| 1 | https://bugs.exim.org/show_bug.cgi?id=1651 |
| 2 | https://bugs.gentoo.org/553300 |
| 3 | https://bugzilla.redhat.com/1237224 |
| 4 | |
| 5 | From 354e1f8e921dcb9cf2f3a5eac93cd826d01a7d8a Mon Sep 17 00:00:00 2001 |
| 6 | From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> |
| 7 | Date: Tue, 23 Jun 2015 16:34:53 +0000 |
| 8 | Subject: [PATCH] Fix buffer overflow for forward reference within backward |
| 9 | assertion with excess closing parenthesis. Bugzilla 1651. |
| 10 | MIME-Version: 1.0 |
| 11 | Content-Type: text/plain; charset=UTF-8 |
| 12 | Content-Transfer-Encoding: 8bit |
| 13 | |
| 14 | This is upstream commit ported to 8.37: |
| 15 | |
| 16 | commit 764692f9aea9eab50fdba6cb537441d8b34c6c37 |
| 17 | Author: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15> |
| 18 | Date: Tue Jun 23 16:34:53 2015 +0000 |
| 19 | |
| 20 | Fix buffer overflow for forward reference within backward assertion with excess |
| 21 | closing parenthesis. Bugzilla 1651. |
| 22 | |
| 23 | git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15 |
| 24 | |
| 25 | It fixes CVE-2015-5073. |
| 26 | |
| 27 | Signed-off-by: Petr Písař <ppisar@redhat.com> |
| 28 | --- |
| 29 | pcre_compile.c | 2 +- |
| 30 | testdata/testinput2 | 2 ++ |
| 31 | testdata/testoutput2 | 3 +++ |
| 32 | 3 files changed, 6 insertions(+), 1 deletion(-) |
| 33 | |
| 34 | diff --git a/pcre_compile.c b/pcre_compile.c |
| 35 | index 6f06912..b66b1f6 100644 |
| 36 | --- a/pcre_compile.c |
| 37 | +++ b/pcre_compile.c |
| 38 | @@ -9392,7 +9392,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The |
| 39 | exceptional ones forgo this. We scan the pattern to check that they are fixed |
| 40 | length, and set their lengths. */ |
| 41 | |
| 42 | -if (cd->check_lookbehind) |
| 43 | +if (errorcode == 0 && cd->check_lookbehind) |
| 44 | { |
| 45 | pcre_uchar *cc = (pcre_uchar *)codestart; |
| 46 | |
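Review bot: The added `errorcode == 0 &&` at line 43 is the entire fix, yet the comment block that ends at `set their lengths. */` still only describes the fixed-length scan and says nothing about why it must be skipped once an error is pending, so a later cleanup could plausibly drop the guard as redundant. Suggest extending that comment with `If an error has already been recorded, the compiled code may be incomplete, so this scan is skipped rather than walking a buffer that was never fully written (Bugzilla 1651).` The regression test added in testinput2/testoutput2 pins the unmatched-parentheses case, which is good; the enclosing function begins and ends outside this hunk, so whether any other consumer of `cd->check_lookbehind` runs after a failed compile cannot be confirmed from here.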
| 47 | diff --git a/testdata/testinput2 b/testdata/testinput2 |
| 48 | index 83bb471..5cc9ce6 100644 |
| 49 | --- a/testdata/testinput2 |
| 50 | +++ b/testdata/testinput2 |
| 51 | @@ -4154,4 +4154,6 @@ backtracking verbs. --/ |
| 52 | |
| 53 | "(?J)(?'d'(?'d'\g{d}))" |
| 54 | |
| 55 | +/(?=di(?<=(?1))|(?=(.))))/ |
| 56 | + |
| 57 | /-- End of testinput2 --/ |
| 58 | diff --git a/testdata/testoutput2 b/testdata/testoutput2 |
| 59 | index 7dff52a..4decb8d 100644 |
| 60 | --- a/testdata/testoutput2 |
| 61 | +++ b/testdata/testoutput2 |
| 62 | @@ -14425,4 +14425,7 @@ Failed: lookbehind assertion is not fixed length at offset 17 |
| 63 | |
| 64 | "(?J)(?'d'(?'d'\g{d}))" |
| 65 | |
| 66 | +/(?=di(?<=(?1))|(?=(.))))/ |
| 67 | +Failed: unmatched parentheses at offset 23 |
| 68 | + |
| 69 | /-- End of testinput2 --/ |
| 70 | -- |
| 71 | 2.4.3 |
| 72 | |