+++ /dev/null
-From f6efcf125123199d446c5561266c3c3846ed9f30 Mon Sep 17 00:00:00 2001
-From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
-Date: Wed, 3 Jun 2015 16:51:59 +0000
-Subject: [PATCH] Fix another buffer overflow.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Ported to 8.37:
-
-commit 225f0d5eb16c7a26591a1e3f286c7476907b5a6a
-Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
-Date: Wed Jun 3 16:51:59 2015 +0000
-
- Fix another buffer overflow.
-
- git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1562 2f5784b3-3f2a-0410-8824-cb99058d5e15
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- pcre_compile.c | 7 ++++++-
- testdata/testinput2 | 2 ++
- testdata/testoutput11-16 | 2 +-
- testdata/testoutput11-32 | 2 +-
- testdata/testoutput11-8 | 2 +-
- testdata/testoutput2 | 2 ++
- 6 files changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/pcre_compile.c b/pcre_compile.c
-index 8b4aaef..f5d2384 100644
---- a/pcre_compile.c
-+++ b/pcre_compile.c
-@@ -7210,7 +7210,12 @@ for (;; ptr++)
- real compile this will be picked up and the reference wrapped with
- OP_ONCE to make it atomic, so we must space in case this occurs. */
-
-- if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
-+ /* In fact, this can happen for a non-forward reference because
-+ another group with the same number might be created later. This
-+ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
-+ only mode, we finesse the bug by allowing more memory always. */
-+
-+ /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
- }
-
- /* In the real compile, search the name table. We check the name
-diff --git a/testdata/testinput2 b/testdata/testinput2
-index 5cc9ce6..e12de3a 100644
---- a/testdata/testinput2
-+++ b/testdata/testinput2
-@@ -4156,4 +4156,6 @@ backtracking verbs. --/
-
- /(?=di(?<=(?1))|(?=(.))))/
-
-+"(?J:(?|(?'R')(\k'R')|((?'R'))))"
-+
- /-- End of testinput2 --/
-diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16
-index 422f2ad..e222e7c 100644
---- a/testdata/testoutput11-16
-+++ b/testdata/testoutput11-16
-@@ -231,7 +231,7 @@ Memory allocation (code space): 73
- ------------------------------------------------------------------
-
- /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
--Memory allocation (code space): 61
-+Memory allocation (code space): 77
- ------------------------------------------------------------------
- 0 24 Bra
- 2 5 CBra 1
-diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32
-index d953ec8..9a80ec9 100644
---- a/testdata/testoutput11-32
-+++ b/testdata/testoutput11-32
-@@ -231,7 +231,7 @@ Memory allocation (code space): 155
- ------------------------------------------------------------------
-
- /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
--Memory allocation (code space): 125
-+Memory allocation (code space): 157
- ------------------------------------------------------------------
- 0 24 Bra
- 2 5 CBra 1
-diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8
-index 6ec18ec..3adaca2 100644
---- a/testdata/testoutput11-8
-+++ b/testdata/testoutput11-8
-@@ -231,7 +231,7 @@ Memory allocation (code space): 45
- ------------------------------------------------------------------
-
- /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
--Memory allocation (code space): 38
-+Memory allocation (code space): 50
- ------------------------------------------------------------------
- 0 30 Bra
- 3 7 CBra 1
-diff --git a/testdata/testoutput2 b/testdata/testoutput2
-index 4decb8d..5bad26c 100644
---- a/testdata/testoutput2
-+++ b/testdata/testoutput2
-@@ -14428,4 +14428,6 @@ Failed: lookbehind assertion is not fixed length at offset 17
- /(?=di(?<=(?1))|(?=(.))))/
- Failed: unmatched parentheses at offset 23
-
-+"(?J:(?|(?'R')(\k'R')|((?'R'))))"
-+
- /-- End of testinput2 --/
---
-2.4.3
-
+++ /dev/null
-From 354e1f8e921dcb9cf2f3a5eac93cd826d01a7d8a Mon Sep 17 00:00:00 2001
-From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
-Date: Tue, 23 Jun 2015 16:34:53 +0000
-Subject: [PATCH] Fix buffer overflow for forward reference within backward
- assertion with excess closing parenthesis. Bugzilla 1651.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-This is upstream commit ported to 8.37:
-
-commit 764692f9aea9eab50fdba6cb537441d8b34c6c37
-Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
-Date: Tue Jun 23 16:34:53 2015 +0000
-
- Fix buffer overflow for forward reference within backward assertion with excess
- closing parenthesis. Bugzilla 1651.
