Import debian/ directory from 2:8.38-3.1
1 Description: CVE-2015-3210: heap buffer overflow in pcre_compile2() / compile_regex()
2  Fix buffer overflow for named recursive back reference when
3  the name is duplicated.
4 Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1558
5 Bug: https://bugs.exim.org/show_bug.cgi?id=1636
6 Bug-Debian: https://bugs.debian.org/787433
7 Forwarded: not-needed
8 Last-Update: 2015-09-10
9 Applied-Upstream: not-yet (8.38)
10
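--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -7082,14 +7082,26 @@ for (;; ptr++)
           number. If the name is not found, set the value to 0 for a forward
           reference. */
 
+          recno = 0;
           ng = cd->named_groups;
           for (i = 0; i < cd->names_found; i++, ng++)
             {
             if (namelen == ng->length &&
                 STRNCMP_UC_UC(name, ng->name, namelen) == 0)
-              break;
+              {
+              open_capitem *oc;
+              recno = ng->number;
+              if (is_recurse) break;
+              for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+                {
+                if (oc->number == recno)
+                  {
+                  oc->flag = TRUE;
+                  break;
+                  }
+                }
+              }
             }
-          recno = (i < cd->names_found)? ng->number : 0;
 
           /* Count named back references. */
 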
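Review bot: In the rewritten match branch, recno ends up holding the number of the last duplicate name scanned rather than the first one matched, because only the inner open_caps loop breaks while the outer names loop keeps running when is_recurse is false; if that is intended (every currently open group sharing the name gets flagged and the back reference resolves to the last one), a comment should say so, e.g. `/* For a back reference (not a recursion) keep scanning: every currently open group with this name must be flagged, so recno is the last duplicate. */`. The lines from `for (oc = cd->open_caps; ...)` through the closing brace of the new block carry trailing whitespace that the surrounding code does not; strip it before committing. The enclosing `for (;; ptr++)` loop and the rest of compile_regex() start and end outside the hunk, so whether later code relies on recno being the first duplicate cannot be checked from here.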
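--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4068,4 +4068,6 @@ backtracking verbs. --/
 
 /((?+1)(\1))/BZ
 
+"(?J)(?'d'(?'d'\g{d}))"
+
 /-- End of testinput2 --/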
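--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14190,4 +14190,6 @@ Failed: parentheses are too deeply neste
         End
 ------------------------------------------------------------------
 
+"(?J)(?'d'(?'d'\g{d}))"
+
 /-- End of testinput2 --/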