--- /dev/null
+Description: CVE-2015-3210: heap buffer overflow in pcre_compile2() / compile_regex()
+ Fix buffer overflow for named recursive back reference when
+ the name is duplicated.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1558
+Bug: https://bugs.exim.org/show_bug.cgi?id=1636
+Bug-Debian: https://bugs.debian.org/787433
+Forwarded: not-needed
+Last-Update: 2015-09-10
+Applied-Upstream: not-yet (8.38)
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -7082,14 +7082,26 @@ for (;; ptr++)
+ number. If the name is not found, set the value to 0 for a forward
+ reference. */
+
++ recno = 0;
+ ng = cd->named_groups;
+ for (i = 0; i < cd->names_found; i++, ng++)
+ {
+ if (namelen == ng->length &&
+ STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+- break;
++ {
++ open_capitem *oc;
++ recno = ng->number;
++ if (is_recurse) break;
++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
++ {
++ if (oc->number == recno)
++ {
++ oc->flag = TRUE;
++ break;
++ }
++ }
++ }
+ }
+- recno = (i < cd->names_found)? ng->number : 0;
+
+ /* Count named back references. */
+
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4068,4 +4068,6 @@ backtracking verbs. --/
+
+ /((?+1)(\1))/BZ
+
++"(?J)(?'d'(?'d'\g{d}))"
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14190,4 +14190,6 @@ Failed: parentheses are too deeply neste
+ End
+ ------------------------------------------------------------------
+
++"(?J)(?'d'(?'d'\g{d}))"
++
+ /-- End of testinput2 --/
~ian / pcre3.git / blobdiff