current/SOURCES/pcre-8.37-overflows.patch

diff -urp pcre-8.37.orig/pcre_compile.c pcre-8.37/pcre_compile.c
--- pcre-8.37.orig/pcre_compile.c       2015-04-13 11:54:01.000000000 -0400
+++ pcre-8.37/pcre_compile.c    2015-06-13 15:07:21.344510786 -0400
@@ -1799,7 +1799,7 @@ for (;;)
     case OP_ASSERTBACK:
     case OP_ASSERTBACK_NOT:
     do cc += GET(cc, 1); while (*cc == OP_ALT);
-    cc += PRIV(OP_lengths)[*cc];
+    cc += 1 + LINK_SIZE;
     break;
 
     /* Skip over things that don't match chars */
@@ -6769,7 +6769,7 @@ for (;; ptr++)
             ptr++;
             }
           namelen = (int)(ptr - name);
-          if (lengthptr != NULL) *lengthptr += IMM2_SIZE;
+          if (lengthptr != NULL) skipbytes += IMM2_SIZE;
           }
 
         /* Check the terminator */
@@ -7173,14 +7173,26 @@ for (;; ptr++)
           number. If the name is not found, set the value to 0 for a forward
           reference. */
 
+          recno = 0;
           ng = cd->named_groups;
           for (i = 0; i < cd->names_found; i++, ng++)
             {
             if (namelen == ng->length &&
                 STRNCMP_UC_UC(name, ng->name, namelen) == 0)
-              break;
+              {
+              open_capitem *oc;
+              recno = ng->number;
+              if (is_recurse) break;
+              for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+                {
+                if (oc->number == recno)
+                  {
+                  oc->flag = TRUE;
+                  break;
+                  }
+                }
+              }
             }
-          recno = (i < cd->names_found)? ng->number : 0;
 
           /* Count named back references. */
 
@@ -7191,6 +7203,19 @@ for (;; ptr++)
           16-bit data item. */
 
           *lengthptr += IMM2_SIZE;
+
+          /* If this is a forward reference and we are within a (?|...) group,
+          the reference may end up as the number of a group which we are
+          currently inside, that is, it could be a recursive reference. In the
+          real compile this will be picked up and the reference wrapped with
+          OP_ONCE to make it atomic, so we must space in case this occurs. */
+
+          /* In fact, this can happen for a non-forward reference because
+          another group with the same number might be created later. This
+          issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
+          only mode, we finesse the bug by allowing more memory always. */
+
+          /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
           }
 
         /* In the real compile, search the name table. We check the name
@@ -7323,7 +7348,15 @@ for (;; ptr++)
 
           recno = 0;
           while(IS_DIGIT(*ptr))
+            {
+            if (recno > INT_MAX / 10 - 1) /* Integer overflow */            
+              {                                                             
+              while (IS_DIGIT(*ptr)) ptr++;                                 
+              *errorcodeptr = ERR61;                                        
+              goto FAILED;                                                  
+              }
             recno = recno * 10 + *ptr++ - CHAR_0;
+            } 
 
           if (*ptr != (pcre_uchar)terminator)
             {
diff -urp pcre-8.37.orig/pcre_exec.c pcre-8.37/pcre_exec.c
--- pcre-8.37.orig/pcre_exec.c  2015-04-08 12:59:58.000000000 -0400
+++ pcre-8.37/pcre_exec.c       2015-06-13 15:07:37.584560377 -0400
@@ -6685,7 +6685,8 @@ if (md->offset_vector != NULL)
   register int *iend = iptr - re->top_bracket;
   if (iend < md->offset_vector + 2) iend = md->offset_vector + 2;
   while (--iptr >= iend) *iptr = -1;
-  md->offset_vector[0] = md->offset_vector[1] = -1;
+  if (offsetcount > 0) md->offset_vector[0] = -1;
+  if (offsetcount > 1) md->offset_vector[1] = -1;
   }
 
 /* Set up the first character to match, if available. The first_char value is
diff -urp pcre-8.37.orig/testdata/testinput1 pcre-8.37/testdata/testinput1
--- pcre-8.37.orig/testdata/testinput1  2015-03-29 07:25:15.000000000 -0400
+++ pcre-8.37/testdata/testinput1       2015-06-13 15:10:02.994985765 -0400
@@ -5730,4 +5730,7 @@ AbcdCBefgBhiBqz
 "(?1)(?#?'){8}(a)"
     baaaaaaaaac
 
