Fix possible crash in pcre_copy_named_substring() if a named substring has number greater than the space in the ovector

2015-12-07 09:16:58 +01:00 · 2015-12-07 09:16:58 +01:00 · 208e1de173
commit 208e1de173
parent 438035079e
2 changed files with 109 additions and 1 deletions
--- a/pcre-8.38-Fix-copy-named-substring-bug.patch
+++ b/pcre-8.38-Fix-copy-named-substring-bug.patch
@ -0,0 +1,99 @@
+From db1fb68feddc9afe6f8822d099fa9ff25e3ea8e7 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Sat, 5 Dec 2015 16:30:14 +0000
+Subject: [PATCH] Fix copy named substring bug.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1618 2f5784b3-3f2a-0410-8824-cb99058d5e15
+
+Petr Písař: Ported to 8.38.
+diff --git a/pcre_get.c b/pcre_get.c
+index 8094b34..41eda9c 100644
+--- a/pcre_get.c
+++ b/pcre_get.c
+@@ -250,6 +250,7 @@ Arguments:
+   code         the compiled regex
+   stringname   the name of the capturing substring
+   ovector      the vector of matched substrings
+  stringcount  number of captured substrings 
+ 
+ Returns:       the number of the first that is set,
+                or the number of the last one if none are set,
+@@ -258,13 +259,16 @@ Returns:       the number of the first that is set,
+ 
+ #if defined COMPILE_PCRE8
+ static int
+-get_first_set(const pcre *code, const char *stringname, int *ovector)
+get_first_set(const pcre *code, const char *stringname, int *ovector,
+  int stringcount)
+ #elif defined COMPILE_PCRE16
+ static int
+-get_first_set(const pcre16 *code, PCRE_SPTR16 stringname, int *ovector)
+get_first_set(const pcre16 *code, PCRE_SPTR16 stringname, int *ovector,
+  int stringcount)
+ #elif defined COMPILE_PCRE32
+ static int
+-get_first_set(const pcre32 *code, PCRE_SPTR32 stringname, int *ovector)
+get_first_set(const pcre32 *code, PCRE_SPTR32 stringname, int *ovector,
+  int stringcount)
+ #endif
+ {
+ const REAL_PCRE *re = (const REAL_PCRE *)code;
+@@ -295,7 +299,7 @@ if (entrysize <= 0) return entrysize;
+ for (entry = (pcre_uchar *)first; entry <= (pcre_uchar *)last; entry += entrysize)
+   {
+   int n = GET2(entry, 0);
+-  if (ovector[n*2] >= 0) return n;
+  if (n < stringcount && ovector[n*2] >= 0) return n;
+   }
+ return GET2(entry, 0);
+ }
+@@ -402,7 +406,7 @@ pcre32_copy_named_substring(const pcre32 *code, PCRE_SPTR32 subject,
+   PCRE_UCHAR32 *buffer, int size)
+ #endif
+ {
+-int n = get_first_set(code, stringname, ovector);
+int n = get_first_set(code, stringname, ovector, stringcount);
+ if (n <= 0) return n;
+ #if defined COMPILE_PCRE8
+ return pcre_copy_substring(subject, ovector, stringcount, n, buffer, size);
+@@ -619,7 +623,7 @@ pcre32_get_named_substring(const pcre32 *code, PCRE_SPTR32 subject,
+   PCRE_SPTR32 *stringptr)
+ #endif
+ {
+-int n = get_first_set(code, stringname, ovector);
+int n = get_first_set(code, stringname, ovector, stringcount);
+ if (n <= 0) return n;
+ #if defined COMPILE_PCRE8
+ return pcre_get_substring(subject, ovector, stringcount, n, stringptr);
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 3a1134f..00ffe32 100644
+--- a/testdata/testinput2
+++ b/testdata/testinput2
+@@ -4229,4 +4229,7 @@ backtracking verbs. --/
+ 
+ /()\Q\E*]/BCZ
+ 
+/(?<A>)(?J:(?<B>)(?<B>))(?<C>)/
+    \O\CC
+
+ /-- End of testinput2 --/
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index 6c42897..ffb4466 100644
+--- a/testdata/testoutput2
+++ b/testdata/testoutput2
+@@ -14639,4 +14639,9 @@ No match
+         End
+ ------------------------------------------------------------------
+ 
+/(?<A>)(?J:(?<B>)(?<B>))(?<C>)/
+    \O\CC
+Matched, but too many substrings
+copy substring C failed -7
+
+ /-- End of testinput2 --/
+-- 
+2.4.3
+
--- a/pcre.spec
+++ b/pcre.spec
@ -2,7 +2,7 @@
 #%%global rcversion RC1
 Name:       pcre
 Version:    8.38
-Release:    %{?rcversion:0.}4%{?rcversion:.%rcversion}%{?dist}
+Release:    %{?rcversion:0.}5%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 Group:      System Environment/Libraries
@ -55,6 +55,10 @@ Patch7:     pcre-8.38-Fix-Q-E-before-qualifier-bug-when-auto-callouts-are-.patch
 # local no-extended option at the start of the expression just after
 # a whitespace, in upstream after 8.38
 Patch8:     pcre-8.38-Fix-x-bug-when-pattern-starts-with-white-space-and-x.patch
+# Fix possible crash in pcre_copy_named_substring() if a named substring has
+# number greater than the space in the ovector, upstream bug #1741,
+# in fixed in upstream after 8.38
+Patch9:     pcre-8.38-Fix-copy-named-substring-bug.patch
 BuildRequires:  readline-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -112,6 +116,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 # Because of rpath patch
 libtoolize --copy --force
 autoreconf -vif
@ -183,6 +188,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcretest.*

 %changelog
+* Mon Dec 07 2015 Petr Pisar <ppisar@redhat.com> - 8.38-5
+- Fix possible crash in pcre_copy_named_substring() if a named substring has
+  number greater than the space in the ovector (upstream bug #1741)
+
 * Fri Dec 04 2015 Petr Pisar <ppisar@redhat.com> - 8.38-4
 - Fix compiling expressions with global extended modifier that is disabled by
  local no-extended option at the start of the expression just after