[Pcre-svn] [1636] code/trunk: Yet another duplicate name bug…

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
 
 
Delete this message
Author: Subversion repository
Date:  
To: pcre-svn
Subject: [Pcre-svn] [1636] code/trunk: Yet another duplicate name bugfix by overestimating the memory needed ( i.e.
Revision: 1636
          http://vcs.pcre.org/viewvc?view=rev&revision=1636
Author:   ph10
Date:     2016-02-27 17:38:11 +0000 (Sat, 27 Feb 2016)
Log Message:
-----------
Yet another duplicate name bugfix by overestimating the memory needed (i.e. 
another hack - PCRE2 has this "properly" fixed).


Modified Paths:
--------------
    code/trunk/ChangeLog
    code/trunk/pcre_compile.c
    code/trunk/testdata/testinput2
    code/trunk/testdata/testoutput2


Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog    2016-02-24 10:05:35 UTC (rev 1635)
+++ code/trunk/ChangeLog    2016-02-27 17:38:11 UTC (rev 1636)
@@ -53,6 +53,13 @@
 13. A pattern that included (*ACCEPT) in the middle of a sufficiently deeply
     nested set of parentheses of sufficient size caused an overflow of the
     compiling workspace (which was diagnosed, but of course is not desirable).
+    
+14. And yet another buffer overflow bug involving duplicate named groups, this 
+    time nested, with a nested back reference. Yet again, I have just allowed 
+    for more memory, because anything more needs all the refactoring that has 
+    been done for PCRE2. An example pattern that provoked this bug is:
+    /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was 
+    registered as CVE-2016-1283.



Version 8.38 23-November-2015 

Modified: code/trunk/pcre_compile.c
===================================================================
--- code/trunk/pcre_compile.c    2016-02-24 10:05:35 UTC (rev 1635)
+++ code/trunk/pcre_compile.c    2016-02-27 17:38:11 UTC (rev 1636)
@@ -7311,7 +7311,12 @@
           so far in order to get the number. If the name is not found, leave
           the value of recno as 0 for a forward reference. */


-          else
+          /* This patch (removing "else") fixes a problem when a reference is
+          to multiple identically named nested groups from within the nest.
+          Once again, it is not the "proper" fix, and it results in an
+          over-allocation of memory. */
+
+          /* else */
             {
             ng = cd->named_groups;
             for (i = 0; i < cd->names_found; i++, ng++)


Modified: code/trunk/testdata/testinput2
===================================================================
--- code/trunk/testdata/testinput2    2016-02-24 10:05:35 UTC (rev 1635)
+++ code/trunk/testdata/testinput2    2016-02-27 17:38:11 UTC (rev 1636)
@@ -4239,4 +4239,6 @@
     9010
     abcd


+/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/
+
/-- End of testinput2 --/ 

Modified: code/trunk/testdata/testoutput2
===================================================================
--- code/trunk/testdata/testoutput2    2016-02-24 10:05:35 UTC (rev 1635)
+++ code/trunk/testdata/testoutput2    2016-02-27 17:38:11 UTC (rev 1636)
@@ -14665,4 +14665,6 @@
   0     ^    0
 No match


+/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/
+
/-- End of testinput2 --/
This message was posted to the following mailing lists:
Pcre-svn
Mailing List Info | Nearby Messages		<-[Pcre-svn] [498] code/trunk: Fix pcre2test bug when snprintf() in regerror() does not insert a binary zero.[Pcre-svn] [1637] code/trunk: Fix pcretest loop for global matching with an ovector size less than 2.->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)