From 354e1f8e921dcb9cf2f3a5eac93cd826d01a7d8a Mon Sep 17 00:00:00 2001 From: ph10 Date: Tue, 23 Jun 2015 16:34:53 +0000 Subject: [PATCH] Fix buffer overflow for forward reference within backward assertion with excess closing parenthesis. Bugzilla 1651. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is upstream commit ported to 8.37: commit 764692f9aea9eab50fdba6cb537441d8b34c6c37 Author: ph10 Date: Tue Jun 23 16:34:53 2015 +0000 Fix buffer overflow for forward reference within backward assertion with excess closing parenthesis. Bugzilla 1651. git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1571 2f5784b3-3f2a-0410-8824-cb99058d5e15 It fixes CVE-2015-5073. Signed-off-by: Petr Písař --- pcre_compile.c | 2 +- testdata/testinput2 | 2 ++ testdata/testoutput2 | 3 +++ 3 files changed, 6 insertions(+), 1 deletion(-) diff --git a/pcre_compile.c b/pcre_compile.c index 6f06912..b66b1f6 100644 --- a/pcre_compile.c +++ b/pcre_compile.c @@ -9392,7 +9392,7 @@ OP_RECURSE that are not fixed length get a diagnosic with a useful offset. The exceptional ones forgo this. We scan the pattern to check that they are fixed length, and set their lengths. */ -if (cd->check_lookbehind) +if (errorcode == 0 && cd->check_lookbehind) { pcre_uchar *cc = (pcre_uchar *)codestart; diff --git a/testdata/testinput2 b/testdata/testinput2 index 83bb471..5cc9ce6 100644 --- a/testdata/testinput2 +++ b/testdata/testinput2 @@ -4154,4 +4154,6 @@ backtracking verbs. --/ "(?J)(?'d'(?'d'\g{d}))" +/(?=di(?<=(?1))|(?=(.))))/ + /-- End of testinput2 --/ diff --git a/testdata/testoutput2 b/testdata/testoutput2 index 7dff52a..4decb8d 100644 --- a/testdata/testoutput2 +++ b/testdata/testoutput2 @@ -14425,4 +14425,7 @@ Failed: lookbehind assertion is not fixed length at offset 17 "(?J)(?'d'(?'d'\g{d}))" +/(?=di(?<=(?1))|(?=(.))))/ +Failed: unmatched parentheses at offset 23 + /-- End of testinput2 --/ -- 2.4.3