeat is used as
 the condition in a conditional group.
Origin: upstream http://bugs.exim.org/show_bug.cgi?id=1546
Bug: http://bugs.exim.org/show_bug.cgi?id=1546
Applied-Upstream: Yes, after 8.36
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/pcre_exec.c
+++ b/pcre_exec.c
@@ -1404,8 +1404,11 @@
         condition = TRUE;
 
         /* Advance ecode past the assertion to the start of the first branch,
-        but adjust it so that the general choosing code below works. */
+        but adjust it so that the general choosing code below works. If the
+	assertion has a quantifier that allows zero repeats we must skip over
+	the BRAZERO. This is a lunatic thing to do, but somebody did! */
 
+	if (*ecode == OP_BRAZERO) ecode++;
         ecode += GET(ecode, 1);
         while (*ecode == OP_ALT) ecode += GET(ecode, 1);
         ecode += 1 + LINK_SIZE - PRIV(OP_lengths)[condcode];