From 7a8c5efada4bd9e9b625b041184299d4aff06bd5 Mon Sep 17 00:00:00 2001
From: ph10
Date: Sun, 8 Feb 2015 16:43:13 +0000
Subject: [PATCH 1/3] Fix duplicate names memory calculation error.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ported to 8.32:
commit 46465068f53358d3ae6cca4d9db8d1ed3b9f1928
Author: ph10
Date: Sun Feb 8 16:43:13 2015 +0000
Fix duplicate names memory calculation error.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1521 2f5784b3-3f2a-0410-8824-cb99058d5e15
Signed-off-by: Petr Písař
XXX: Complete fix requires:
commit b9a4e4087ac610792118c6dc7c8e83ab313da1ed
Author: ph10
Date: Tue Sep 3 10:10:59 2013 +0000
Refactor the code for creating the name/number table.
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1359 2f5784b3-3f2a-0410-8824- cb99058d5e15
Otherwise the CVE-2015-8385 is fixed by `Fix buffer overflow for named references in (?| situations' patch.
Signed-off-by: Petr Písař
---
 pcre_compile.c | 6 ++++++
 testdata/testinput2 | 2 ++
 testdata/testoutput11-16 | 2 +-
 testdata/testoutput11-32 | 2 +-
 testdata/testoutput11-8 | 2 +-
 testdata/testoutput2 | 2 ++
 6 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/pcre_compile.c b/pcre_compile.c
index 86cd0c8..4506e56 100644
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -6294,6 +6294,12 @@ for (;; ptr++)
 (options & PCRE_EXTENDED) != 0, utf);
 cd->end_pattern = temp;
 if (recno < 0) recno = 0; /* Forward ref; set dummy number */
+
+ /* We have to allow for a named reference to a duplicated name (this cannot be determined until the second pass). This needs an extra 16-bit data item. */
+
+ *lengthptr += IMM2_SIZE;
 }
 
 /* In the real compile, seek the name in the table. We check the name
diff --git a/testdata/testinput2 b/testdata/testinput2
index e6d0e87..53c4718 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
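Review bot: The added `*lengthptr += IMM2_SIZE;` reserves space for every named reference in the pre-compile pass, whether or not the name turns out to be duplicated, so the figure this arm produces is an upper bound rather than an exact size, and the comment should say so: this branch (its enclosing `if`/`else` starts and ends outside the hunk) exists only to size the buffer the second pass writes into, and an under-estimate here is exactly the overflow the commit message ties to CVE-2015-8385. The phrase "an extra 16-bit data item" is also misleading for the 32-bit library: the testoutput11 deltas (+4 bytes in the 8- and 16-bit outputs, +8 in testoutput11-32, each for two references) indicate the reserved item costs one full code unit in the 16- and 32-bit builds and two in the 8-bit build, i.e. IMM2_SIZE units, not a fixed 16 bits. I would write `/* ... This needs one extra IMM2_SIZE item (a 16-bit value stored in IMM2_SIZE code units). Reserving it for every named reference over-estimates when the name is unique, which is safe. */`. Since the message itself marks the fix as incomplete without commit b9a4e4087ac610792118c6dc7c8e83ab313da1ed, the comment could also name that dependency so a reader of this backport knows why the reserved space may not yet be consumed.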
@@ -3818,4 +3818,6 @@ settings of the anchored and startline bits. --/
 /(((a\2)|(a*)\g<-1>))*a?/BZ
+/(?(?J)(?1(111111)11|)1|1|)(?()1)/
+
 /-- End of testinput2 --/
diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16
index de64e37..4115877 100644
--- a/testdata/testoutput11-16
+++ b/testdata/testoutput11-16
@@ -232,7 +232,7 @@ Memory allocation (code space): 73
 ------------------------------------------------------------------
 /(?Pa)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 57
+Memory allocation (code space): 61
 ------------------------------------------------------------------
 0 24 Bra
 2 5 CBra 1
diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32
index 0d32e2f..3f66acd 100644
--- a/testdata/testoutput11-32
+++ b/testdata/testoutput11-32
@@ -232,7 +232,7 @@ Memory allocation (code space): 155
 ------------------------------------------------------------------
 /(?Pa)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 117
+Memory allocation (code space): 125
 ------------------------------------------------------------------
 0 24 Bra
 2 5 CBra 1
diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8
index 9447fb6..27e2c65 100644
--- a/testdata/testoutput11-8
+++ b/testdata/testoutput11-8
@@ -232,7 +232,7 @@ Memory allocation (code space): 45
 ------------------------------------------------------------------
 /(?Pa)...(?P=a)bbb(?P>a)d/BM
-Memory allocation (code space): 34
+Memory allocation (code space): 38
 ------------------------------------------------------------------
 0 30 Bra
 3 7 CBra 1
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index 2a2b577..b0b46d7 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -12515,4 +12515,6 @@ No match
 End
 ------------------------------------------------------------------
+/(?(?J)(?1(111111)11|)1|1|)(?()1)/
+
 /-- End of testinput2 --/
-- 
2.5.5