blob: 3c4132bf55b290de148b8fe375fdcece8f399c21 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
Description: CVE-2015-3210: heap buffer overflow in pcre_compile2() / compile_regex()
Fix buffer overflow for named recursive back reference when
the name is duplicated.
Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1558
Bug: https://bugs.exim.org/show_bug.cgi?id=1636
Bug-Debian: https://bugs.debian.org/787433
Forwarded: not-needed
Last-Update: 2015-09-10
Applied-Upstream: not-yet (8.38)
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -7082,14 +7082,26 @@ for (;; ptr++)
number. If the name is not found, set the value to 0 for a forward
reference. */
+ recno = 0;
ng = cd->named_groups;
for (i = 0; i < cd->names_found; i++, ng++)
{
if (namelen == ng->length &&
STRNCMP_UC_UC(name, ng->name, namelen) == 0)
- break;
+ {
+ open_capitem *oc;
+ recno = ng->number;
+ if (is_recurse) break;
+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+ {
+ if (oc->number == recno)
+ {
+ oc->flag = TRUE;
+ break;
+ }
+ }
+ }
}
- recno = (i < cd->names_found)? ng->number : 0;
/* Count named back references. */
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4068,4 +4068,6 @@ backtracking verbs. --/
/((?+1)(\1))/BZ
+"(?J)(?'d'(?'d'\g{d}))"
+
/-- End of testinput2 --/
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14190,4 +14190,6 @@ Failed: parentheses are too deeply neste
End
------------------------------------------------------------------
+"(?J)(?'d'(?'d'\g{d}))"
+
/-- End of testinput2 --/
|