[pcre3.git] / debian / patches / Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch

Description: CVE-2015-2326: heap buffer overflow in pcre_compile2()
 Fix bad compilation for patterns like /((?+1)(\1))/ with
 forward reference subroutine and recursive back reference within the same
 group.
Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1529
Bug: http://bugs.exim.org/show_bug.cgi?id=1592
Bug-Debian: https://bugs.debian.org/783285
Forwarded: not-needed
Last-Update: 2015-09-10
Applied-Upstream: 8.36

--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -8027,6 +8027,7 @@ int length;
 unsigned int orig_bracount;
 unsigned int max_bracount;
 branch_chain bc;
+size_t save_hwm_offset;
 
 /* If set, call the external function that checks for stack availability. */
 
@@ -8044,6 +8045,8 @@ bc.current_branch = code;
 firstchar = reqchar = 0;
 firstcharflags = reqcharflags = REQ_UNSET;
 
+save_hwm_offset = cd->hwm - cd->start_workspace;
+
 /* Accumulate the length for use in the pre-compile phase. Start with the
 length of the BRA and KET and any extra bytes that are required at the
 beginning. We accumulate in a local variable to save frequent testing of
@@ -8246,7 +8249,7 @@ for (;;)
         {
         *code = OP_END;
         adjust_recurse(start_bracket, 1 + LINK_SIZE,
-          (options & PCRE_UTF8) != 0, cd, cd->hwm - cd->start_workspace);
+          (options & PCRE_UTF8) != 0, cd, save_hwm_offset);
         memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
           IN_UCHARS(code - start_bracket));
         *start_bracket = OP_ONCE;
--- a/testdata/testinput11
+++ b/testdata/testinput11
@@ -134,4 +134,6 @@ is required for these tests. --/
 
 /(((a\2)|(a*)\g<-1>))*a?/B
 
+/((?+1)(\1))/B
+
 /-- End of testinput11 --/
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4066,4 +4066,6 @@ backtracking verbs. --/
 
 "((?2){0,1999}())?"
 
+/((?+1)(\1))/BZ
+
 /-- End of testinput2 --/
--- a/testdata/testoutput11-16
+++ b/testdata/testoutput11-16
@@ -733,4 +733,19 @@ Memory allocation (code space): 14
  41     End
 ------------------------------------------------------------------
 
+/((?+1)(\1))/B
+------------------------------------------------------------------
+  0  20 Bra
+  2  16 Once
+  4  12 CBra 1
+  7   9 Recurse
+  9   5 CBra 2
+ 12     \1
+ 14   5 Ket
+ 16  12 Ket
+ 18  16 Ket
+ 20  20 Ket
+ 22     End
+------------------------------------------------------------------
+
 /-- End of testinput11 --/
--- a/testdata/testoutput11-32
+++ b/testdata/testoutput11-32
@@ -733,4 +733,19 @@ Memory allocation (code space): 28
  41     End
 ------------------------------------------------------------------
 
+/((?+1)(\1))/B
+------------------------------------------------------------------
+  0  20 Bra
+  2  16 Once
+  4  12 CBra 1
+  7   9 Recurse
+  9   5 CBra 2
+ 12     \1
+ 14   5 Ket
+ 16  12 Ket
+ 18  16 Ket
+ 20  20 Ket
+ 22     End
+------------------------------------------------------------------
+
 /-- End of testinput11 --/
--- a/testdata/testoutput11-8
+++ b/testdata/testoutput11-8
@@ -733,4 +733,19 @@ Memory allocation (code space): 10
  60     End
 ------------------------------------------------------------------
 
+/((?+1)(\1))/B
+------------------------------------------------------------------
+  0  31 Bra
+  3  25 Once
+  6  19 CBra 1
+ 11  14 Recurse
+ 14   8 CBra 2
+ 19     \1
+ 22   8 Ket
+ 25  19 Ket
+ 28  25 Ket
+ 31  31 Ket
+ 34     End
+------------------------------------------------------------------
+
 /-- End of testinput11 --/
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14175,4 +14175,19 @@ Failed: parentheses are too deeply neste
 
 "((?2){0,1999}())?"
 
+/((?+1)(\1))/BZ
+------------------------------------------------------------------
+        Bra
+        Once
+        CBra 1
+        Recurse
+        CBra 2
+        \1
+        Ket
+        Ket
+        Ket
+        Ket
+        End
+------------------------------------------------------------------
+
 /-- End of testinput2 --/