-
- git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15
-
-It fixes CVE-2015-5073.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- pcre_compile.c | 2 +-
- testdata/testinput2 | 2 ++
- testdata/testoutput2 | 3 +++
- 3 files changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/pcre_compile.c b/pcre_compile.c
-index 6f06912..b66b1f6 100644
---- a/pcre_compile.c
-+++ b/pcre_compile.c
-@@ -9392,7 +9392,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The
- exceptional ones forgo this. We scan the pattern to check that they are fixed
- length, and set their lengths. */
-
--if (cd->check_lookbehind)
-+if (errorcode == 0 && cd->check_lookbehind)
- {
- pcre_uchar *cc = (pcre_uchar *)codestart;
-
-diff --git a/testdata/testinput2 b/testdata/testinput2
-index 83bb471..5cc9ce6 100644
---- a/testdata/testinput2
-+++ b/testdata/testinput2
-@@ -4154,4 +4154,6 @@ backtracking verbs. --/
-
- "(?J)(?'d'(?'d'\g{d}))"
-
-+/(?=di(?<=(?1))|(?=(.))))/
-+
- /-- End of testinput2 --/
-diff --git a/testdata/testoutput2 b/testdata/testoutput2
-index 7dff52a..4decb8d 100644
---- a/testdata/testoutput2
-+++ b/testdata/testoutput2
-@@ -14425,4 +14425,7 @@ Failed: lookbehind assertion is not fixed length at offset 17
-
- "(?J)(?'d'(?'d'\g{d}))"
-
-+/(?=di(?<=(?1))|(?=(.))))/
-+Failed: unmatched parentheses at offset 23
-+
- /-- End of testinput2 --/
---
-2.4.3
-
+++ /dev/null
-From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001
-From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
-Date: Fri, 15 May 2015 17:17:03 +0000
-Subject: [PATCH] Fix buffer overflow for named recursive back reference when
- the name is duplicated.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Upstream commit ported to pcre-8.37:
-
-commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19
-Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
-Date: Fri May 15 17:17:03 2015 +0000
-
- Fix buffer overflow for named recursive back reference when the name is
- duplicated.
-
- git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15
-
-This fixes CVE-2015-3210.
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- pcre_compile.c | 16 ++++++++++++++--
- testdata/testinput2 | 2 ++
- testdata/testoutput2 | 2 ++
- 3 files changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/pcre_compile.c b/pcre_compile.c
-index 0efad26..6f06912 100644
---- a/pcre_compile.c
-+++ b/pcre_compile.c
-@@ -7173,14 +7173,26 @@ for (;; ptr++)
- number. If the name is not found, set the value to 0 for a forward
- reference. */
-
-+ recno = 0;
- ng = cd->named_groups;
- for (i = 0; i < cd->names_found; i++, ng++)
- {
- if (namelen == ng->length &&
- STRNCMP_UC_UC(name, ng->name, namelen) == 0)
-- break;
-+ {
-+ open_capitem *oc;
-+ recno = ng->number;
-+ if (is_recurse) break;
-+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-+ {
-+ if (oc->number == recno)
-+ {
-+ oc->flag = TRUE;
-+ break;
-+ }
-+ }
-+ }
- }
-- recno = (i < cd->names_found)? ng->number : 0;
-
- /* Count named back references. */
-
-diff --git a/testdata/testinput2 b/testdata/testinput2
-index 58fe53b..83bb471 100644
---- a/testdata/testinput2
-+++ b/testdata/testinput2
-@@ -4152,4 +4152,6 @@ backtracking verbs. --/
-
- /((?2){73}(?2))((?1))/
-
-+"(?J)(?'d'(?'d'\g{d}))"
-+
- /-- End of testinput2 --/
-diff --git a/testdata/testoutput2 b/testdata/testoutput2
-index b718df0..7dff52a 100644
---- a/testdata/testoutput2
-+++ b/testdata/testoutput2
-@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17
-
- /((?2){73}(?2))((?1))/
-
-+"(?J)(?'d'(?'d'\g{d}))"
-+
- /-- End of testinput2 --/
---
-2.4.3
-
+++ /dev/null
-From b3f0b0dd971314df8f865e221aa1a88e75d6d1a6 Mon Sep 17 00:00:00 2001
-From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
-Date: Wed, 5 Aug 2015 15:38:32 +0000
-Subject: [PATCH] Fix buffer overflow for named references in (?| situations.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Ported for 8.37:
-
-commit 7af8e8717def179fd7b69e173abd347c1a3547cb
-Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
-Date: Wed Aug 5 15:38:32 2015 +0000
-
- Fix buffer overflow for named references in (?| situations.
