From 880090304888bfcd1a1b45af7e694b0170e41a96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Thu, 29 Oct 2015 16:53:30 +0100
Subject: [PATCH] 8.38-RC1 bump
---
 .gitignore | 1 +
 pcre-8.37-Fix-another-buffer-overflow.patch | 110 ----------
 ...low-for-forward-reference-within-bac.patch | 68 -------
 ...low-for-named-recursive-back-referen.patch | 87 --------
 ...low-for-named-references-in-situatio.patch | 190 ------------------
 ...compile-bug-for-classes-like-W-p-Any.patch | 91 ---------
 ...d-reference-to-duplicate-group-numbe.patch | 98 ---------
 ...r-patch-for-a-bug-in-size-computatio.patch | 79 --------
 pcre.spec | 89 ++++----
 sources | 2 +-
 10 files changed, 39 insertions(+), 776 deletions(-)
 delete mode 100644 pcre-8.37-Fix-another-buffer-overflow.patch
 delete mode 100644 pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch
 delete mode 100644 pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch
 delete mode 100644 pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch
 delete mode 100644 pcre-8.37-Fix-compile-bug-for-classes-like-W-p-Any.patch
 delete mode 100644 pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch
 delete mode 100644 pcre-8.37-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch
diff --git a/.gitignore b/.gitignore
index abfb4d8..c64f947 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,4 @@ pcre-8.10.tar.bz2
 /pcre-8.36.tar.bz2
 /pcre-8.37-RC1.tar.bz2
 /pcre-8.37.tar.bz2
+/pcre-8.38-RC1.tar.bz2
diff --git a/pcre-8.37-Fix-another-buffer-overflow.patch b/pcre-8.37-Fix-another-buffer-overflow.patch
deleted file mode 100644
index 20ead09..0000000
--- a/pcre-8.37-Fix-another-buffer-overflow.patch
+++ /dev/null
@@ -1,110 +0,0 @@ -From f6efcf125123199d446c5561266c3c3846ed9f30 Mon Sep 17 00:00:00 2001 -From: ph10 -Date: Wed, 3 Jun 2015 16:51:59 +0000 -Subject: [PATCH] Fix another buffer overflow. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Ported to 8.37: - -commit 225f0d5eb16c7a26591a1e3f286c7476907b5a6a -Author: ph10 -Date: Wed Jun 3 16:51:59 2015 +0000 - - Fix another buffer overflow. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1562 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -Signed-off-by: Petr Písař ---- - pcre_compile.c | 7 ++++++- - testdata/testinput2 | 2 ++ - testdata/testoutput11-16 | 2 +- - testdata/testoutput11-32 | 2 +- - testdata/testoutput11-8 | 2 +- - testdata/testoutput2 | 2 ++ - 6 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index 8b4aaef..f5d2384 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -7210,7 +7210,12 @@ for (;; ptr++) - real compile this will be picked up and the reference wrapped with - OP_ONCE to make it atomic, so we must space in case this occurs. */ - -- if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE; -+ /* In fact, this can happen for a non-forward reference because -+ another group with the same number might be created later. This -+ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance -+ only mode, we finesse the bug by allowing more memory always. */ -+ -+ /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE; - } - - /* In the real compile, search the name table. We check the name -diff --git a/testdata/testinput2 b/testdata/testinput2 -index 5cc9ce6..e12de3a 100644 ---- a/testdata/testinput2 -+++ b/testdata/testinput2 -@@ -4156,4 +4156,6 @@ backtracking verbs. 
--/ - - /(?=di(?<=(?1))|(?=(.))))/ - -+"(?J:(?|(?'R')(\k'R')|((?'R'))))" -+ - /-- End of testinput2 --/ -diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 -index 422f2ad..e222e7c 100644 ---- a/testdata/testoutput11-16 -+++ b/testdata/testoutput11-16 -@@ -231,7 +231,7 @@ Memory allocation (code space): 73 - ------------------------------------------------------------------ - - /(?Pa)...(?P=a)bbb(?P>a)d/BM --Memory allocation (code space): 61 -+Memory allocation (code space): 77 - ------------------------------------------------------------------ - 0 24 Bra - 2 5 CBra 1 -diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 -index d953ec8..9a80ec9 100644 ---- a/testdata/testoutput11-32 -+++ b/testdata/testoutput11-32 -@@ -231,7 +231,7 @@ Memory allocation (code space): 155 - ------------------------------------------------------------------ - - /(?Pa)...(?P=a)bbb(?P>a)d/BM --Memory allocation (code space): 125 -+Memory allocation (code space): 157 - ------------------------------------------------------------------ - 0 24 Bra - 2 5 CBra 1 -diff --git a/testdata/testoutput11-8 b/testdata/testoutput11-8 -index 6ec18ec..3adaca2 100644 ---- a/testdata/testoutput11-8 -+++ b/testdata/testoutput11-8 -@@ -231,7 +231,7 @@ Memory allocation (code space): 45 - ------------------------------------------------------------------ - - /(?Pa)...(?P=a)bbb(?P>a)d/BM --Memory allocation (code space): 38 -+Memory allocation (code space): 50 - ------------------------------------------------------------------ - 0 30 Bra - 3 7 CBra 1 -diff --git a/testdata/testoutput2 b/testdata/testoutput2 -index 4decb8d..5bad26c 100644 ---- a/testdata/testoutput2 -+++ b/testdata/testoutput2 -@@ -14428,4 +14428,6 @@ Failed: lookbehind assertion is not fixed length at offset 17 - /(?=di(?<=(?1))|(?=(.))))/ - Failed: unmatched parentheses at offset 23 - -+"(?J:(?|(?'R')(\k'R')|((?'R'))))" -+ - /-- End of testinput2 --/ --- -2.4.3 - 
diff --git a/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch b/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch
deleted file mode 100644
index 16fd45c..0000000
--- a/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch
+++ /dev/null
@@ -1,68 +0,0 @@ -From 354e1f8e921dcb9cf2f3a5eac93cd826d01a7d8a Mon Sep 17 00:00:00 2001 -From: ph10 -Date: Tue, 23 Jun 2015 16:34:53 +0000 -Subject: [PATCH] Fix buffer overflow for forward reference within backward - assertion with excess closing parenthesis. Bugzilla 1651. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -This is upstream commit ported to 8.37: - -commit 764692f9aea9eab50fdba6cb537441d8b34c6c37 -Author: ph10 -Date: Tue Jun 23 16:34:53 2015 +0000 - - Fix buffer overflow for forward reference within backward assertion with excess - closing parenthesis. Bugzilla 1651. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -It fixes CVE-2015-5073. - -Signed-off-by: Petr Písař ---- - pcre_compile.c | 2 +- - testdata/testinput2 | 2 ++ - testdata/testoutput2 | 3 +++ - 3 files changed, 6 insertions(+), 1 deletion(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index 6f06912..b66b1f6 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -9392,7 +9392,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The - exceptional ones forgo this. We scan the pattern to check that they are fixed - length, and set their lengths. */ - --if (cd->check_lookbehind) -+if (errorcode == 0 && cd->check_lookbehind) - { - pcre_uchar *cc = (pcre_uchar *)codestart; - -diff --git a/testdata/testinput2 b/testdata/testinput2 -index 83bb471..5cc9ce6 100644 ---- a/testdata/testinput2 -+++ b/testdata/testinput2 -@@ -4154,4 +4154,6 @@ backtracking verbs. 
--/ - - "(?J)(?'d'(?'d'\g{d}))" - -+/(?=di(?<=(?1))|(?=(.))))/ -+ - /-- End of testinput2 --/ -diff --git a/testdata/testoutput2 b/testdata/testoutput2 -index 7dff52a..4decb8d 100644 ---- a/testdata/testoutput2 -+++ b/testdata/testoutput2 -@@ -14425,4 +14425,7 @@ Failed: lookbehind assertion is not fixed length at offset 17 - - "(?J)(?'d'(?'d'\g{d}))" - -+/(?=di(?<=(?1))|(?=(.))))/ -+Failed: unmatched parentheses at offset 23 -+ - /-- End of testinput2 --/ --- -2.4.3 - diff --git a/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch b/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch deleted file mode 100644 index c97849f..0000000 --- a/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch +++ /dev/null 
@@ -1,87 +0,0 @@ -From 68ff1beb43bb3d4d8838f3285c97023d1e50513a Mon Sep 17 00:00:00 2001 -From: ph10 -Date: Fri, 15 May 2015 17:17:03 +0000 -Subject: [PATCH] Fix buffer overflow for named recursive back reference when - the name is duplicated. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Upstream commit ported to pcre-8.37: - -commit 4b79af6b4cbeb5326ae5e4d83f3e935e00286c19 -Author: ph10 -Date: Fri May 15 17:17:03 2015 +0000 - - Fix buffer overflow for named recursive back reference when the name is - duplicated. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1558 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -This fixes CVE-2015-3210. - -Signed-off-by: Petr Písař ---- - pcre_compile.c | 16 ++++++++++++++-- - testdata/testinput2 | 2 ++ - testdata/testoutput2 | 2 ++ - 3 files changed, 18 insertions(+), 2 deletions(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index 0efad26..6f06912 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -7173,14 +7173,26 @@ for (;; ptr++) - number. If the name is not found, set the value to 0 for a forward - reference. */ - -+ recno = 0; - ng = cd->named_groups; - for (i = 0; i < cd->names_found; i++, ng++) - { - if (namelen == ng->length && - STRNCMP_UC_UC(name, ng->name, namelen) == 0) -- break; -+ { -+ open_capitem *oc; -+ recno = ng->number; -+ if (is_recurse) break; -+ for (oc = cd->open_caps; oc != NULL; oc = oc->next) -+ { -+ if (oc->number == recno) -+ { -+ oc->flag = TRUE; -+ break; -+ } -+ } -+ } - } -- recno = (i < cd->names_found)? ng->number : 0; - - /* Count named back references. */ - -diff --git a/testdata/testinput2 b/testdata/testinput2 -index 58fe53b..83bb471 100644 ---- a/testdata/testinput2 -+++ b/testdata/testinput2 -@@ -4152,4 +4152,6 @@ backtracking verbs. 
--/ - - /((?2){73}(?2))((?1))/ - -+"(?J)(?'d'(?'d'\g{d}))" -+ - /-- End of testinput2 --/ -diff --git a/testdata/testoutput2 b/testdata/testoutput2 -index b718df0..7dff52a 100644 ---- a/testdata/testoutput2 -+++ b/testdata/testoutput2 -@@ -14423,4 +14423,6 @@ Failed: lookbehind assertion is not fixed length at offset 17 - - /((?2){73}(?2))((?1))/ - -+"(?J)(?'d'(?'d'\g{d}))" -+ - /-- End of testinput2 --/ --- -2.4.3 - diff --git a/pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch b/pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch deleted file mode 100644 index ab1b962..0000000 --- a/pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch +++ /dev/null 
@@ -1,190 +0,0 @@ -From b3f0b0dd971314df8f865e221aa1a88e75d6d1a6 Mon Sep 17 00:00:00 2001 -From: ph10 -Date: Wed, 5 Aug 2015 15:38:32 +0000 -Subject: [PATCH] Fix buffer overflow for named references in (?| situations. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Ported for 8.37: - -commit 7af8e8717def179fd7b69e173abd347c1a3547cb -Author: ph10 -Date: Wed Aug 5 15:38:32 2015 +0000 - - Fix buffer overflow for named references in (?| situations. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1585 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -Signed-off-by: Petr Písař ---- - pcre_compile.c | 74 ++++++++++++++++++++++++++++++---------------------- - pcre_internal.h | 1 + - testdata/testinput2 | 2 ++ - testdata/testoutput2 | 2 ++ - 4 files changed, 48 insertions(+), 31 deletions(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index f5d2384..5fe5c1d 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -6641,6 +6641,7 @@ for (;; ptr++) - /* ------------------------------------------------------------ */ - case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */ - reset_bracount = TRUE; -+ cd->dupgroups = TRUE; /* Record (?| encountered */ - /* Fall through */ - - /* ------------------------------------------------------------ */ -@@ -7151,7 +7152,8 @@ for (;; ptr++) - if (lengthptr != NULL) - { - named_group *ng; -- -+ recno = 0; -+ - if (namelen == 0) - { - *errorcodeptr = ERR62; -@@ -7168,32 +7170,6 @@ for (;; ptr++) - goto FAILED; - } - -- /* The name table does not exist in the first pass; instead we must -- scan the list of names encountered so far in order to get the -- number. If the name is not found, set the value to 0 for a forward -- reference. 
*/ -- -- recno = 0; -- ng = cd->named_groups; -- for (i = 0; i < cd->names_found; i++, ng++) -- { -- if (namelen == ng->length && -- STRNCMP_UC_UC(name, ng->name, namelen) == 0) -- { -- open_capitem *oc; -- recno = ng->number; -- if (is_recurse) break; -- for (oc = cd->open_caps; oc != NULL; oc = oc->next) -- { -- if (oc->number == recno) -- { -- oc->flag = TRUE; -- break; -- } -- } -- } -- } -- - /* Count named back references. */ - - if (!is_recurse) cd->namedrefcount++; -@@ -7215,7 +7191,44 @@ for (;; ptr++) - issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance - only mode, we finesse the bug by allowing more memory always. */ - -- /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE; -+ *lengthptr += 2 + 2*LINK_SIZE; -+ -+ /* It is even worse than that. The current reference may be to an -+ existing named group with a different number (so apparently not -+ recursive) but which later on is also attached to a group with the -+ current number. This can only happen if $(| has been previous -+ encountered. In that case, we allow yet more memory, just in case. -+ (Again, this is fixed "properly" in PCRE2. */ -+ -+ if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE; -+ -+ /* Otherwise, check for recursion here. The name table does not exist -+ in the first pass; instead we must scan the list of names encountered -+ so far in order to get the number. If the name is not found, leave -+ the value of recno as 0 for a forward reference. */ -+ -+ else -+ { -+ ng = cd->named_groups; -+ for (i = 0; i < cd->names_found; i++, ng++) -+ { -+ if (namelen == ng->length && -+ STRNCMP_UC_UC(name, ng->name, namelen) == 0) -+ { -+ open_capitem *oc; -+ recno = ng->number; -+ if (is_recurse) break; -+ for (oc = cd->open_caps; oc != NULL; oc = oc->next) -+ { -+ if (oc->number == recno) -+ { -+ oc->flag = TRUE; -+ break; -+ } -+ } -+ } -+ } -+ } - } - - /* In the real compile, search the name table. 
We check the name -@@ -7262,8 +7275,6 @@ for (;; ptr++) - for (i++; i < cd->names_found; i++) - { - if (STRCMP_UC_UC(slot + IMM2_SIZE, cslot + IMM2_SIZE) != 0) break; -- -- - count++; - cslot += cd->name_entry_size; - } -@@ -9189,6 +9200,7 @@ cd->names_found = 0; - cd->name_entry_size = 0; - cd->name_table = NULL; - cd->dupnames = FALSE; -+cd->dupgroups = FALSE; - cd->namedrefcount = 0; - cd->start_code = cworkspace; - cd->hwm = cworkspace; -@@ -9223,7 +9235,7 @@ if (errorcode != 0) goto PCRE_EARLY_ERROR_RETURN; - - DPRINTF(("end pre-compile: length=%d workspace=%d\n", length, - (int)(cd->hwm - cworkspace))); -- -+ - if (length > MAX_PATTERN_SIZE) - { - errorcode = ERR20; -diff --git a/pcre_internal.h b/pcre_internal.h -index dd0ac7f..7ca6020 100644 ---- a/pcre_internal.h -+++ b/pcre_internal.h -@@ -2446,6 +2446,7 @@ typedef struct compile_data { - BOOL had_pruneorskip; /* (*PRUNE) or (*SKIP) encountered */ - BOOL check_lookbehind; /* Lookbehinds need later checking */ - BOOL dupnames; /* Duplicate names exist */ -+ BOOL dupgroups; /* Duplicate groups exist: (?| found */ - BOOL iscondassert; /* Next assert is a condition */ - int nltype; /* Newline type */ - int nllen; /* Newline string length */ -diff --git a/testdata/testinput2 b/testdata/testinput2 -index e12de3a..8e044f8 100644 ---- a/testdata/testinput2 -+++ b/testdata/testinput2 -@@ -4158,4 +4158,6 @@ backtracking verbs. --/ - - "(?J:(?|(?'R')(\k'R')|((?'R'))))" - -+/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ -+ - /-- End of testinput2 --/ -diff --git a/testdata/testoutput2 b/testdata/testoutput2 -index 5bad26c..6019425 100644 ---- a/testdata/testoutput2 -+++ b/testdata/testoutput2 -@@ -14430,4 +14430,6 @@ Failed: unmatched parentheses at offset 23 - - "(?J:(?|(?'R')(\k'R')|((?'R'))))" - -+/(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ -+ - /-- End of testinput2 --/ --- -2.4.3 - 
diff --git a/pcre-8.37-Fix-compile-bug-for-classes-like-W-p-Any.patch b/pcre-8.37-Fix-compile-bug-for-classes-like-W-p-Any.patch
deleted file mode 100644
index b30e055..0000000
--- a/pcre-8.37-Fix-compile-bug-for-classes-like-W-p-Any.patch
+++ /dev/null
@@ -1,91 +0,0 @@ -From 7b67e393f64afd69c48e585d3e4291d7d1b3a0f5 Mon Sep 17 00:00:00 2001 -From: ph10 -Date: Fri, 9 Oct 2015 16:11:18 +0000 -Subject: [PATCH] Fix compile bug for classes like [\W\p{Any}]. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1601 2f5784b3-3f2a-0410-8824-cb99058d5e15 -Signed-off-by: Petr Písař - -Petr Pisar: Ported to 8.37. ---- - pcre_compile.c | 5 +++-- - testdata/testinput5 | 9 +++++++++ - testdata/testoutput5 | 26 ++++++++++++++++++++++++++ - 4 files changed, 42 insertions(+), 2 deletions(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index 191330a..f8ce576 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -5512,9 +5512,10 @@ for (;; ptr++) - actual compiled code. */ - - #ifdef SUPPORT_UTF -- if (xclass && (!should_flip_negation || (options & PCRE_UCP) != 0)) -+ if (xclass && (xclass_has_prop || !should_flip_negation || -+ (options & PCRE_UCP) != 0)) - #elif !defined COMPILE_PCRE8 -- if (xclass && !should_flip_negation) -+ if (xclass && (xclass_has_prop || !should_flip_negation)) - #endif - #if defined SUPPORT_UTF || !defined COMPILE_PCRE8 - { -diff --git a/testdata/testinput5 b/testdata/testinput5 -index 28561a9..c825ca2 100644 ---- a/testdata/testinput5 -+++ b/testdata/testinput5 -@@ -798,4 +798,13 @@ - /(?<=\K\x{17f})/8G+ - \x{17f}\x{17f}\x{17f}\x{17f}\x{17f} - -+/[\W\p{Any}]/BZ -+ abc -+ 123 -+ -+/[\W\pL]/BZ -+ abc -+ ** Failers -+ 123 -+ - /-- End of testinput5 --/ -diff --git a/testdata/testoutput5 b/testdata/testoutput5 -index bab989c..42e5e16 100644 ---- a/testdata/testoutput5 -+++ b/testdata/testoutput5 -@@ -1942,4 +1942,30 @@ Need char = 'z' - 0: \x{17f} - 0+ - -+/[\W\p{Any}]/BZ -+------------------------------------------------------------------ -+ Bra -+ [\x00-/:-@[-^`{-\xff\p{Any}] -+ Ket -+ End -+------------------------------------------------------------------ -+ abc -+ 0: a -+ 123 -+ 0: 1 -+ -+/[\W\pL]/BZ 
-+------------------------------------------------------------------ -+ Bra -+ [\x00-/:-@[-^`{-\xff\p{L}] -+ Ket -+ End -+------------------------------------------------------------------ -+ abc -+ 0: a -+ ** Failers -+ 0: * -+ 123 -+No match -+ - /-- End of testinput5 --/ --- -2.4.3 - diff --git a/pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch b/pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch deleted file mode 100644 index 837e86f..0000000 --- a/pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From 83ed574998fe7b844b98ab7cd56291068feb9e31 Mon Sep 17 00:00:00 2001 -From: ph10 -Date: Sat, 16 May 2015 11:05:40 +0000 -Subject: [PATCH] Fix named forward reference to duplicate group number - overflow bug. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Port to 8.37: - -commit 2fa78aa4e42bcebf2d616c4ee89c012f29dc3447 -Author: ph10 -Date: Sat May 16 11:05:40 2015 +0000 - - Fix named forward reference to duplicate group number overflow bug. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1559 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -Signed-off-by: Petr Písař ---- - pcre_compile.c | 24 ++++++++++++++++-------- - testdata/testinput1 | 3 +++ - testdata/testoutput1 | 5 +++++ - 3 files changed, 24 insertions(+), 8 deletions(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index b66b1f6..8b4aaef 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -7183,15 +7183,15 @@ for (;; ptr++) - open_capitem *oc; - recno = ng->number; - if (is_recurse) break; -- for (oc = cd->open_caps; oc != NULL; oc = oc->next) -- { -- if (oc->number == recno) -- { -- oc->flag = TRUE; -+ for (oc = cd->open_caps; oc != NULL; oc = oc->next) -+ { -+ if (oc->number == recno) -+ { -+ oc->flag = TRUE; - break; -- } -- } -- } -+ } -+ } -+ } - } - - /* Count named back references. */ -@@ -7203,6 +7203,14 @@ for (;; ptr++) - 16-bit data item. */ - - *lengthptr += IMM2_SIZE; -+ -+ /* If this is a forward reference and we are within a (?|...) group, -+ the reference may end up as the number of a group which we are -+ currently inside, that is, it could be a recursive reference. In the -+ real compile this will be picked up and the reference wrapped with -+ OP_ONCE to make it atomic, so we must space in case this occurs. */ -+ -+ if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE; - } - - /* In the real compile, search the name table. 
We check the name -diff --git a/testdata/testinput1 b/testdata/testinput1 -index 73c2f4d..8379ce0 100644 ---- a/testdata/testinput1 -+++ b/testdata/testinput1 -@@ -5730,4 +5730,7 @@ AbcdCBefgBhiBqz - "(?1)(?#?'){8}(a)" - baaaaaaaaac - -+"(?|(\k'Pm')|(?'Pm'))" -+ abcd -+ - /-- End of testinput1 --/ -diff --git a/testdata/testoutput1 b/testdata/testoutput1 -index 0a53fd0..e852ab9 100644 ---- a/testdata/testoutput1 -+++ b/testdata/testoutput1 -@@ -9429,4 +9429,9 @@ No match - 0: aaaaaaaaa - 1: a - -+"(?|(\k'Pm')|(?'Pm'))" -+ abcd -+ 0: -+ 1: -+ - /-- End of testinput1 --/ --- -2.4.3 - diff --git a/pcre-8.37-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch b/pcre-8.37-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch deleted file mode 100644 index 6c0e385..0000000 --- a/pcre-8.37-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From cf3a19441dc85daf8f91d5b84f42021dc1007251 Mon Sep 17 00:00:00 2001 -From: ph10 -Date: Fri, 21 Aug 2015 16:08:33 +0000 -Subject: [PATCH] Hack in yet other patch for a bug in size computation that is - fixed "properly" in PCRE2. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Upstream commit ported to 8.37: - -commit f25903ade90a9177cf1175eb48fb36e500b3cca4 -Author: ph10 -Date: Fri Aug 21 16:08:33 2015 +0000 - - Hack in yet other patch for a bug in size computation that is fixed "properly" - in PCRE2. - - git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1594 2f5784b3-3f2a-0410-8824-cb99058d5e15 - -Signed-off-by: Petr Písař ---- - pcre_compile.c | 5 ++--- - testdata/testinput2 | 2 ++ - testdata/testoutput2 | 2 ++ - 3 files changed, 6 insertions(+), 3 deletions(-) - -diff --git a/pcre_compile.c b/pcre_compile.c -index 5fe5c1d..681d2a1 100644 ---- a/pcre_compile.c -+++ b/pcre_compile.c -@@ -7200,7 +7200,7 @@ for (;; ptr++) - encountered. In that case, we allow yet more memory, just in case. - (Again, this is fixed "properly" in PCRE2. */ - -- if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE; -+ if (cd->dupgroups) *lengthptr += 4 + 4*LINK_SIZE; - - /* Otherwise, check for recursion here. The name table does not exist - in the first pass; instead we must scan the list of names encountered -@@ -9403,7 +9403,7 @@ used in this code because at least one compiler gives a warning about loss of - "const" attribute if the cast (pcre_uchar *)codestart is used directly in the - function call. 
*/ - --if ((options & PCRE_NO_AUTO_POSSESS) == 0) -+if (errorcode == 0 && (options & PCRE_NO_AUTO_POSSESS) == 0) - { - pcre_uchar *temp = (pcre_uchar *)codestart; - auto_possessify(temp, utf, cd); -@@ -9630,4 +9630,3 @@ return (pcre32 *)re; - } - - /* End of pcre_compile.c */ -- -diff --git a/testdata/testinput2 b/testdata/testinput2 -index 8e044f8..feca135 100644 ---- a/testdata/testinput2 -+++ b/testdata/testinput2 -@@ -4160,4 +4160,6 @@ backtracking verbs. --/ - - /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ - -+/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/ -+ - /-- End of testinput2 --/ -diff --git a/testdata/testoutput2 b/testdata/testoutput2 -index 6019425..3b06f85 100644 ---- a/testdata/testoutput2 -+++ b/testdata/testoutput2 -@@ -14432,4 +14432,6 @@ Failed: unmatched parentheses at offset 23 - - /(?J:(?|(:(?|(?'R')(\k'R')|((?'R')))H'Rk'Rf)|s(?'R')))/ - -+/(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/ -+ - /-- End of testinput2 --/ --- -2.4.3 - diff --git a/pcre.spec b/pcre.spec index 1810dac..497f1e8 100644 --- a/pcre.spec +++ b/pcre.spec @@ -1,11 +1,11 @@ # Is this a stable/testing release: -#%%global rcversion RC1 -Name: pcre -Version: 8.37 -Release: %{?rcversion:0.}5%{?rcversion:.%rcversion}%{?dist} +%global rcversion RC1 +Name: pcre +Version: 8.38 +Release: %{?rcversion:0.}1%{?rcversion:.%rcversion}%{?dist} %global myversion %{version}%{?rcversion:-%rcversion} -Summary: Perl-compatible regular expression library -Group: System Environment/Libraries +Summary: Perl-compatible regular expression library +Group: System Environment/Libraries ## Source package only: # ltmain.sh: (GPLv2+ or BSD) and GPLv3+ # missing: GPLv2+ or BSD 
@@ -24,37 +24,25 @@ Group: System Environment/Libraries # testdata: Public Domain (see LICENSE file) ## Binary packages: # other files: BSD -License: BSD -URL: http://www.pcre.org/ -Source: ftp://ftp.csx.cam.ac.uk/pub/software/programming/%{name}/%{?rcversion:Testing/}%{name}-%{myversion}.tar.bz2 +License: BSD +URL: http://www.pcre.org/ +Source: ftp://ftp.csx.cam.ac.uk/pub/software/programming/%{name}/%{?rcversion:Testing/}%{name}-%{myversion}.tar.bz2 # Upstream thinks RPATH is good idea. -Patch0: pcre-8.21-multilib.patch +Patch0: pcre-8.21-multilib.patch # Refused by upstream, bug #675477 -Patch1: pcre-8.32-refused_spelling_terminated.patch -# Fix CVE-2015-3210, bug #1236659 -Patch2: pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch -# Fix CVE-2015-5073, bug #1237224 -Patch3: pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch -# Needed for Fix-buffer-overflow-for-named-references-in-situatio.patch, -# in upstream after 8.37 -Patch4: pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch -# Needed for Fix-buffer-overflow-for-named-references-in-situatio.patch, -# in upstream after 8.37 -Patch5: pcre-8.37-Fix-another-buffer-overflow.patch -# Fix a buffer overflow with duplicated named groups and an occurrence of "(?|", -# , bug #1250946, -# in upstream after 8.37 -Patch6: pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch -# Fix a heap overflow when compiling certain expression with named references, -# , bug #1256452, -# in upstream after 8.37 -Patch7: pcre-8.37-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch -# Fix compiling classes with a negative escape and a property escape, -# upstream bug #1697, fixed in upstream after 8.37. 
-Patch8: pcre-8.37-Fix-compile-bug-for-classes-like-W-p-Any.patch -BuildRequires: readline-devel -# New libtool to get rid of rpath -BuildRequires: autoconf, automake, libtool +Patch1: pcre-8.32-refused_spelling_terminated.patch +BuildRequires: readline-devel +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: coreutils +BuildRequires: gcc +BuildRequires: glibc-common +BuildRequires: libtool +# perl not used because config.h.generic is pregenerated +# Tests: +BuildRequires: bash +BuildRequires: diffutils +BuildRequires: grep %description Perl-compatible regular expression library. @@ -65,25 +53,25 @@ themselves still follow Perl syntax and semantics. The header file for the POSIX-style functions is called pcreposix.h. %package devel -Summary: Development files for %{name} -Group: Development/Libraries -Requires: %{name}%{?_isa} = %{version}-%{release} +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} %description devel Development files (Headers, libraries for dynamic linking, etc) for %{name}. %package static -Summary: Static library for %{name} -Group: Development/Libraries -Requires: %{name}-devel%{_isa} = %{version}-%{release} +Summary: Static library for %{name} +Group: Development/Libraries +Requires: %{name}-devel%{_isa} = %{version}-%{release} %description static Library for static linking for %{name}. %package tools -Summary: Auxiliary utilities for %{name} -Group: Development/Tools -Requires: %{name}%{_isa} = %{version}-%{release} +Summary: Auxiliary utilities for %{name} +Group: Development/Tools +Requires: %{name}%{_isa} = %{version}-%{release} %description tools Utilities demonstrating PCRE capabilities like pcregrep or pcretest. 
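Review bot: Nothing in this commit authenticates the new 8.38-RC1 tarball: the re-aligned `Source:` line in the `@@ -24,37 +24,25 @@` hunk of pcre.spec still fetches it over plain `ftp://`, and the only integrity pin visible here is the 32-hex-digit value in `sources`, which appears to be an MD5 digest. That pin detects a changed download but does not tie the archive to upstream, which matters more now that the locally carried overflow fixes are dropped in favour of whatever the archive contains. If upstream publishes a detached signature for the release, I would carry it and the upstream public key as additional `Source` entries and verify the archive at the start of `%prep`, before `%patch0`. At minimum, add a comment above `Source:` stating how the tarball was verified when it was uploaded.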
@@ -93,15 +81,9 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest. # Get rid of rpath %patch0 -p1 -b .multilib %patch1 -p1 -b .terminated_typos -%patch2 -p1 -b .CVE-2015-3210 -%patch3 -p1 -b .CVE-2015-5073 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 # Because of rpath patch -libtoolize --copy --force && autoreconf -vif +libtoolize --copy --force +autoreconf -vif # One contributor's name is non-UTF-8 for F in ChangeLog; do iconv -f latin1 -t utf8 "$F" >"${F}.utf8" @@ -170,6 +152,9 @@ make %{?_smp_mflags} check VERBOSE=yes %{_mandir}/man1/pcretest.* %changelog +* Thu Oct 29 2015 Petr Pisar - 8.38-0.1.RC1 +- 8.38-RC1 bump + * Mon Oct 12 2015 Petr Pisar - 8.37-5 - Fix compiling classes with a negative escape and a property escape (upstream bug #1697) diff --git a/sources b/sources index 9a8ab79..2e060a4 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -ed91be292cb01d21bc7e526816c26981 pcre-8.37.tar.bz2 +553ae88ac9e125564e9fb443a5f17ca3 pcre-8.38-RC1.tar.bz2
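Review bot: After the `%prep` hunk (`@@ -93,15 +81,9 @@`) removes `%patch2 -p1 -b .CVE-2015-3210` and `%patch3 -p1 -b .CVE-2015-5073`, and the `@@ -24,37 +24,25 @@` hunk removes the matching `Patch2`–`Patch8` tags and their bug references, the new spec no longer mentions either CVE, and the added changelog entry says only `- 8.38-RC1 bump`. The deleted patch files describe themselves as upstream trunk commits ported to 8.37, so 8.38-RC1 presumably contains them, but that cannot be confirmed from this diff. I would record it where auditors and advisory tooling look, e.g. `- 8.38-RC1 bump; fixes for CVE-2015-3210 and CVE-2015-5073 now come from the upstream tarball`. `%prep` begins outside the hunk.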