/[packages]/cauldron/pcre/current/SOURCES/pcre-8.37-overflows.patch

Contents of /cauldron/pcre/current/SOURCES/pcre-8.37-overflows.patch



Revision 823076 - (show annotations) (download)
Sat Jun 13 19:25:22 2015 UTC (5 years, 1 month ago) by luigiwalser
File size: 7933 byte(s)
add upstream patches to fix various overflow issues including CVE-2015-321[07]
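diff -urp pcre-8.37.orig/pcre_compile.c pcre-8.37/pcre_compile.c
--- pcre-8.37.orig/pcre_compile.c 2015-04-13 11:54:01.000000000 -0400
+++ pcre-8.37/pcre_compile.c 2015-06-13 15:07:21.344510786 -0400
@@ -1799,7 +1799,7 @@ for (;;)
 case OP_ASSERTBACK:
 case OP_ASSERTBACK_NOT:
 do cc += GET(cc, 1); while (*cc == OP_ALT);
- cc += PRIV(OP_lengths)[*cc];
+ cc += 1 + LINK_SIZE;
 break;
 
 /* Skip over things that don't match chars */
@@ -6769,7 +6769,7 @@ for (;; ptr++)
 ptr++;
 }
 namelen = (int)(ptr - name);
- if (lengthptr != NULL) *lengthptr += IMM2_SIZE;
+ if (lengthptr != NULL) skipbytes += IMM2_SIZE;
 }
 
 /* Check the terminator */
@@ -7173,14 +7173,26 @@ for (;; ptr++)
 number. If the name is not found, set the value to 0 for a forward
 reference. */
 
+ recno = 0;
 ng = cd->named_groups;
 for (i = 0; i < cd->names_found; i++, ng++)
 {
 if (namelen == ng->length &&
 STRNCMP_UC_UC(name, ng->name, namelen) == 0)
- break;
+ {
+ open_capitem *oc;
+ recno = ng->number;
+ if (is_recurse) break;
+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+ {
+ if (oc->number == recno)
+ {
+ oc->flag = TRUE;
+ break;
+ }
+ }
+ }
 }
- recno = (i < cd->names_found)? ng->number : 0;
 
 /* Count named back references. */
 
@@ -7191,6 +7203,19 @@ for (;; ptr++)
 16-bit data item. */
 
 *lengthptr += IMM2_SIZE;
+
+ /* If this is a forward reference and we are within a (?|...) group,
+ the reference may end up as the number of a group which we are
+ currently inside, that is, it could be a recursive reference. In the
+ real compile this will be picked up and the reference wrapped with
+ OP_ONCE to make it atomic, so we must space in case this occurs. */
+
+ /* In fact, this can happen for a non-forward reference because
+ another group with the same number might be created later. This
+ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
+ only mode, we finesse the bug by allowing more memory always. */
+
+ /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
 }
 
 /* In the real compile, search the name table. We check the name
@@ -7323,7 +7348,15 @@ for (;; ptr++)
 
 recno = 0;
 while(IS_DIGIT(*ptr))
+ {
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ while (IS_DIGIT(*ptr)) ptr++;
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
 recno = recno * 10 + *ptr++ - CHAR_0;
+ }
 
 if (*ptr != (pcre_uchar)terminator)
 {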
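Review bot: In the `@@ -7173` hunk the name-match loop no longer stops at the first hit unless `is_recurse` is set, so with duplicate names (`(?J)` or a `(?|...)` group) every currently open group of that name gets `oc->flag = TRUE` and `recno` is left as the number of the last match rather than the first; that is presumably the intent, but nothing in the code says so and a later reader will take the missing `break` for a bug. A comment on the inner `for`, such as `/* No break here: with duplicate names every open group of this name must be flagged as recursively referenced; recno ends up as the last match */`, would pin that down. In the `@@ -7323` hunk the new guard `if (recno > INT_MAX / 10 - 1)` relies on `<limits.h>` being in scope via the file's includes (outside this diff, worth confirming) and also rejects the handful of values just below INT_MAX, which is harmless for a group number but deserves a word in its comment. The enclosing function starts and ends outside these hunks.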
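diff -urp pcre-8.37.orig/pcre_exec.c pcre-8.37/pcre_exec.c
--- pcre-8.37.orig/pcre_exec.c 2015-04-08 12:59:58.000000000 -0400
+++ pcre-8.37/pcre_exec.c 2015-06-13 15:07:37.584560377 -0400
@@ -6685,7 +6685,8 @@ if (md->offset_vector != NULL)
 register int *iend = iptr - re->top_bracket;
 if (iend < md->offset_vector + 2) iend = md->offset_vector + 2;
 while (--iptr >= iend) *iptr = -1;
- md->offset_vector[0] = md->offset_vector[1] = -1;
+ if (offsetcount > 0) md->offset_vector[0] = -1;
+ if (offsetcount > 1) md->offset_vector[1] = -1;
 }
 
 /* Set up the first character to match, if available. The first_char value is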
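Review bot: The two guarded writes to `md->offset_vector[0]` and `[1]` give no hint why `offsetcount` can be below 2; the `\O1` case added to testinput2 is the only clue, so a comment such as `/* The caller's ovector may hold fewer than 2 ints (e.g. \O1 in pcretest); only touch the slots that exist */` belongs directly above them. The unchanged line `register int *iend = iptr - re->top_bracket;` may still form a pointer below the start of the vector before the clamp on the following line, which is out-of-bounds pointer arithmetic in the C sense; doing the clamp on an index rather than a pointer would avoid that, though iptr's initialisation is outside the hunk. The enclosing `if (md->offset_vector != NULL)` block starts before the hunk.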
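diff -urp pcre-8.37.orig/testdata/testinput1 pcre-8.37/testdata/testinput1
--- pcre-8.37.orig/testdata/testinput1 2015-03-29 07:25:15.000000000 -0400
+++ pcre-8.37/testdata/testinput1 2015-06-13 15:10:02.994985765 -0400
@@ -5730,4 +5730,7 @@ AbcdCBefgBhiBqz
 "(?1)(?#?'){8}(a)"
 baaaaaaaaac
 
+"(?|(\k'Pm')|(?'Pm'))"
+ abcd
+
 /-- End of testinput1 --/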
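diff -urp pcre-8.37.orig/testdata/testinput2 pcre-8.37/testdata/testinput2
--- pcre-8.37.orig/testdata/testinput2 2015-04-13 05:36:15.000000000 -0400
+++ pcre-8.37/testdata/testinput2 2015-06-13 15:08:36.054734708 -0400
@@ -4152,4 +4152,22 @@ backtracking verbs. --/
 
 /((?2){73}(?2))((?1))/
 
+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
+
+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
+
+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
+"(?J)(?'d'(?'d'\g{d}))"
+
+".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
+\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
+
+"(?J:(?|(?'R')(\k'R')|((?'R'))))"
+
+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+
+//
+\O1
+
 /-- End of testinput2 --/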
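diff -urp pcre-8.37.orig/testdata/testoutput1 pcre-8.37/testdata/testoutput1
--- pcre-8.37.orig/testdata/testoutput1 2015-03-29 07:25:26.000000000 -0400
+++ pcre-8.37/testdata/testoutput1 2015-06-13 15:10:41.015093667 -0400
@@ -9429,4 +9429,9 @@ No match
 0: aaaaaaaaa
 1: a
 
+"(?|(\k'Pm')|(?'Pm'))"
+ abcd
+ 0:
+ 1:
+
 /-- End of testinput1 --/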
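diff -urp pcre-8.37.orig/testdata/testoutput11-16 pcre-8.37/testdata/testoutput11-16
--- pcre-8.37.orig/testdata/testoutput11-16 2015-03-02 12:09:21.000000000 -0500
+++ pcre-8.37/testdata/testoutput11-16 2015-06-13 15:11:07.935169610 -0400
@@ -231,7 +231,7 @@ Memory allocation (code space): 73
 ------------------------------------------------------------------
 
 /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 61
+Memory allocation (code space): 77
 ------------------------------------------------------------------
 0 24 Bra
 2 5 CBra 1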
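diff -urp pcre-8.37.orig/testdata/testoutput11-32 pcre-8.37/testdata/testoutput11-32
--- pcre-8.37.orig/testdata/testoutput11-32 2015-03-02 12:09:30.000000000 -0500
+++ pcre-8.37/testdata/testoutput11-32 2015-06-13 15:11:25.475218926 -0400
@@ -231,7 +231,7 @@ Memory allocation (code space): 155
 ------------------------------------------------------------------
 
 /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 125
+Memory allocation (code space): 157
 ------------------------------------------------------------------
 0 24 Bra
 2 5 CBra 1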
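diff -urp pcre-8.37.orig/testdata/testoutput11-8 pcre-8.37/testdata/testoutput11-8
--- pcre-8.37.orig/testdata/testoutput11-8 2015-03-02 12:09:13.000000000 -0500
+++ pcre-8.37/testdata/testoutput11-8 2015-06-13 15:11:41.425263677 -0400
@@ -231,7 +231,7 @@ Memory allocation (code space): 45
 ------------------------------------------------------------------
 
 /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 38
+Memory allocation (code space): 50
 ------------------------------------------------------------------
 0 30 Bra
 3 7 CBra 1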
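diff -urp pcre-8.37.orig/testdata/testoutput2 pcre-8.37/testdata/testoutput2
--- pcre-8.37.orig/testdata/testoutput2 2015-04-13 05:36:27.000000000 -0400
+++ pcre-8.37/testdata/testoutput2 2015-06-13 15:09:30.764893523 -0400
@@ -14423,4 +14423,24 @@ Failed: lookbehind assertion is not fixe
 
 /((?2){73}(?2))((?1))/
 
+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
+
+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
+
+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
+"(?J)(?'d'(?'d'\g{d}))"
+
+".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
+\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
+
+"(?J:(?|(?'R')(\k'R')|((?'R'))))"
+
+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+Failed: number is too big at offset 32
+
+//
+\O1
+Matched, but too many substrings
+
 /-- End of testinput2 --/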