-
- git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1585 2f5784b3-3f2a-0410-8824-cb99058d5e15
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- pcre_compile.c | 74 ++++++++++++++++++++++++++++++----------------------
- pcre_internal.h | 1 +
- testdata/testinput2 | 2 ++
- testdata/testoutput2 | 2 ++
- 4 files changed, 48 insertions(+), 31 deletions(-)
-
-diff --git a/pcre_compile.c b/pcre_compile.c
-index f5d2384..5fe5c1d 100644
---- a/pcre_compile.c
-+++ b/pcre_compile.c
-@@ -6641,6 +6641,7 @@ for (;; ptr++)
- /* ------------------------------------------------------------ */
- case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */
- reset_bracount = TRUE;
-+ cd->dupgroups = TRUE; /* Record (?| encountered */
- /* Fall through */
-
- /* ------------------------------------------------------------ */
-@@ -7151,7 +7152,8 @@ for (;; ptr++)
- if (lengthptr != NULL)
- {
- named_group *ng;
--
-+ recno = 0;
-+
- if (namelen == 0)
- {
- *errorcodeptr = ERR62;
-@@ -7168,32 +7170,6 @@ for (;; ptr++)
- goto FAILED;
- }
-
-- /* The name table does not exist in the first pass; instead we must
-- scan the list of names encountered so far in order to get the
-- number. If the name is not found, set the value to 0 for a forward
-- reference. */
--
-- recno = 0;
-- ng = cd->named_groups;
-- for (i = 0; i < cd->names_found; i++, ng++)
-- {
-- if (namelen == ng->length &&
-- STRNCMP_UC_UC(name, ng->name, namelen) == 0)
-- {
-- open_capitem *oc;
-- recno = ng->number;
-- if (is_recurse) break;
-- for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-- {
-- if (oc->number == recno)
-- {
-- oc->flag = TRUE;
-- break;
-- }
-- }
-- }
-- }
--
- /* Count named back references. */
-
- if (!is_recurse) cd->namedrefcount++;
-@@ -7215,7 +7191,44 @@ for (;; ptr++)
- issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
- only mode, we finesse the bug by allowing more memory always. */
-
-- /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
-+ *lengthptr += 2 + 2*LINK_SIZE;
-+
-+ /* It is even worse than that. The current reference may be to an
-+ existing named group with a different number (so apparently not
-+ recursive) but which later on is also attached to a group with the
-+ current number. This can only happen if $(| has been previous
-+ encountered. In that case, we allow yet more memory, just in case.
-+ (Again, this is fixed "properly" in PCRE2. */
-+
-+ if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE;
-+
-+ /* Otherwise, check for recursion here. The name table does not exist
-+ in the first pass; instead we must scan the list of names encountered
-+ so far in order to get the number. If the name is not found, leave
-+ the value of recno as 0 for a forward reference. */
-+
-+ else
-+ {
-+ ng = cd->named_groups;
-+ for (i = 0; i < cd->names_found; i++, ng++)
-+ {
-+ if (namelen == ng->length &&
-+ STRNCMP_UC_UC(name, ng->name, namelen) == 0)
-+ {
-+ open_capitem *oc;
-+ recno = ng->number;
-+ if (is_recurse) break;
-+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-+ {
-+ if (oc->number == recno)
-+ {
-+ oc->flag = TRUE;
-+ break;
-+ }
-+ }
-+ }
-+ }
-+ }
- }
-
- /* In the real compile, search the name table. We check the name
-@@ -7262,8 +7275,6 @@ for (;; ptr++)
- for (i++; i < cd->names_found; i++)
- {
- if (STRCMP_UC_UC(slot + IMM2_SIZE, cslot + IMM2_SIZE) != 0) break;
--
--
- count++;
- cslot += cd->name_entry_size;
- }
-@@ -9189,6 +9200,7 @@ cd->names_found = 0;
- cd->name_entry_size = 0;
- cd->name_table = NULL;
- cd->dupnames = FALSE;
-+cd->dupgroups = FALSE;
- cd->namedrefcount = 0;
- cd->start_code = cworkspace;
- cd->hwm = cworkspace;
-@@ -9223,7 +9235,7 @@ if (errorcode != 0) goto PCRE_EARLY_ERROR_RETURN;
-
- DPRINTF(("end pre-compile: length=%d workspace=%d\n", length,
- (int)(cd->hwm - cworkspace)));
--
-+
