1 Description: CVE-2015-2326: heap buffer overflow in pcre_compile2()
2 Fix bad compilation for patterns like /((?+1)(\1))/ with
3 forward reference subroutine and recursive back reference within the same
5 Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1529
6 Bug: http://bugs.exim.org/show_bug.cgi?id=1592
7 Bug-Debian: https://bugs.debian.org/783285
9 Last-Update: 2015-09-10
10 Applied-Upstream: 8.36
14 @@ -8027,6 +8027,7 @@ int length;
15 unsigned int orig_bracount;
16 unsigned int max_bracount;
18 +size_t save_hwm_offset;
20 /* If set, call the external function that checks for stack availability. */
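Review bot: The new `save_hwm_offset` declaration has no comment saying why the workspace offset is captured once at function entry (the hunk at -8044) and handed to adjust_recurse() in place of the live `cd->hwm - cd->start_workspace` (the hunk at -8246), which is the whole substance of the CVE-2015-2326 fix and is not recoverable from three one-line changes. Suggest `/* Offset of cd->hwm into the workspace at entry to this group; adjust_recurse() is given this saved value rather than the live cd->hwm (CVE-2015-2326, exim bug 1592). */` on the declaration, and a one-line pointer to it at the adjust_recurse() call so a later maintainer does not "simplify" the argument back to the live expression. The header suggests the live value is wrong because forward-reference entries recorded while compiling the group itself are counted, but that is inferred from the description rather than visible here and should be confirmed against adjust_recurse() before being written as fact. The enclosing function starts before the first hunk and its name is not visible in this excerpt.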
22 @@ -8044,6 +8045,8 @@ bc.current_branch = code;
23 firstchar = reqchar = 0;
24 firstcharflags = reqcharflags = REQ_UNSET;
26 +save_hwm_offset = cd->hwm - cd->start_workspace;
28 /* Accumulate the length for use in the pre-compile phase. Start with the
29 length of the BRA and KET and any extra bytes that are required at the
30 beginning. We accumulate in a local variable to save frequent testing of
31 @@ -8246,7 +8249,7 @@ for (;;)
34 adjust_recurse(start_bracket, 1 + LINK_SIZE,
35 - (options & PCRE_UTF8) != 0, cd, cd->hwm - cd->start_workspace);
36 + (options & PCRE_UTF8) != 0, cd, save_hwm_offset);
37 memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
38 IN_UCHARS(code - start_bracket));
39 *start_bracket = OP_ONCE;
40 --- a/testdata/testinput11
41 +++ b/testdata/testinput11
42 @@ -134,4 +134,6 @@ is required for these tests. --/
44 /(((a\2)|(a*)\g<-1>))*a?/B
48 /-- End of testinput11 --/
49 --- a/testdata/testinput2
50 +++ b/testdata/testinput2
51 @@ -4066,4 +4066,6 @@ backtracking verbs. --/
57 /-- End of testinput2 --/
58 --- a/testdata/testoutput11-16
59 +++ b/testdata/testoutput11-16
60 @@ -733,4 +733,19 @@ Memory allocation (code space): 14
62 ------------------------------------------------------------------
65 +------------------------------------------------------------------
77 +------------------------------------------------------------------
79 /-- End of testinput11 --/
80 --- a/testdata/testoutput11-32
81 +++ b/testdata/testoutput11-32
82 @@ -733,4 +733,19 @@ Memory allocation (code space): 28
84 ------------------------------------------------------------------
87 +------------------------------------------------------------------
99 +------------------------------------------------------------------
101 /-- End of testinput11 --/
102 --- a/testdata/testoutput11-8
103 +++ b/testdata/testoutput11-8
104 @@ -733,4 +733,19 @@ Memory allocation (code space): 10
106 ------------------------------------------------------------------
109 +------------------------------------------------------------------
121 +------------------------------------------------------------------
123 /-- End of testinput11 --/
124 --- a/testdata/testoutput2
125 +++ b/testdata/testoutput2
126 @@ -14175,4 +14175,19 @@ Failed: parentheses are too deeply neste
131 +------------------------------------------------------------------
143 +------------------------------------------------------------------
145 /-- End of testinput2 --/