1 | From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001 |
2 | From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | |
3 | Date: Fri, 15 May 2015 17:17:03 +0000 | |
4 | Subject: [PATCH] Fix buffer overflow for named recursive back reference when | |
5 | the name is duplicated. | |
6 | MIME-Version: 1.0 | |
7 | Content-Type: text/plain; charset=UTF-8 | |
8 | Content-Transfer-Encoding: 8bit | |
9 | ||
10 | Upstream commit ported to pcre-8.37: | |
11 | ||
12 | commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19 | |
13 | Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> | |
14 | Date: Fri May 15 17:17:03 2015 +0000 | |
15 | ||
16 | Fix buffer overflow for named recursive back reference when the name is | |
17 | duplicated. | |
18 | ||
19 | git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15 | |
20 | ||
21 | This fixes CVE-2015-3210. | |
22 | ||
23 | Signed-off-by: Petr Písař <ppisar@redhat.com> | |
24 | --- | |
25 | pcre_compile.c | 16 ++++++++++++++-- | |
26 | testdata/testinput2 | 2 ++ | |
27 | testdata/testoutput2 | 2 ++ | |
28 | 3 files changed, 18 insertions(+), 2 deletions(-) | |
29 | ||
30 | diff --git a/pcre_compile.c b/pcre_compile.c | |
31 | index 0efad26..6f06912 100644 | |
32 | --- a/pcre_compile.c | |
33 | +++ b/pcre_compile.c | |
34 | @@ -7173,14 +7173,26 @@ for (;; ptr++) | |
35 | number. If the name is not found, set the value to 0 for a forward | |
36 | reference. */ | |
37 | ||
38 | + recno = 0; | |
39 | ng = cd->named_groups; | |
40 | for (i = 0; i < cd->names_found; i++, ng++) | |
41 | { | |
42 | if (namelen == ng->length && | |
43 | STRNCMP_UC_UC(name, ng->name, namelen) == 0) | |
44 | - break; | |
45 | + { | |
46 | + open_capitem *oc; | |
47 | + recno = ng->number; | |
48 | + if (is_recurse) break; | |
49 | + for (oc = cd->open_caps; oc != NULL; oc = oc->next) | |
50 | + { | |
51 | + if (oc->number == recno) | |
52 | + { | |
53 | + oc->flag = TRUE; | |
54 | + break; | |
55 | + } | |
56 | + } | |
57 | + } | |
58 | } | |
59 | - recno = (i < cd->names_found)? ng->number : 0; | |
60 | ||
61 | /* Count named back references. */ | |
62 | ||
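Review bot: The new back-reference path scans every name entry and sets `oc->flag` on each open group whose number matches, but the comment this hunk sits under (lines 35-36, which starts outside the hunk) still describes only a lookup of the group number, so the new behaviour is undocumented. I would add above `recno = 0;` the comment `/* For a back reference (not a recursion) do not stop at the first hit: under (?J) the name may be duplicated, so every open group carrying it must have its flag set; presumably this marks a group that references itself -- confirm against where the flag is read. */`. Note also that `recno` now ends up as the number of the *last* matching entry rather than the first, because the loop only breaks early when `is_recurse` is set; whether the code consuming `recno` below the hunk is indifferent to which duplicate is chosen cannot be confirmed from here, so a one-line comment stating that intent would help a later reader. The enclosing function begins and ends outside the hunk.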
63 | diff --git a/testdata/testinput2 b/testdata/testinput2 | |
64 | index 58fe53b..83bb471 100644 | |
65 | --- a/testdata/testinput2 | |
66 | +++ b/testdata/testinput2 | |
67 | @@ -4152,4 +4152,6 @@ backtracking verbs. --/ | |
68 | ||
69 | /((?2){73}(?2))((?1))/ | |
70 | ||
71 | +"(?J)(?'d'(?'d'\g{d}))" | |
72 | + | |
73 | /-- End of testinput2 --/ | |
74 | diff --git a/testdata/testoutput2 b/testdata/testoutput2 | |
75 | index b718df0..7dff52a 100644 | |
76 | --- a/testdata/testoutput2 | |
77 | +++ b/testdata/testoutput2 | |
78 | @@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17 | |
79 | ||
80 | /((?2){73}(?2))((?1))/ | |
81 | ||
82 | +"(?J)(?'d'(?'d'\g{d}))" | |
83 | + | |
84 | /-- End of testinput2 --/ | |
85 | -- | |
86 | 2.4.3 | |
87 |