- if (length > MAX_PATTERN_SIZE)
- {
- errorcode = ERR20;
-diff --git a/pcre_internal.h b/pcre_internal.h
-index dd0ac7f..7ca6020 100644
---- a/pcre_internal.h
-+++ b/pcre_internal.h
-@@ -2446,6 +2446,7 @@ typedef struct compile_data {
- BOOL had_pruneorskip; /* (*PRUNE) or (*SKIP) encountered */
- BOOL check_lookbehind; /* Lookbehinds need later checking */
- BOOL dupnames; /* Duplicate names exist */
-+ BOOL dupgroups; /* Duplicate groups exist: (?| found */
- BOOL iscondassert; /* Next assert is a condition */
- int nltype; /* Newline type */
- int nllen; /* Newline string length */
-diff --git a/testdata/testinput2 b/testdata/testinput2
-index e12de3a..8e044f8 100644
---- a/testdata/testinput2
-+++ b/testdata/testinput2
-@@ -4158,4 +4158,6 @@ backtracking verbs. --/
-
- "(?J:(?|(?'R')(\k'R')|((?'R'))))"
-
-+/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/
-+
- /-- End of testinput2 --/
-diff --git a/testdata/testoutput2 b/testdata/testoutput2
-index 5bad26c..6019425 100644
---- a/testdata/testoutput2
-+++ b/testdata/testoutput2
-@@ -14430,4 +14430,6 @@ Failed: unmatched parentheses at offset 23
-
- "(?J:(?|(?'R')(\k'R')|((?'R'))))"
-
-+/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/
-+
- /-- End of testinput2 --/
---
-2.4.3
-
+++ /dev/null
-From 83ed574998fe7b844b98ab7cd56291068feb9e31 Mon Sep 17 00:00:00 2001
-From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
-Date: Sat, 16 May 2015 11:05:40 +0000
-Subject: [PATCH] Fix named forward reference to duplicate group number
- overflow bug.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Port to 8.37:
-
-commit 2fa78aa4e42bcebf2d616c4ee89c012f29dc3447
-Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
-Date: Sat May 16 11:05:40 2015 +0000
-
- Fix named forward reference to duplicate group number overflow bug.
-
- git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1559 2f5784b3-3f2a-0410-8824-cb99058d5e15
-
-Signed-off-by: Petr Písař <ppisar@redhat.com>
----
- pcre_compile.c | 24 ++++++++++++++++--------
- testdata/testinput1 | 3 +++
- testdata/testoutput1 | 5 +++++
- 3 files changed, 24 insertions(+), 8 deletions(-)
-
-diff --git a/pcre_compile.c b/pcre_compile.c
-index b66b1f6..8b4aaef 100644
---- a/pcre_compile.c
-+++ b/pcre_compile.c
-@@ -7183,15 +7183,15 @@ for (;; ptr++)
- open_capitem *oc;
- recno = ng->number;
- if (is_recurse) break;
-- for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-- {
-- if (oc->number == recno)
-- {
-- oc->flag = TRUE;
-+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-+ {
-+ if (oc->number == recno)
-+ {
-+ oc->flag = TRUE;
- break;
-- }
-- }
-- }
-+ }
-+ }
-+ }
- }
-
- /* Count named back references. */
-@@ -7203,6 +7203,14 @@ for (;; ptr++)
- 16-bit data item. */
-
- *lengthptr += IMM2_SIZE;
-+
-+ /* If this is a forward reference and we are within a (?|...) group,
-+ the reference may end up as the number of a group which we are
-+ currently inside, that is, it could be a recursive reference. In the
-+ real compile this will be picked up and the reference wrapped with
-+ OP_ONCE to make it atomic, so we must space in case this occurs. */
-+
-+ if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
- }
-
- /* In the real compile, search the name table. We check the name
-diff --git a/testdata/testinput1 b/testdata/testinput1
-index 73c2f4d..8379ce0 100644
---- a/testdata/testinput1
-+++ b/testdata/testinput1
-@@ -5730,4 +5730,7 @@ AbcdCBefgBhiBqz
- "(?1)(?#?'){8}(a)"
- baaaaaaaaac
-
-+"(?|(\k'Pm')|(?'Pm'))"
-+ abcd
-+
- /-- End of testinput1 --/
-diff --git a/testdata/testoutput1 b/testdata/testoutput1
-index 0a53fd0..e852ab9 100644
---- a/testdata/testoutput1
-+++ b/testdata/testoutput1
-@@ -9429,4 +9429,9 @@ No match
- 0: aaaaaaaaa
- 1: a
-
-+"(?|(\k'Pm')|(?'Pm'))"
-+ abcd
-+ 0:
-+ 1:
-+
- /-- End of testinput1 --/
---
-2.4.3
-