+"(?|(\k'Pm')|(?'Pm'))"
+    abcd
+
 /-- End of testinput1 --/
diff -urp pcre-8.37.orig/testdata/testinput2 pcre-8.37/testdata/testinput2
--- pcre-8.37.orig/testdata/testinput2  2015-04-13 05:36:15.000000000 -0400
+++ pcre-8.37/testdata/testinput2       2015-06-13 15:08:36.054734708 -0400
@@ -4152,4 +4152,22 @@ backtracking verbs. --/
 
 /((?2){73}(?2))((?1))/
 
+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
+
+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
+
+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
+"(?J)(?'d'(?'d'\g{d}))"
+
+".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
+\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
+
+"(?J:(?|(?'R')(\k'R')|((?'R'))))"
+
+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+
+//
+\O1
+
 /-- End of testinput2 --/
diff -urp pcre-8.37.orig/testdata/testoutput1 pcre-8.37/testdata/testoutput1
--- pcre-8.37.orig/testdata/testoutput1 2015-03-29 07:25:26.000000000 -0400
+++ pcre-8.37/testdata/testoutput1      2015-06-13 15:10:41.015093667 -0400
@@ -9429,4 +9429,9 @@ No match
  0: aaaaaaaaa
  1: a
 
+"(?|(\k'Pm')|(?'Pm'))"
+    abcd
+ 0: 
+ 1: 
+
 /-- End of testinput1 --/
diff -urp pcre-8.37.orig/testdata/testoutput11-16 pcre-8.37/testdata/testoutput11-16
--- pcre-8.37.orig/testdata/testoutput11-16     2015-03-02 12:09:21.000000000 -0500
+++ pcre-8.37/testdata/testoutput11-16  2015-06-13 15:11:07.935169610 -0400
@@ -231,7 +231,7 @@ Memory allocation (code space): 73
 ------------------------------------------------------------------
 
 /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 61
+Memory allocation (code space): 77
 ------------------------------------------------------------------
   0  24 Bra
   2   5 CBra 1
diff -urp pcre-8.37.orig/testdata/testoutput11-32 pcre-8.37/testdata/testoutput11-32
--- pcre-8.37.orig/testdata/testoutput11-32     2015-03-02 12:09:30.000000000 -0500
+++ pcre-8.37/testdata/testoutput11-32  2015-06-13 15:11:25.475218926 -0400
@@ -231,7 +231,7 @@ Memory allocation (code space): 155
 ------------------------------------------------------------------
 
 /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 125
+Memory allocation (code space): 157
 ------------------------------------------------------------------
   0  24 Bra
   2   5 CBra 1
diff -urp pcre-8.37.orig/testdata/testoutput11-8 pcre-8.37/testdata/testoutput11-8
--- pcre-8.37.orig/testdata/testoutput11-8      2015-03-02 12:09:13.000000000 -0500
+++ pcre-8.37/testdata/testoutput11-8   2015-06-13 15:11:41.425263677 -0400
@@ -231,7 +231,7 @@ Memory allocation (code space): 45
 ------------------------------------------------------------------
 
 /(?P<a>a)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 38
+Memory allocation (code space): 50
 ------------------------------------------------------------------
   0  30 Bra
   3   7 CBra 1
diff -urp pcre-8.37.orig/testdata/testoutput2 pcre-8.37/testdata/testoutput2
--- pcre-8.37.orig/testdata/testoutput2 2015-04-13 05:36:27.000000000 -0400
+++ pcre-8.37/testdata/testoutput2      2015-06-13 15:09:30.764893523 -0400
@@ -14423,4 +14423,24 @@ Failed: lookbehind assertion is not fixe
 
