| From b7537308b7c758f33c347cb0bec62754c43c271f Mon Sep 17 00:00:00 2001 |
| From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> |
| Date: Sat, 27 Feb 2016 17:38:11 +0000 |
| Subject: [PATCH] Yet another duplicate name bugfix by overestimating the |
| memory needed (i.e. another hack - PCRE2 has this "properly" fixed). |
| |
| git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1636 2f5784b3-3f2a-0410-8824-cb99058d5e15 |
| --- |
| ChangeLog | 7 +++++++ |
| pcre_compile.c | 7 ++++++- |
| testdata/testinput2 | 2 ++ |
| testdata/testoutput2 | 2 ++ |
| 4 files changed, 17 insertions(+), 1 deletion(-) |
| |
| 14. And yet another buffer overflow bug involving duplicate named groups, this |
| time nested, with a nested back reference. Yet again, I have just allowed |
| for more memory, because anything more needs all the refactoring that has |
| been done for PCRE2. An example pattern that provoked this bug is: |
| /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was |
| registered as CVE-2016-1283. |
| |
| diff --git a/pcre_compile.c b/pcre_compile.c |
| index 5019854..4ffea0c 100644 |
| --- a/pcre_compile.c |
| +++ b/pcre_compile.c |
| @@ -7311,7 +7311,12 @@ for (;; ptr++) |
| so far in order to get the number. If the name is not found, leave |
| the value of recno as 0 for a forward reference. */ |
| |
| - else |
| + /* This patch (removing "else") fixes a problem when a reference is |
| + to multiple identically named nested groups from within the nest. |
| + Once again, it is not the "proper" fix, and it results in an |
| + over-allocation of memory. */ |
| + |
| + /* else */ |
| { |
| ng = cd->named_groups; |
| for (i = 0; i < cd->names_found; i++, ng++) |
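Review bot: The commented-out `/* else */` left in place below the new explanatory comment is dead code; the comment already records that the `else` was removed on purpose, so the token should be deleted outright rather than kept as something a later cleanup might reinstate. The comment should also name the regression it guards, so the over-allocation is not "optimised" away by a future reader, e.g. `/* The "else" was deliberately removed: the name lookup must also run when the preceding branch matched, otherwise the memory estimate for nested identically named groups with a back reference inside the nest comes out too small (CVE-2016-1283; ChangeLog item 14, regression test in testinput2). */`. The preceding `if` branch and the enclosing `for (;; ptr++)` loop both lie outside the hunk, so what that branch computes when the lookup is skipped cannot be confirmed from here; the behavioural wording above is inferred from the commit message and ChangeLog, not from the visible lines.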
| -- |
| 2.7.4 |
| |