author | John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> | 2015-11-02 17:51:13 +0000 |
---|---|---|
committer | John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> | 2015-11-02 17:51:13 +0000 |
commit | 98c3e224a46705936ea39a3830e50299f2ce3c73 (patch) | |
tree | e1245867d3733b5deaf4e41a88a080c3a0b4f59e /debian/patches/Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch |
pcre3 (2:8.35-7.4) unstable; urgency=medium
* Non-maintainer upload.
* Fix copy-and-paste error in Disable_JIT_on_sparc64.patch.
# imported from the archive
Diffstat (limited to 'debian/patches/Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch')
-rw-r--r-- | debian/patches/Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch | 145 |
1 files changed, 145 insertions, 0 deletions
diff --git a/debian/patches/Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch b/debian/patches/Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch
new file mode 100644
index 0000000..ed5b5c1
--- /dev/null
+++ b/debian/patches/Fix-bad-compilation-for-patterns-like-1-1-with-forwa.patch
@@ -0,0 +1,145 @@
+Description: CVE-2015-2326: heap buffer overflow in pcre_compile2()
+ Fix bad compilation for patterns like /((?+1)(\1))/ with
+ forward reference subroutine and recursive back reference within the same
+ group.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1529
+Bug: http://bugs.exim.org/show_bug.cgi?id=1592
+Bug-Debian: https://bugs.debian.org/783285
+Forwarded: not-needed
+Last-Update: 2015-09-10
+Applied-Upstream: 8.36
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -8027,6 +8027,7 @@ int length;
+ unsigned int orig_bracount;
+ unsigned int max_bracount;
+ branch_chain bc;
++size_t save_hwm_offset;
+
+ /* If set, call the external function that checks for stack availability. */
+
+@@ -8044,6 +8045,8 @@ bc.current_branch = code;
+ firstchar = reqchar = 0;
+ firstcharflags = reqcharflags = REQ_UNSET;
+
++save_hwm_offset = cd->hwm - cd->start_workspace;
++
+ /* Accumulate the length for use in the pre-compile phase. Start with the
+ length of the BRA and KET and any extra bytes that are required at the
+ beginning. We accumulate in a local variable to save frequent testing of
+@@ -8246,7 +8249,7 @@ for (;;)
+ {
+ *code = OP_END;
+ adjust_recurse(start_bracket, 1 + LINK_SIZE,
+- (options & PCRE_UTF8) != 0, cd, cd->hwm - cd->start_workspace);
++ (options & PCRE_UTF8) != 0, cd, save_hwm_offset);
+ memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
+ IN_UCHARS(code - start_bracket));
+ *start_bracket = OP_ONCE;
+--- a/testdata/testinput11
++++ b/testdata/testinput11
+@@ -134,4 +134,6 @@ is required for these tests. --/
+
+ /(((a\2)|(a*)\g<-1>))*a?/B
+
++/((?+1)(\1))/B
++
+ /-- End of testinput11 --/
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4066,4 +4066,6 @@ backtracking verbs. --/
+
+ "((?2){0,1999}())?"
+
++/((?+1)(\1))/BZ
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput11-16
++++ b/testdata/testoutput11-16
+@@ -733,4 +733,19 @@ Memory allocation (code space): 14
+ 41 End
+ ------------------------------------------------------------------
+
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 20 Bra
++ 2 16 Once
++ 4 12 CBra 1
++ 7 9 Recurse
++ 9 5 CBra 2
++ 12 \1
++ 14 5 Ket
++ 16 12 Ket
++ 18 16 Ket
++ 20 20 Ket
++ 22 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- a/testdata/testoutput11-32
++++ b/testdata/testoutput11-32
+@@ -733,4 +733,19 @@ Memory allocation (code space): 28
+ 41 End
+ ------------------------------------------------------------------
+
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 20 Bra
++ 2 16 Once
++ 4 12 CBra 1
++ 7 9 Recurse
++ 9 5 CBra 2
++ 12 \1
++ 14 5 Ket
++ 16 12 Ket
++ 18 16 Ket
++ 20 20 Ket
++ 22 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- a/testdata/testoutput11-8
++++ b/testdata/testoutput11-8
+@@ -733,4 +733,19 @@ Memory allocation (code space): 10
+ 60 End
+ ------------------------------------------------------------------
+
++/((?+1)(\1))/B
++------------------------------------------------------------------
++ 0 31 Bra
++ 3 25 Once
++ 6 19 CBra 1
++ 11 14 Recurse
++ 14 8 CBra 2
++ 19 \1
++ 22 8 Ket
++ 25 19 Ket
++ 28 25 Ket
++ 31 31 Ket
++ 34 End
++------------------------------------------------------------------
++
+ /-- End of testinput11 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14175,4 +14175,19 @@ Failed: parentheses are too deeply neste
+
+ "((?2){0,1999}())?"
+
++/((?+1)(\1))/BZ
++------------------------------------------------------------------
++ Bra
++ Once
++ CBra 1
++ Recurse
++ CBra 2
++ \1
++ Ket
++ Ket
++ Ket
++ Ket
++ End
++------------------------------------------------------------------
++
+ /-- End of testinput2 --/ |
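Review bot: The added `save_hwm_offset = cd->hwm - cd->start_workspace;` in the second pcre_compile.c hunk has no comment saying why the offset is captured on entry, although that is the whole fix: the third hunk replaces the same expression, previously evaluated at the `adjust_recurse()` call, with the saved value. A comment above the assignment such as `/* Workspace offset on entry; adjust_recurse() must get this, not the current cd->hwm offset. */` would keep a later cleanup from folding it back into the call. The new test lines use only `/B` and `/BZ`, so they compare the bytecode listing; because the patch header describes a heap buffer overflow, it is worth running these cases under a memory checker (valgrind or AddressSanitizer) as well. The enclosing function starts and ends outside all three pcre_compile.c hunks.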