Description: CVE-2015-2326: heap buffer overflow in pcre_compile2() Fix bad compilation for patterns like /((?+1)(\1))/ with forward reference subroutine and recursive back reference within the same group. Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1529 Bug: http://bugs.exim.org/show_bug.cgi?id=1592 Bug-Debian: https://bugs.debian.org/783285 Forwarded: not-needed Last-Update: 2015-09-10 Applied-Upstream: 8.36 --- a/pcre_compile.c +++ b/pcre_compile.c @@ -8027,6 +8027,7 @@ int length; unsigned int orig_bracount; unsigned int max_bracount; branch_chain bc; +size_t save_hwm_offset; /* If set, call the external function that checks for stack availability. */ @@ -8044,6 +8045,8 @@ bc.current_branch = code; firstchar = reqchar = 0; firstcharflags = reqcharflags = REQ_UNSET; +save_hwm_offset = cd->hwm - cd->start_workspace; + /* Accumulate the length for use in the pre-compile phase. Start with the length of the BRA and KET and any extra bytes that are required at the beginning. We accumulate in a local variable to save frequent testing of @@ -8246,7 +8249,7 @@ for (;;) { *code = OP_END; adjust_recurse(start_bracket, 1 + LINK_SIZE, - (options & PCRE_UTF8) != 0, cd, cd->hwm - cd->start_workspace); + (options & PCRE_UTF8) != 0, cd, save_hwm_offset); memmove(start_bracket + 1 + LINK_SIZE, start_bracket, IN_UCHARS(code - start_bracket)); *start_bracket = OP_ONCE; --- a/testdata/testinput11 +++ b/testdata/testinput11 @@ -134,4 +134,6 @@ is required for these tests. --/ /(((a\2)|(a*)\g<-1>))*a?/B +/((?+1)(\1))/B + /-- End of testinput11 --/ --- a/testdata/testinput2 +++ b/testdata/testinput2 @@ -4066,4 +4066,6 @@ backtracking verbs. --/ "((?2){0,1999}())?" +/((?+1)(\1))/BZ + /-- End of testinput2 --/ --- a/testdata/testoutput11-16 +++ b/testdata/testoutput11-16 @@ -733,4 +733,19 @@ Memory allocation (code space): 14 41 End ------------------------------------------------------------------ +/((?+1)(\1))/B +------------------------------------------------------------------ + 0 20 Bra + 2 16 Once + 4 12 CBra 1 + 7 9 Recurse + 9 5 CBra 2 + 12 \1 + 14 5 Ket + 16 12 Ket + 18 16 Ket + 20 20 Ket + 22 End +------------------------------------------------------------------ + /-- End of testinput11 --/ --- a/testdata/testoutput11-32 +++ b/testdata/testoutput11-32 @@ -733,4 +733,19 @@ Memory allocation (code space): 28 41 End ------------------------------------------------------------------ +/((?+1)(\1))/B +------------------------------------------------------------------ + 0 20 Bra + 2 16 Once + 4 12 CBra 1 + 7 9 Recurse + 9 5 CBra 2 + 12 \1 + 14 5 Ket + 16 12 Ket + 18 16 Ket + 20 20 Ket + 22 End +------------------------------------------------------------------ + /-- End of testinput11 --/ --- a/testdata/testoutput11-8 +++ b/testdata/testoutput11-8 @@ -733,4 +733,19 @@ Memory allocation (code space): 10 60 End ------------------------------------------------------------------ +/((?+1)(\1))/B +------------------------------------------------------------------ + 0 31 Bra + 3 25 Once + 6 19 CBra 1 + 11 14 Recurse + 14 8 CBra 2 + 19 \1 + 22 8 Ket + 25 19 Ket + 28 25 Ket + 31 31 Ket + 34 End +------------------------------------------------------------------ + /-- End of testinput11 --/ --- a/testdata/testoutput2 +++ b/testdata/testoutput2 @@ -14175,4 +14175,19 @@ Failed: parentheses are too deeply neste "((?2){0,1999}())?" +/((?+1)(\1))/BZ +------------------------------------------------------------------ + Bra + Once + CBra 1 + Recurse + CBra 2 + \1 + Ket + Ket + Ket + Ket + End +------------------------------------------------------------------ + /-- End of testinput2 --/