FreeBSD Bugzilla – Attachment 159718 Details for
Bug 202209
devel/pcre: Heap Overflow Vulnerability (CVE TBD)
[patch]
pcre-8.37_3.patch
pcre-8.37_3.patch (text/plain), 5.98 KB, created by
Jason Unovitch
on 2015-08-10 01:15:21 UTC
Description:
pcre-8.37_3.patch
Filename:
MIME Type:
Creator:
Jason Unovitch
Created:
2015-08-10 01:15:21 UTC
Size:
5.98 KB
patch
obsolete
>Index: Makefile
>===================================================================
>--- Makefile (revision 393831)
>+++ Makefile (working copy)
>@@ -3,7 +3,7 @@
>
> PORTNAME= pcre
> PORTVERSION= 8.37
>-PORTREVISION= 2
>+PORTREVISION= 3
> CATEGORIES= devel
> MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTVERSION} \
> ftp://ftp.csx.cam.ac.uk/pub/software/programming/${PORTNAME}/ \
>Index: files/patch-r1585-buffer-overflow
>===================================================================
>--- files/patch-r1585-buffer-overflow (revision 0)
>+++ files/patch-r1585-buffer-overflow (working copy)
>@@ -0,0 +1,139 @@
>+Index: pcre_internal.h
>+===================================================================
>+--- pcre_internal.h (revision 1584)
>++++ pcre_internal.h (revision 1585)
>+@@ -2454,6 +2454,7 @@
>+ BOOL had_pruneorskip; /* (*PRUNE) or (*SKIP) encountered */
>+ BOOL check_lookbehind; /* Lookbehinds need later checking */
>+ BOOL dupnames; /* Duplicate names exist */
>++ BOOL dupgroups; /* Duplicate groups exist: (?| found */
>+ BOOL iscondassert; /* Next assert is a condition */
>+ int nltype; /* Newline type */
>+ int nllen; /* Newline string length */
>+Index: pcre_compile.c
>+===================================================================
>+--- pcre_compile.c (revision 1584)
>++++ pcre_compile.c (revision 1585)
>+@@ -6668,6 +6668,7 @@
>+ /* ------------------------------------------------------------ */
>+ case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */
>+ reset_bracount = TRUE;
>++ cd->dupgroups = TRUE; /* Record (?| encountered */
>+ /* Fall through */
>+
>+ /* ------------------------------------------------------------ */
>+@@ -7178,7 +7179,8 @@
>+ if (lengthptr != NULL)
>+ {
>+ named_group *ng;
>+-
>++ recno = 0;
>++
>+ if (namelen == 0)
>+ {
>+ *errorcodeptr = ERR62;
>+@@ -7195,32 +7197,6 @@
>+ goto FAILED;
>+ }
>+
>+- /* The name table does not exist in the first pass; instead we must
>+- scan the list of names encountered so far in order to get the
>+- number. If the name is not found, set the value to 0 for a forward
>+- reference. */
>+-
>+- recno = 0;
>+- ng = cd->named_groups;
>+- for (i = 0; i < cd->names_found; i++, ng++)
>+- {
>+- if (namelen == ng->length &&
>+- STRNCMP_UC_UC(name, ng->name, namelen) == 0)
>+- {
>+- open_capitem *oc;
>+- recno = ng->number;
>+- if (is_recurse) break;
>+- for (oc = cd->open_caps; oc != NULL; oc = oc->next)
>+- {
>+- if (oc->number == recno)
>+- {
>+- oc->flag = TRUE;
>+- break;
>+- }
>+- }
>+- }
>+- }
>+-
>+ /* Count named back references. */
>+
>+ if (!is_recurse) cd->namedrefcount++;
>+@@ -7242,7 +7218,44 @@
>+ issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
>+ only mode, we finesse the bug by allowing more memory always. */
>+
>+- /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
>++ *lengthptr += 2 + 2*LINK_SIZE;
>++
>++ /* It is even worse than that. The current reference may be to an
>++ existing named group with a different number (so apparently not
>++ recursive) but which later on is also attached to a group with the
>++ current number. This can only happen if $(| has been previous
>++ encountered. In that case, we allow yet more memory, just in case.
>++ (Again, this is fixed "properly" in PCRE2. */
>++
>++ if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE;
>++
>++ /* Otherwise, check for recursion here. The name table does not exist
>++ in the first pass; instead we must scan the list of names encountered
>++ so far in order to get the number. If the name is not found, leave
>++ the value of recno as 0 for a forward reference. */
>++
>++ else
>++ {
>++ ng = cd->named_groups;
>++ for (i = 0; i < cd->names_found; i++, ng++)
>++ {
>++ if (namelen == ng->length &&
>++ STRNCMP_UC_UC(name, ng->name, namelen) == 0)
>++ {
>++ open_capitem *oc;
>++ recno = ng->number;
>++ if (is_recurse) break;
>++ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
>++ {
>++ if (oc->number == recno)
>++ {
>++ oc->flag = TRUE;
>++ break;
>++ }
>++ }
>++ }
>++ }
>++ }
>+ }
>+
>+ /* In the real compile, search the name table. We check the name
>+@@ -7289,8 +7302,6 @@
>+ for (i++; i < cd->names_found; i++)
>+ {
>+ if (STRCMP_UC_UC(slot + IMM2_SIZE, cslot + IMM2_SIZE) != 0) break;
>+-
>+-
>+ count++;
>+ cslot += cd->name_entry_size;
>+ }
>+@@ -9239,6 +9250,7 @@
>+ cd->name_entry_size = 0;
>+ cd->name_table = NULL;
>+ cd->dupnames = FALSE;
>++cd->dupgroups = FALSE;
>+ cd->namedrefcount = 0;
>+ cd->start_code = cworkspace;
>+ cd->hwm = cworkspace;
>+@@ -9273,7 +9285,7 @@
>+
>+ DPRINTF(("end pre-compile: length=%d workspace=%d\n", length,
>+ (int)(cd->hwm - cworkspace)));
>+-
>++
>+ if (length > MAX_PATTERN_SIZE)
>+ {
>+ errorcode = ERR20;
>
>Property changes on: files/patch-r1585-buffer-overflow
>___________________________________________________________________
>Added: svn:mime-type
>## -0,0 +1 ##
>+text/plain
>\ No newline at end of property
>Added: fbsd:nokeywords
>## -0,0 +1 ##
>+yes
>\ No newline at end of property
>Added: svn:eol-style
>## -0,0 +1 ##
>+native
>\ No newline at end of property
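Review bot: The new file files/patch-r1585-buffer-overflow starts straight at `Index: pcre_internal.h` with no header stating where the change comes from or why it is carried, so the next person updating the port has to rediscover that before deciding whether it can be dropped. A one-line preamble ahead of the first `Index:` line such as `Backport of upstream PCRE svn r1585 for bug 202209 (heap overflow in the pre-compile length pass, CVE TBD); remove once the port moves past 8.37.` would make that traceable, and patch(1) ignores text before the file headers. The header could also record what the embedded upstream comment already admits, that the fix works by granting extra `lengthptr` headroom whenever `cd->dupgroups` is set rather than by computing the exact length, so a later CVE reference or upstream follow-up can be attached to it. The comment in the pcre_compile.c hunk reads `$(| has been previous encountered` where `(?|` and "previously" appear to be meant and the closing parenthesis after `PCRE2.` is missing; since this file mirrors upstream r1585 verbatim, those are better reported upstream than edited here, where they would make the local copy diverge.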