aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/pcre2-CVE-2016-3191.patch
blob: 80f9d3d4f14ef2563d86ce0f0125f31a5500ad78 (about) (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
Fixes CVE-2016-3191 (remote execution of arbitrary code or denial of
service (stack-based buffer overflow) via a crafted regular expression).

See <https://bugzilla.redhat.com/show_bug.cgi?id=1311503>.

This is svn r489 at <svn://vcs.exim.org/pcre2/code>, omitting the
changes to 'testdata/testoutput8-16-4', which does not exist in the
source tarball.

git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@489 6239d852-aaf2-0410-a92c-79f79f948069
---
 ChangeLog                 |  4 ++++
 src/pcre2_compile.c       | 16 ++++++++++++++--
 testdata/testinput8       |  2 ++
 testdata/testoutput8-16-2 |  3 +++
 testdata/testoutput8-16-3 |  3 +++
 testdata/testoutput8-16-4 |  3 +++
 testdata/testoutput8-32-2 |  3 +++
 testdata/testoutput8-32-3 |  3 +++
 testdata/testoutput8-32-4 |  3 +++
 testdata/testoutput8-8-2  |  3 +++
 testdata/testoutput8-8-3  |  3 +++
 testdata/testoutput8-8-4  |  3 +++
 12 files changed, 47 insertions(+), 2 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 3ce0207..65e333e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -58,6 +58,10 @@ some head-scratching the next time this happens.
 assertion, caused pcre2test to output a very large number of spaces when the 
 callout was taken, making the program appearing to loop.
 
+12. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply 
+nested set of parentheses of sufficient size caused an overflow of the 
+compiling workspace (which was diagnosed, but of course is not desirable).
+
 
 Version 10.21 12-January-2016
 -----------------------------
diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
index e33d620..887fbfd 100644
--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
@@ -5901,10 +5901,22 @@ for (;; ptr++)
               goto FAILED;
               }
             cb->had_accept = TRUE;
+            
+            /* In the first pass, just accumulate the length required;
+            otherwise hitting (*ACCEPT) inside many nested parentheses can
+            cause workspace overflow. */
+              
             for (oc = cb->open_caps; oc != NULL; oc = oc->next)
               {
-              *code++ = OP_CLOSE;
-              PUT2INC(code, 0, oc->number);
+              if (lengthptr != NULL)
+                {
+                *lengthptr += CU2BYTES(1) + IMM2_SIZE; 
+                }
+              else
+                {       
+                *code++ = OP_CLOSE;
+                PUT2INC(code, 0, oc->number);
+                } 
               }
             setverb = *code++ =
               (cb->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
diff --git a/testdata/testinput8 b/testdata/testinput8
index ca3b1b9..7e2a1f0 100644
--- a/testdata/testinput8
+++ b/testdata/testinput8
@@ -182,4 +182,6 @@
 
 /((?1)(?2)(?3)(?4)(?5)(?6)(?7)(?8)(?9)(?9)(?8)(?7)(?6)(?5)(?4)(?3)(?2)(?1)(?0)){2,}()()()()()()()()()/debug
 
+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
+
 # End of testinput8
diff --git a/testdata/testoutput8-16-2 b/testdata/testoutput8-16-2
index 05669bb..a5e8dec 100644
--- a/testdata/testoutput8-16-2
+++ b/testdata/testoutput8-16-2
@@ -1027,4 +1027,7 @@ Capturing subpattern count = 10
 May match empty string
 Subject length lower bound = 0
 
+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
+Failed: error 186 at offset 490: regular expression is too complicated
+
 # End of testinput8
diff --git a/testdata/testoutput8-16-3 b/testdata/testoutput8-16-3
index 31884e1..36133b3 100644
--- a/testdata/testoutput8-16-3
+++ b/testdata/testoutput8-16-3
@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
 May match empty string
 Subject length lower bound = 0
 
+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
+Failed: error 114 at offset 509: missing closing parenthesis
+
 # End of testinput8
diff --git a/testdata/testoutput8-32-2 b/testdata/testoutput8-32-2
index babd0c7..99c4fad 100644
--- a/testdata/testoutput8-32-2
+++ b/testdata/testoutput8-32-2
@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
 May match empty string
 Subject length lower bound = 0
 
+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
+Failed: error 114 at offset 509: missing closing parenthesis
+
 # End of testinput8
diff --git a/testdata/testoutput8-32-3 b/testdata/testoutput8-32-3
index babd0c7..99c4fad 100644
--- a/testdata/testoutput8-32-3
+++ b/testdata/testoutput8-32-3
@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
 May match empty string
 Subject length lower bound = 0
 
+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
+Failed: error 114 at offset 509: missing closing parenthesis
+
 # End of testinput8
diff --git a/testdata/testoutput8-32-4 b/testdata/testoutput8-32-4
index babd0c7..99c4fad 100644
--- a/testdata/testoutput8-32-4
+++ b/testdata/testoutput8-32-4
@@ -1023,4 +1023,7 @@ Capturing subpattern count = 10
 May match empty string
 Subject length lower bound = 0
 
+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
+Failed: error 114 at offset 509: missing closing parenthesis
+
 # End of testinput8
diff --git a/testdata/testoutput8-8-2 b/testdata/testoutput8-8-2
index 6a9aa0a..6dc1f42 100644
--- a/testdata/testoutput8-8-2
+++ b/testdata/testoutput8-8-2
@@ -1026,4 +1026,7 @@ Capturing subpattern count = 10
 May match empty string
 Subject length lower bound = 0
 
+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
+Failed: error 114 at offset 509: missing closing parenthesis
+
 # End of testinput8
diff --git a/testdata/testoutput8-8-3 b/testdata/testoutput8-8-3
index 2fe1168..ae14946 100644
--- a/testdata/testoutput8-8-3
+++ b/testdata/testoutput8-8-3
@@ -1024,4 +1024,7 @@ Capturing subpattern count = 10
 May match empty string
 Subject length lower bound = 0
 
+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
+Failed: error 114 at offset 509: missing closing parenthesis
+
 # End of testinput8
diff --git a/testdata/testoutput8-8-4 b/testdata/testoutput8-8-4
index 91993b2..6c79956 100644
--- a/testdata/testoutput8-8-4
+++ b/testdata/testoutput8-8-4
@@ -1022,4 +1022,7 @@ Capturing subpattern count = 10
 May match empty string
 Subject length lower bound = 0
 
+/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
+Failed: error 114 at offset 509: missing closing parenthesis
+
 # End of testinput8
-- 
2.8.3