Revision: 360
http://vcs.pcre.org/viewvc?view=rev&revision=360
Author: ph10
Date: 2008-07-09 21:00:28 +0100 (Wed, 09 Jul 2008)
Log Message:
-----------
Fix CVE-2008-2371 (outer level option with alternatives caused crash).
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/pcre_compile.c
code/trunk/testdata/testinput1
code/trunk/testdata/testoutput1
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2008-07-09 16:20:19 UTC (rev 359)
+++ code/trunk/ChangeLog 2008-07-09 20:00:28 UTC (rev 360)
@@ -41,6 +41,14 @@
10. The PCRE_EXP_DEFN macro which precedes exported functions was missing from
the convenience functions in the pcre_get.c source file.
+
+11. An option change at the start of a pattern that had top-level alternatives
+ could cause overwriting and/or a crash. This command provoked a crash in
+ some environments:
+
+ printf "/(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]/8\n" | pcretest
+
+ This potential security problem was recorded as CVE-2008-2371.
Version 7.7 07-May-08
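Review bot: entry 11 says "could cause overwriting" without saying what is overwritten, and it does not say whether UTF-8 mode is required even though the only reproducer shown uses the /8 modifier. Suggest naming the memory involved and stating whether patterns compiled without /8 are affected, so that someone triaging CVE-2008-2371 from the ChangeLog can tell whether their usage is exposed.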
Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c 2008-07-09 16:20:19 UTC (rev 359)
+++ code/trunk/pcre_compile.c 2008-07-09 20:00:28 UTC (rev 360)
@@ -4920,10 +4920,8 @@
both phases.
If we are not at the pattern start, compile code to change the ims
- options if this setting actually changes any of them. We also pass the
- new setting back so that it can be put at the start of any following
- branches, and when this group ends (if we are in a group), a resetting
- item can be compiled. */
+ options if this setting actually changes any of them, and reset the
+ greedy defaults and the case value for firstbyte and reqbyte. */
if (*ptr == ')')
{
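Review bot: the rewritten comment, "compile code to change the ims options if this setting actually changes any of them, and reset the greedy defaults and the case value for firstbyte and reqbyte", can be read as making the reset conditional on the ims options changing. If the reset is unconditional on this path, as the code in the later hunk suggests, split the sentence in two: one for the conditional OP_OPT emission and one for the reset.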
@@ -4931,7 +4929,6 @@
(lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
{
cd->external_options = newoptions;
- options = newoptions;
}
else
{
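Review bot: after the removal of `options = newoptions;` the pattern-start branch sets only `cd->external_options`, and nothing at this spot says that `options` and `*optionsptr` are now assigned after the if/else for both paths. A one-line comment here to that effect would stop someone from re-adding the local assignment in this branch and reintroducing the split behaviour.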
@@ -4940,17 +4937,17 @@
*code++ = OP_OPT;
*code++ = newoptions & PCRE_IMS;
}
-
- /* Change options at this level, and pass them back for use
- in subsequent branches. Reset the greedy defaults and the case
- value for firstbyte and reqbyte. */
-
- *optionsptr = options = newoptions;
greedy_default = ((newoptions & PCRE_UNGREEDY) != 0);
greedy_non_default = greedy_default ^ 1;
- req_caseopt = ((options & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
+ req_caseopt = ((newoptions & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
}
+ /* Change options at this level, and pass them back for use
+ in subsequent branches. When not at the start of the pattern, this
+ information is also necessary so that a resetting item can be
+ compiled at the end of a group (if we are in a group). */
+
+ *optionsptr = options = newoptions;
previous = NULL; /* This item can't be repeated */
continue; /* It is complete */
}
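Review bot: the greedy_default, greedy_non_default and req_caseopt updates stay in the not-at-pattern-start path only, while `*optionsptr = options = newoptions;` now runs on both paths. Please confirm that the pattern-start path does not need those three values refreshed, or say in the comment where they are set when the option change is at the very start of the pattern. The relocated comment could also state outright that the assignment must happen in the pattern-start case too, since per the ChangeLog entry that is the case that crashed.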
Modified: code/trunk/testdata/testinput1
===================================================================
--- code/trunk/testdata/testinput1 2008-07-09 16:20:19 UTC (rev 359)
+++ code/trunk/testdata/testinput1 2008-07-09 20:00:28 UTC (rev 360)
@@ -4036,4 +4036,6 @@
]
p
+/(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]/8
+
/ End of testinput1 /
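Review bot: the added pattern has no subject lines, so the test exercises compilation only and never checks that (?i) set at the start is applied to the second alternative. Suggest adding a few subjects under the pattern, including one that can match only if the second branch is caseless (for example a lower-case "a" against the `A` in the second class), so that the options passed back to later branches are verified by a match result.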
Modified: code/trunk/testdata/testoutput1
===================================================================
--- code/trunk/testdata/testoutput1 2008-07-09 16:20:19 UTC (rev 359)
+++ code/trunk/testdata/testoutput1 2008-07-09 20:00:28 UTC (rev 360)
@@ -6605,4 +6605,6 @@
p
0: p
+/(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]/8
+
/ End of testinput1 /
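Review bot: the expected output is just the echoed pattern, so this case fails only where the old code actually crashes, and the ChangeLog entry says the crash occurred "in some environments". Suggest making the expected output depend on the compiled pattern (a dump of the compiled code, or match results for subject lines), so that a regression is caught even on platforms where the overwrite does not bring pcretest down.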