path: root/package/pcre/0003-fix-CVE-2016-1283.patch
Diffstat (limited to 'package/pcre/0003-fix-CVE-2016-1283.patch')
-rw-r--r-- package/pcre/0003-fix-CVE-2016-1283.patch | 44
1 files changed, 44 insertions, 0 deletions
diff --git a/package/pcre/0003-fix-CVE-2016-1283.patch b/package/pcre/0003-fix-CVE-2016-1283.patch
new file mode 100644
index 0000000000..8a4349c519
--- /dev/null
+++ b/package/pcre/0003-fix-CVE-2016-1283.patch
@@ -0,0 +1,44 @@
+From b7537308b7c758f33c347cb0bec62754c43c271f Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Sat, 27 Feb 2016 17:38:11 +0000
+Subject: [PATCH] Yet another duplicate name bugfix by overestimating the
+ memory needed (i.e. another hack - PCRE2 has this "properly" fixed).
+
+git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1636 2f5784b3-3f2a-0410-8824-cb99058d5e15
+
+Signed-off-by: Gustavo Zacarias <gustavo.zacarias@free-electrons.com>
+---
+ ChangeLog | 7 +++++++
+ pcre_compile.c | 7 ++++++-
+ testdata/testinput2 | 2 ++
+ testdata/testoutput2 | 2 ++
+ 4 files changed, 17 insertions(+), 1 deletion(-)
+
+14. And yet another buffer overflow bug involving duplicate named groups, this
+ time nested, with a nested back reference. Yet again, I have just allowed
+ for more memory, because anything more needs all the refactoring that has
+ been done for PCRE2. An example pattern that provoked this bug is:
+ /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was
+ registered as CVE-2016-1283.
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 5019854..4ffea0c 100644
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -7311,7 +7311,12 @@ for (;; ptr++)
+ so far in order to get the number. If the name is not found, leave
+ the value of recno as 0 for a forward reference. */
+
+- else
++ /* This patch (removing "else") fixes a problem when a reference is
++ to multiple identically named nested groups from within the nest.
++ Once again, it is not the "proper" fix, and it results in an
++ over-allocation of memory. */
++
++ /* else */
+ {
+ ng = cd->named_groups;
+ for (i = 0; i < cd->names_found; i++, ng++)
+--
+2.7.4
+
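Review bot: the patch header's diffstat (ChangeLog, pcre_compile.c, testdata/testinput2, testdata/testoutput2; 17 insertions, 1 deletion) does not match the body, which carries only the pcre_compile.c hunk plus a ChangeLog fragment ("14. And yet another buffer overflow bug ...") that has no `diff --git` or `@@` header, so `patch` will treat that fragment as leading garbage and ignore it, and the testdata changes are simply absent; if dropping the test and ChangeLog hunks was deliberate for Buildroot, trim the diffstat to match so the header is not misleading. On the code hunk itself, the change comments out the `else` in front of the named-group lookup so that block now runs unconditionally; the in-line comment is explicit that this over-allocates memory rather than fixing the root cause ("not the 'proper' fix"), so it would help to state in the Buildroot-side description that this is the upstream r1636 workaround for CVE-2016-1283, not the PCRE2-style refactor, so a later bump does not silently drop it.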