 /((?2){73}(?2))((?1))/
 
+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
+
+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
+
+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
+
+"(?J)(?'d'(?'d'\g{d}))"
+
+".*?\h.+.\.+\R*?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
+\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
+
+"(?J:(?|(?'R')(\k'R')|((?'R'))))"
+
+/(?<=|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
+Failed: number is too big at offset 32
+
+//
+\O1
+Matched, but too many substrings
+
 /-- End of testinput2 --/
1	diff -urp pcre-8.37.orig/pcre_compile.c pcre-8.37/pcre_compile.c
2	--- pcre-8.37.orig/pcre_compile.c 2015-04-13 11:54:01.000000000 -0400
3	+++ pcre-8.37/pcre_compile.c 2015-06-13 15:07:21.344510786 -0400
4	@@ -1799,7 +1799,7 @@ for (;;)
5	case OP_ASSERTBACK:
6	case OP_ASSERTBACK_NOT:
7	do cc += GET(cc, 1); while (*cc == OP_ALT);
8	- cc += PRIV(OP_lengths)[*cc];
9	+ cc += 1 + LINK_SIZE;
10	break;
11
12	/* Skip over things that don't match chars */
13	@@ -6769,7 +6769,7 @@ for (;; ptr++)
14	ptr++;
15	}
16	namelen = (int)(ptr - name);
17	- if (lengthptr != NULL) *lengthptr += IMM2_SIZE;
18	+ if (lengthptr != NULL) skipbytes += IMM2_SIZE;
19	}
20
21	/* Check the terminator */
22	@@ -7173,14 +7173,26 @@ for (;; ptr++)
23	number. If the name is not found, set the value to 0 for a forward
24	reference. */
25
26	+ recno = 0;
27	ng = cd->named_groups;
28	for (i = 0; i < cd->names_found; i++, ng++)
29	{
30	if (namelen == ng->length &&
31	STRNCMP_UC_UC(name, ng->name, namelen) == 0)
32	- break;
33	+ {
34	+ open_capitem *oc;
35	+ recno = ng->number;
36	+ if (is_recurse) break;
37	+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
38	+ {
39	+ if (oc->number == recno)
40	+ {
41	+ oc->flag = TRUE;
42	+ break;
43	+ }
44	+ }
45	+ }
46	}
47	- recno = (i < cd->names_found)? ng->number : 0;
48
49	/* Count named back references. */
50
51	@@ -7191,6 +7203,19 @@ for (;; ptr++)
52	16-bit data item. */
53
54	*lengthptr += IMM2_SIZE;
55	+
56	+ /* If this is a forward reference and we are within a (?\|...) group,
57	+ the reference may end up as the number of a group which we are
58	+ currently inside, that is, it could be a recursive reference. In the
59	+ real compile this will be picked up and the reference wrapped with
60	+ OP_ONCE to make it atomic, so we must space in case this occurs. */
61	+
62	+ /* In fact, this can happen for a non-forward reference because
63	+ another group with the same number might be created later. This
64	+ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
65	+ only mode, we finesse the bug by allowing more memory always. */
66	+
67	+ /* if (recno == 0) / lengthptr += 2 + 2*LINK_SIZE;
68	}
69
70	/* In the real compile, search the name table. We check the name
71	@@ -7323,7 +7348,15 @@ for (;; ptr++)
72
73	recno = 0;
74	while(IS_DIGIT(*ptr))
75	+ {
76	+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
77	+ {
78	+ while (IS_DIGIT(*ptr)) ptr++;
79	+ *errorcodeptr = ERR61;
80	+ goto FAILED;
81	+ }
82	recno = recno * 10 + *ptr++ - CHAR_0;
83	+ }
84
85	if (*ptr != (pcre_uchar)terminator)
86	{
87	diff -urp pcre-8.37.orig/pcre_exec.c pcre-8.37/pcre_exec.c
88	--- pcre-8.37.orig/pcre_exec.c 2015-04-08 12:59:58.000000000 -0400
89	+++ pcre-8.37/pcre_exec.c 2015-06-13 15:07:37.584560377 -0400
90	@@ -6685,7 +6685,8 @@ if (md->offset_vector != NULL)
91	register int *iend = iptr - re->top_bracket;
92	if (iend < md->offset_vector + 2) iend = md->offset_vector + 2;
93	while (--iptr >= iend) *iptr = -1;
94	- md->offset_vector[0] = md->offset_vector[1] = -1;
95	+ if (offsetcount > 0) md->offset_vector[0] = -1;
96	+ if (offsetcount > 1) md->offset_vector[1] = -1;
97	}
98
99	/* Set up the first character to match, if available. The first_char value is
100	diff -urp pcre-8.37.orig/testdata/testinput1 pcre-8.37/testdata/testinput1
101	--- pcre-8.37.orig/testdata/testinput1 2015-03-29 07:25:15.000000000 -0400
102	+++ pcre-8.37/testdata/testinput1 2015-06-13 15:10:02.994985765 -0400
103	@@ -5730,4 +5730,7 @@ AbcdCBefgBhiBqz
104	"(?1)(?#?'){8}(a)"
105	baaaaaaaaac
106
107	+"(?\|(\k'Pm')\|(?'Pm'))"
