Fix a heap overflow when compiling certain expression with named references

2015-08-25 14:29:26 +02:00 · 2015-08-25 14:29:26 +02:00 · 0bdeea6db5
commit 0bdeea6db5
parent 2a7934eb8a
2 changed files with 89 additions and 1 deletions
--- a/pcre-8.37-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch
+++ b/pcre-8.37-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch
@ -0,0 +1,79 @@
+From cf3a19441dc85daf8f91d5b84f42021dc1007251 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Fri, 21 Aug 2015 16:08:33 +0000
+Subject: [PATCH] Hack in yet other patch for a bug in size computation that is
+ fixed "properly" in PCRE2.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Upstream commit ported to 8.37:
+
+commit f25903ade90a9177cf1175eb48fb36e500b3cca4
+Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date:   Fri Aug 21 16:08:33 2015 +0000
+
+    Hack in yet other patch for a bug in size computation that is fixed "properly"
+    in PCRE2.
+
+    git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1594 2f5784b3-3f2a-0410-8824-cb99058d5e15
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ pcre_compile.c       | 5 ++---
+ testdata/testinput2  | 2 ++
+ testdata/testoutput2 | 2 ++
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 5fe5c1d..681d2a1 100644
+--- a/pcre_compile.c
+++ b/pcre_compile.c
+@@ -7200,7 +7200,7 @@ for (;; ptr++)
+           encountered. In that case, we allow yet more memory, just in case. 
+           (Again, this is fixed "properly" in PCRE2. */
+           
+-          if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE;
+          if (cd->dupgroups) *lengthptr += 4 + 4*LINK_SIZE;
+ 
+           /* Otherwise, check for recursion here. The name table does not exist
+           in the first pass; instead we must scan the list of names encountered
+@@ -9403,7 +9403,7 @@ used in this code because at least one compiler gives a warning about loss of
+ "const" attribute if the cast (pcre_uchar *)codestart is used directly in the
+ function call. */
+ 
+-if ((options & PCRE_NO_AUTO_POSSESS) == 0)
+if (errorcode == 0 && (options & PCRE_NO_AUTO_POSSESS) == 0)
+   {
+   pcre_uchar *temp = (pcre_uchar *)codestart;
+   auto_possessify(temp, utf, cd);
+@@ -9630,4 +9630,3 @@ return (pcre32 *)re;
+ }
+ 
+ /* End of pcre_compile.c */
+-
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 8e044f8..feca135 100644
+--- a/testdata/testinput2
+++ b/testdata/testinput2
+@@ -4160,4 +4160,6 @@ backtracking verbs. --/
+ 
+ /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/
+ 
+/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/
+
+ /-- End of testinput2 --/
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index 6019425..3b06f85 100644
+--- a/testdata/testoutput2
+++ b/testdata/testoutput2
+@@ -14432,4 +14432,6 @@ Failed: unmatched parentheses at offset 23
+ 
+ /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/
+ 
+/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/
+
+ /-- End of testinput2 --/
+-- 
+2.4.3
+
--- a/pcre.spec
+++ b/pcre.spec
@ -2,7 +2,7 @@
 #%%global rcversion RC1
 Name: pcre
 Version: 8.37
-Release: %{?rcversion:0.}3%{?rcversion:.%rcversion}%{?dist}
+Release: %{?rcversion:0.}4%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary: Perl-compatible regular expression library
 Group: System Environment/Libraries
@ -45,6 +45,10 @@ Patch5: pcre-8.37-Fix-another-buffer-overflow.patch
 # <https://bugs.exim.org/show_bug.cgi?id=1667>, bug #1250946,
 # in upstream after 8.37
 Patch6: pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch
+# Fix a heap overflow when compiling certain expression with named references,
+# <https://bugs.exim.org/show_bug.cgi?id=1672>, bug #1256452,
+# in upstream after 8.37
+Patch7: pcre-8.37-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch
 BuildRequires: readline-devel
 # New libtool to get rid of rpath
 BuildRequires: autoconf, automake, libtool
@ -91,6 +95,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
 # Because of rpath patch
 libtoolize --copy --force && autoreconf -vif
 # One contributor's name is non-UTF-8
@ -161,6 +166,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcretest.*

 %changelog
+* Tue Aug 25 2015 Petr Pisar <ppisar@redhat.com> - 8.37-4
+- Fix a heap overflow when compiling certain expression with named references
+  (bug #1256452)
+
 * Thu Aug 06 2015 Petr Pisar <ppisar@redhat.com> - 8.37-3
 - Fix a buffer overflow with duplicated named groups with a reference between
  their definition, with a group that reset capture numbers