1 Description: PCRE Library Stack Overflow Vulnerability
2 Fix compiler crash/misbehaviour for zero-repeated groups that
3 include a recursive back reference.
4 Origin: backport, http://vcs.pcre.org/pcre?view=revision&revision=1495
5 Bug: https://bugs.exim.org/show_bug.cgi?id=1503
7 Last-Update: 2015-09-10
12 @@ -8241,12 +8241,16 @@ for (;;)
14 /* If it was a capturing subpattern, check to see if it contained any
15 recursive back references. If so, we must wrap it in atomic brackets.
16 - In any event, remove the block from the chain. */
17 + Because we are moving code along, we must ensure that any pending recursive
18 + references are updated. In any event, remove the block from the chain. */
22 if (cd->open_caps->flag)
25 + adjust_recurse(start_bracket, 1 + LINK_SIZE,
26 + (options & PCRE_UTF8) != 0, cd, cd->hwm);
27 memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
28 IN_UCHARS(code - start_bracket));
29 *start_bracket = OP_ONCE;
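Review bot: The added `adjust_recurse(start_bracket, 1 + LINK_SIZE, ...)` call appears to depend on running before the `memmove` that shifts the group, but the updated comment only says references "are updated" and does not state the ordering. A one-line comment directly above the call, for example `/* Must precede the memmove: recursion offsets are fixed up against the unmoved group. */`, would make it harder for a later reordering to reintroduce the crash this patch fixes. The hunk also shows no check that `1 + LINK_SIZE` spare code units exist past `code` before the shift. A workspace margin elsewhere in the compile loop presumably covers this, but that is not visible here and should be confirmed for the backported version. The enclosing `for (;;)` body starts and ends outside the hunk, and some hunk lines appear to be missing from this page.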
30 --- a/testdata/testinput11
31 +++ b/testdata/testinput11
32 @@ -132,4 +132,6 @@ is required for these tests. --/
34 /abc(d|e)(*THEN)x(123(*THEN)4|567(b|q)(*THEN)xx)/B
36 +/(((a\2)|(a*)\g<-1>))*a?/B
38 /-- End of testinput11 --/
39 --- a/testdata/testinput2
40 +++ b/testdata/testinput2
41 @@ -4035,6 +4035,8 @@ backtracking verbs. --/
45 +/(((a\2)|(a*)\g<-1>))*a?/BZ
47 /-- Test the ugly "start or end of word" compatibility syntax --/
50 --- a/testdata/testoutput11-16
51 +++ b/testdata/testoutput11-16
52 @@ -709,4 +709,28 @@ Memory allocation (code space): 14
54 ------------------------------------------------------------------
56 +/(((a\2)|(a*)\g<-1>))*a?/B
57 +------------------------------------------------------------------
78 +------------------------------------------------------------------
80 /-- End of testinput11 --/
81 --- a/testdata/testoutput11-32
82 +++ b/testdata/testoutput11-32
83 @@ -709,4 +709,28 @@ Memory allocation (code space): 28
85 ------------------------------------------------------------------
87 +/(((a\2)|(a*)\g<-1>))*a?/B
88 +------------------------------------------------------------------
109 +------------------------------------------------------------------
111 /-- End of testinput11 --/
112 --- a/testdata/testoutput11-8
113 +++ b/testdata/testoutput11-8
114 @@ -709,4 +709,28 @@ Memory allocation (code space): 10
116 ------------------------------------------------------------------
118 +/(((a\2)|(a*)\g<-1>))*a?/B
119 +------------------------------------------------------------------
140 +------------------------------------------------------------------
142 /-- End of testinput11 --/
143 --- a/testdata/testoutput2
144 +++ b/testdata/testoutput2
145 @@ -14093,6 +14093,30 @@ Failed: malformed number or name after (
147 Failed: group name must start with a non-digit at offset 5
149 +/(((a\2)|(a*)\g<-1>))*a?/BZ
150 +------------------------------------------------------------------
171 +------------------------------------------------------------------
173 /-- Test the ugly "start or end of word" compatibility syntax --/
175 /[[:<:]]red[[:>:]]/BZ