From: Jason Unovitch Date: Mon, 10 Aug 2015 22:23:03 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r393917 - in branches/2015Q3/devel/pcre: . files X-SVN-Group: ports-branches MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-branches@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: SVN commit messages for all the branches of the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Aug 2015 22:23:04 -0000 Author: junovitch Date: Mon Aug 10 22:23:02 2015 New Revision: 393917 URL: https://svnweb.freebsd.org/changeset/ports/393917 Log: MFH: r393915 Apply upstream fixes for a buffer overflow issue 1585 Fix buffer overflow for named references in (?| situations. PR: 202209 Obtained from: PCRE svn (r1585) Approved by: ports-secteam (feld), feld (mentor) Security: ff0acfb4-3efa-11e5-93ad-002590263bf5 Added: branches/2015Q3/devel/pcre/files/patch-r1585-buffer-overflow - copied unchanged from r393915, head/devel/pcre/files/patch-r1585-buffer-overflow Modified: branches/2015Q3/devel/pcre/Makefile Directory Properties: branches/2015Q3/ (props changed) Modified: branches/2015Q3/devel/pcre/Makefile ============================================================================== --- branches/2015Q3/devel/pcre/Makefile Mon Aug 10 22:19:51 2015 (r393916) +++ branches/2015Q3/devel/pcre/Makefile Mon Aug 10 22:23:02 2015 (r393917) @@ -3,7 +3,7 @@ PORTNAME= pcre PORTVERSION= 8.37 -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= devel MASTER_SITES= SF/${PORTNAME}/${PORTNAME}/${PORTVERSION} \ ftp://ftp.csx.cam.ac.uk/pub/software/programming/${PORTNAME}/ \ Copied: branches/2015Q3/devel/pcre/files/patch-r1585-buffer-overflow (from r393915, head/devel/pcre/files/patch-r1585-buffer-overflow) ============================================================================== 
--- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q3/devel/pcre/files/patch-r1585-buffer-overflow Mon Aug 10 22:23:02 2015 (r393917, copy of r393915, head/devel/pcre/files/patch-r1585-buffer-overflow) 
@@ -0,0 +1,139 @@ +Index: pcre_internal.h +=================================================================== +--- pcre_internal.h (revision 1584) ++++ pcre_internal.h (revision 1585) +@@ -2454,6 +2454,7 @@ + BOOL had_pruneorskip; /* (*PRUNE) or (*SKIP) encountered */ + BOOL check_lookbehind; /* Lookbehinds need later checking */ + BOOL dupnames; /* Duplicate names exist */ ++ BOOL dupgroups; /* Duplicate groups exist: (?| found */ + BOOL iscondassert; /* Next assert is a condition */ + int nltype; /* Newline type */ + int nllen; /* Newline string length */ +Index: pcre_compile.c +=================================================================== +--- pcre_compile.c (revision 1584) ++++ pcre_compile.c (revision 1585) +@@ -6668,6 +6668,7 @@ + /* ------------------------------------------------------------ */ + case CHAR_VERTICAL_LINE: /* Reset capture count for each branch */ + reset_bracount = TRUE; ++ cd->dupgroups = TRUE; /* Record (?| encountered */ + /* Fall through */ + + /* ------------------------------------------------------------ */ +@@ -7178,7 +7179,8 @@ + if (lengthptr != NULL) + { + named_group *ng; +- ++ recno = 0; ++ + if (namelen == 0) + { + *errorcodeptr = ERR62; +@@ -7195,32 +7197,6 @@ + goto FAILED; + } + +- /* The name table does not exist in the first pass; instead we must +- scan the list of names encountered so far in order to get the +- number. If the name is not found, set the value to 0 for a forward +- reference. */ +- +- recno = 0; +- ng = cd->named_groups; +- for (i = 0; i < cd->names_found; i++, ng++) +- { +- if (namelen == ng->length && +- STRNCMP_UC_UC(name, ng->name, namelen) == 0) +- { +- open_capitem *oc; +- recno = ng->number; +- if (is_recurse) break; +- for (oc = cd->open_caps; oc != NULL; oc = oc->next) +- { +- if (oc->number == recno) +- { +- oc->flag = TRUE; +- break; +- } +- } +- } +- } +- + /* Count named back references. 
*/ + + if (!is_recurse) cd->namedrefcount++; +@@ -7242,7 +7218,44 @@ + issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance + only mode, we finesse the bug by allowing more memory always. */ + +- /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE; ++ *lengthptr += 2 + 2*LINK_SIZE; ++ ++ /* It is even worse than that. The current reference may be to an ++ existing named group with a different number (so apparently not ++ recursive) but which later on is also attached to a group with the ++ current number. This can only happen if $(| has been previous ++ encountered. In that case, we allow yet more memory, just in case. ++ (Again, this is fixed "properly" in PCRE2. */ ++ ++ if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE; ++ ++ /* Otherwise, check for recursion here. The name table does not exist ++ in the first pass; instead we must scan the list of names encountered ++ so far in order to get the number. If the name is not found, leave ++ the value of recno as 0 for a forward reference. */ ++ ++ else ++ { ++ ng = cd->named_groups; ++ for (i = 0; i < cd->names_found; i++, ng++) ++ { ++ if (namelen == ng->length && ++ STRNCMP_UC_UC(name, ng->name, namelen) == 0) ++ { ++ open_capitem *oc; ++ recno = ng->number; ++ if (is_recurse) break; ++ for (oc = cd->open_caps; oc != NULL; oc = oc->next) ++ { ++ if (oc->number == recno) ++ { ++ oc->flag = TRUE; ++ break; ++ } ++ } ++ } ++ } ++ } + } + + /* In the real compile, search the name table. 
We check the name +@@ -7289,8 +7302,6 @@ + for (i++; i < cd->names_found; i++) + { + if (STRCMP_UC_UC(slot + IMM2_SIZE, cslot + IMM2_SIZE) != 0) break; +- +- + count++; + cslot += cd->name_entry_size; + } +@@ -9239,6 +9250,7 @@ + cd->name_entry_size = 0; + cd->name_table = NULL; + cd->dupnames = FALSE; ++cd->dupgroups = FALSE; + cd->namedrefcount = 0; + cd->start_code = cworkspace; + cd->hwm = cworkspace; +@@ -9273,7 +9285,7 @@ + + DPRINTF(("end pre-compile: length=%d workspace=%d\n", length, + (int)(cd->hwm - cworkspace))); +- ++ + if (length > MAX_PATTERN_SIZE) + { + errorcode = ERR20;