108	+ abcd
109	+
110	/-- End of testinput1 --/
111	diff -urp pcre-8.37.orig/testdata/testinput2 pcre-8.37/testdata/testinput2
112	--- pcre-8.37.orig/testdata/testinput2 2015-04-13 05:36:15.000000000 -0400
113	+++ pcre-8.37/testdata/testinput2 2015-06-13 15:08:36.054734708 -0400
114	@@ -4152,4 +4152,22 @@ backtracking verbs. --/
115
116	/((?2){73}(?2))((?1))/
117
118	+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
119	+
120	+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
121	+
122	+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
123	+
124	+"(?J)(?'d'(?'d'\g{d}))"
125	+
126	+".?\h.+.\.+\R?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
127	+\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
128	+
129	+"(?J:(?\|(?'R')(\k'R')\|((?'R'))))"
130	+
131	+/(?<=\|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
132	+
133	+//
134	+\O1
135	+
136	/-- End of testinput2 --/
137	diff -urp pcre-8.37.orig/testdata/testoutput1 pcre-8.37/testdata/testoutput1
138	--- pcre-8.37.orig/testdata/testoutput1 2015-03-29 07:25:26.000000000 -0400
139	+++ pcre-8.37/testdata/testoutput1 2015-06-13 15:10:41.015093667 -0400
140	@@ -9429,4 +9429,9 @@ No match
141	0: aaaaaaaaa
142	1: a
143
144	+"(?\|(\k'Pm')\|(?'Pm'))"
145	+ abcd
146	+ 0:
147	+ 1:
148	+
149	/-- End of testinput1 --/
150	diff -urp pcre-8.37.orig/testdata/testoutput11-16 pcre-8.37/testdata/testoutput11-16
151	--- pcre-8.37.orig/testdata/testoutput11-16 2015-03-02 12:09:21.000000000 -0500
152	+++ pcre-8.37/testdata/testoutput11-16 2015-06-13 15:11:07.935169610 -0400
153	@@ -231,7 +231,7 @@ Memory allocation (code space): 73
154	------------------------------------------------------------------
155
156	/(?P<a>a)...(?P=a)bbb(?P>a)d/BM
157	-Memory allocation (code space): 61
158	+Memory allocation (code space): 77
159	------------------------------------------------------------------
160	0 24 Bra
161	2 5 CBra 1
162	diff -urp pcre-8.37.orig/testdata/testoutput11-32 pcre-8.37/testdata/testoutput11-32
163	--- pcre-8.37.orig/testdata/testoutput11-32 2015-03-02 12:09:30.000000000 -0500
164	+++ pcre-8.37/testdata/testoutput11-32 2015-06-13 15:11:25.475218926 -0400
165	@@ -231,7 +231,7 @@ Memory allocation (code space): 155
166	------------------------------------------------------------------
167
168	/(?P<a>a)...(?P=a)bbb(?P>a)d/BM
169	-Memory allocation (code space): 125
170	+Memory allocation (code space): 157
171	------------------------------------------------------------------
172	0 24 Bra
173	2 5 CBra 1
174	diff -urp pcre-8.37.orig/testdata/testoutput11-8 pcre-8.37/testdata/testoutput11-8
175	--- pcre-8.37.orig/testdata/testoutput11-8 2015-03-02 12:09:13.000000000 -0500
176	+++ pcre-8.37/testdata/testoutput11-8 2015-06-13 15:11:41.425263677 -0400
177	@@ -231,7 +231,7 @@ Memory allocation (code space): 45
178	------------------------------------------------------------------
179
180	/(?P<a>a)...(?P=a)bbb(?P>a)d/BM
181	-Memory allocation (code space): 38
182	+Memory allocation (code space): 50
183	------------------------------------------------------------------
184	0 30 Bra
185	3 7 CBra 1
186	diff -urp pcre-8.37.orig/testdata/testoutput2 pcre-8.37/testdata/testoutput2
187	--- pcre-8.37.orig/testdata/testoutput2 2015-04-13 05:36:27.000000000 -0400
188	+++ pcre-8.37/testdata/testoutput2 2015-06-13 15:09:30.764893523 -0400
189	@@ -14423,4 +14423,24 @@ Failed: lookbehind assertion is not fixe
190
191	/((?2){73}(?2))((?1))/
192
193	+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
194	+
195	+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
196	+
197	+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
198	+
199	+"(?J)(?'d'(?'d'\g{d}))"
200	+
201	+".?\h.+.\.+\R?\xd(?i)(?=!(?=b`b`b`\`b\xa9b!)`\a`bbbbbbbbbbbbb`bbbbbbbbbbbb*R\x85bbbbbbb\C?{((?2)(?))((
202	+\H){8(?<=(?1){29}\xa8bbbb\x16\xd\xc6^($(?<! )(\xa9H4){4}h}1)B))\x15')"
203	+
204	+"(?J:(?\|(?'R')(\k'R')\|((?'R'))))"
205	+
206	+/(?<=\|(\,\$(?73591620449005828816)\xa8.{7}){6}\x09)/
207	+Failed: number is too big at offset 32
208	+
209	+//
210	+\O1
211	+Matched, but too many substrings
212	+
213	/-- End of testinput2 --/