1 | From f6efcf125123199d446c5561266c3c3846ed9f30 Mon Sep 17 00:00:00 2001 |
2 | From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | |
3 | Date: Wed, 3 Jun 2015 16:51:59 +0000 | |
4 | Subject: [PATCH] Fix another buffer overflow. | |
5 | MIME-Version: 1.0 | |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | Ported to 8.37: | |
10 | ||
11 | commit 225f0d5eb16c7a26591a1e3f286c7476907b5a6a | |
12 | Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | |
13 | Date: Wed Jun 3 16:51:59 2015 +0000 | |
14 | ||
15 | Fix another buffer overflow. | |
16 | ||
17 | git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1562 2f5784b3-3f2a-0410-8824-cb99058d5e15 | |
18 | ||
19 | Signed-off-by: Petr Písař <ppisar@redhat.com> | |
20 | --- | |
21 | pcre_compile.c | 7 ++++++- | |
22 | testdata/testinput2 | 2 ++ | |
23 | testdata/testoutput11-16 | 2 +- | |
24 | testdata/testoutput11-32 | 2 +- | |
25 | testdata/testoutput11-8 | 2 +- | |
26 | testdata/testoutput2 | 2 ++ | |
27 | 6 files changed, 13 insertions(+), 4 deletions(-) | |
28 | ||
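--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -7210,7 +7210,12 @@ for (;; ptr++)
 real compile this will be picked up and the reference wrapped with
 OP_ONCE to make it atomic, so we must space in case this occurs. */
 
- if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
+ /* In fact, this can happen for a non-forward reference because
+ another group with the same number might be created later. This
+ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
+ only mode, we finesse the bug by allowing more memory always. */
+
+ /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
 }
 
 /* In the real compile, search the name table. We check the name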
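Review bot: The disabled guard is left as an inline comment in front of the live statement, `/* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;`, which at a glance reads as if the condition still applied. Because this statement sizes the buffer that the real compile later writes into, I would drop the remnant and keep just `*lengthptr += 2 + 2*LINK_SIZE;`, with the new comment saying outright that the reservation is unconditional and must stay so. The older comment directly above still describes only the forward-reference case, so merging the two comments would lower the chance that a later cleanup restores the guard and reintroduces the under-estimate. The enclosing block starts and ends outside the hunk, so whether other length-estimate paths for named references need the same allowance cannot be judged from these lines.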
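--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4156,4 +4156,6 @@ backtracking verbs. --/
 
 /(?=di(?<=(?1))|(?=(.))))/
 
+"(?J:(?|(?'R')(\k'R')|((?'R'))))"
+
 /-- End of testinput2 --/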
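--- a/testdata/testoutput11-16
+++ b/testdata/testoutput11-16
@@ -231,7 +231,7 @@ Memory allocation (code space): 73
 ------------------------------------------------------------------
 
 /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 61
+Memory allocation (code space): 77
 ------------------------------------------------------------------
 0 24 Bra
 2 5 CBra 1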
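--- a/testdata/testoutput11-32
+++ b/testdata/testoutput11-32
@@ -231,7 +231,7 @@ Memory allocation (code space): 155
 ------------------------------------------------------------------
 
 /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 125
+Memory allocation (code space): 157
 ------------------------------------------------------------------
 0 24 Bra
 2 5 CBra 1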
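--- a/testdata/testoutput11-8
+++ b/testdata/testoutput11-8
@@ -231,7 +231,7 @@ Memory allocation (code space): 45
 ------------------------------------------------------------------
 
 /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 38
+Memory allocation (code space): 50
 ------------------------------------------------------------------
 0 30 Bra
 3 7 CBra 1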
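--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14428,4 +14428,6 @@ Failed: lookbehind assertion is not fixed length at offset 17
 /(?=di(?<=(?1))|(?=(.))))/
 Failed: unmatched parentheses at offset 23
 
+"(?J:(?|(?'R')(\k'R')|((?'R'))))"
+
 /-- End of testinput2 --/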
108 | -- | |
109 | 2.4.3 | |
110 |