author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> 2016-02-27 17:38:11 +0000
committer: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> 2016-02-27 17:38:11 +0000
commit: b7537308b7c758f33c347cb0bec62754c43c271f
tree: c6abb39ad75bd82d205f442d621e8eeced153e89
parent: 8c43961443e3dc5618c3941355e29e504cf2afda
Yet another duplicate name bugfix by overestimating the memory needed (i.e.
another hack - PCRE2 has this "properly" fixed).

git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1636 2f5784b3-3f2a-0410-8824-cb99058d5e15
 ChangeLog            | 7
 pcre_compile.c       | 7
 testdata/testinput2  | 2
 testdata/testoutput2 | 2
4 files changed, 17 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 205e2ca..9e41ed2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -53,6 +53,13 @@ Version 8.39 xx-xxxxxx-201x
13. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply
nested set of parentheses of sufficient size caused an overflow of the
compiling workspace (which was diagnosed, but of course is not desirable).
+
+14. And yet another buffer overflow bug involving duplicate named groups, this
+ time nested, with a nested back reference. Yet again, I have just allowed
+ for more memory, because anything more needs all the refactoring that has
+ been done for PCRE2. An example pattern that provoked this bug is:
+ /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was
+ registered as CVE-2016-1283.
Version 8.38 23-November-2015
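Review bot: the entry says the change is a memory over-estimate rather than a logic fix, but it does not say where the estimate changed or that a regression case was added; one sentence pointing at the named-group reference scan in pcre_compile.c and at the new testinput2/testoutput2 case would make item 14 self-contained for anyone auditing 8.39 from the ChangeLog alone. Since the entry carries a CVE id, consider leading with it ("14. CVE-2016-1283: buffer overflow ...") so tools that grep the ChangeLog for CVE numbers find it at the start of the item rather than in the last clause.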
diff --git a/pcre_compile.c b/pcre_compile.c
index 5019854..4ffea0c 100644
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -7311,7 +7311,12 @@ for (;; ptr++)
so far in order to get the number. If the name is not found, leave
the value of recno as 0 for a forward reference. */
- else
+ /* This patch (removing "else") fixes a problem when a reference is
+ to multiple identically named nested groups from within the nest.
+ Once again, it is not the "proper" fix, and it results in an
+ over-allocation of memory. */
+
+ /* else */
{
ng = cd->named_groups;
for (i = 0; i < cd->names_found; i++, ng++)
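Review bot: leaving `/* else */` as a commented-out keyword directly above the bare `{` turns the following block into what looks like a stray scope; either delete the commented keyword and dedent the block, or keep only the explanatory comment and state the intent plainly (the scan of `cd->named_groups` now runs unconditionally). The more important point is that removing `else` changes control flow for every pattern that reaches this code, not only those with duplicate nested names: the preceding `if` branch (outside this hunk) and the name scan can now both execute. The new comment should say explicitly that this double execution is intended and only inflates the size estimate, and a second regression case in which the reference is resolved by the preceding branch would show that the over-allocation does not break ordinary named references.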
diff --git a/testdata/testinput2 b/testdata/testinput2
index 086e0f4..c805f5f 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4239,4 +4239,6 @@ backtracking verbs. --/
9010
abcd
+/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/
+
/-- End of testinput2 --/
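Review bot: the new case is the bare pattern with no subject lines and no comment, so a reader of testinput2 cannot tell why it is here or why it has no data; this file already uses `/-- ... --/` comment lines (the hunk header shows one), so add one such as `/-- CVE-2016-1283: nested duplicate names with a nested back reference; compile only --/` before the pattern. Saying "compile only" matters because the bug is triggered during compilation, and it stops someone later "completing" the test with subject strings that would change the expected output for no gain.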
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index d414a72..800a72f 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -14665,4 +14665,6 @@ Start of matched string is beyond its end - displaying from end to start.
0 ^ 0
No match
+/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/
+
/-- End of testinput2 --/
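Review bot: the expected output is just the pattern echoed back, which is exactly what an unpatched build prints as long as the compile-time overflow happens not to crash, so this case only detects a regression when the suite is run under valgrind or an address-sanitizer build. That is acceptable for a compile-phase buffer overflow, but it should be recorded next to the case (or in ChangeLog item 14) so the test is not later dropped as a no-op, and a memory-checked run of the suite should be what validates this fix for the 8.39 release.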