Apply upstream fixes for a buffer overflow issue

1585 Fix buffer overflow for named references in (?| situations. PR: 202209 Obtained from: PCRE svn (r1585) Approved by: ports-secteam (feld), feld (mentor) Security: ff0acfb4-3efa-11e5-93ad-002590263bf5 MFH: 2015Q3
svn path=/head/; revision=393915
2024-11-24 00:45:52 +00:00 · 2015-08-10 22:13:18 +00:00 · 2015-08-10 22:13:18 +00:00 · d52f3b6656 · 2021-03-31 03:12:20 +00:00
commit d52f3b6656
parent cda8aedb92
2 changed files with 140 additions and 1 deletions
--- a/devel/pcre/Makefile
+++ b/devel/pcre/Makefile
@ -3,7 +3,7 @@

 PORTNAME=	pcre
 PORTVERSION=	8.37
-PORTREVISION=	2
+PORTREVISION=	3
 CATEGORIES=	devel
 MASTER_SITES=	SF/${PORTNAME}/${PORTNAME}/${PORTVERSION} \
 		ftp://ftp.csx.cam.ac.uk/pub/software/programming/${PORTNAME}/ \
--- a/devel/pcre/files/patch-r1585-buffer-overflow
+++ b/devel/pcre/files/patch-r1585-buffer-overflow
@ -0,0 +1,139 @@
+Index: pcre_internal.h
+===================================================================
+--- pcre_internal.h	(revision 1584)
+++ pcre_internal.h	(revision 1585)
+@@ -2454,6 +2454,7 @@
+   BOOL had_pruneorskip;             /* (*PRUNE) or (*SKIP) encountered */
+   BOOL check_lookbehind;            /* Lookbehinds need later checking */
+   BOOL dupnames;                    /* Duplicate names exist */
+  BOOL dupgroups;                   /* Duplicate groups exist: (?| found */ 
+   BOOL iscondassert;                /* Next assert is a condition */
+   int  nltype;                      /* Newline type */
+   int  nllen;                       /* Newline string length */
+Index: pcre_compile.c
+===================================================================
+--- pcre_compile.c	(revision 1584)
+++ pcre_compile.c	(revision 1585)
+@@ -6668,6 +6668,7 @@
+         /* ------------------------------------------------------------ */
+         case CHAR_VERTICAL_LINE:  /* Reset capture count for each branch */
+         reset_bracount = TRUE;
+        cd->dupgroups = TRUE;     /* Record (?| encountered */ 
+         /* Fall through */
+ 
+         /* ------------------------------------------------------------ */
+@@ -7178,7 +7179,8 @@
+         if (lengthptr != NULL)
+           {
+           named_group *ng;
+-
+          recno = 0;
+           
+           if (namelen == 0)
+             {
+             *errorcodeptr = ERR62;
+@@ -7195,32 +7197,6 @@
+             goto FAILED;
+             }
+ 
+-          /* The name table does not exist in the first pass; instead we must
+-          scan the list of names encountered so far in order to get the
+-          number. If the name is not found, set the value to 0 for a forward
+-          reference. */
+-
+-          recno = 0;
+-          ng = cd->named_groups;
+-          for (i = 0; i < cd->names_found; i++, ng++)
+-            {
+-            if (namelen == ng->length &&
+-                STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+-              {
+-              open_capitem *oc;
+-              recno = ng->number;
+-              if (is_recurse) break;
+-              for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+-                {
+-                if (oc->number == recno)
+-                  {
+-                  oc->flag = TRUE;
+-                  break;
+-                  }
+-                }
+-              }
+-            }
+-
+           /* Count named back references. */
+ 
+           if (!is_recurse) cd->namedrefcount++;
+@@ -7242,7 +7218,44 @@
+           issue is fixed "properly" in PCRE2. As PCRE1 is now in maintenance
+           only mode, we finesse the bug by allowing more memory always. */
+ 
+-          /* if (recno == 0) */ *lengthptr += 2 + 2*LINK_SIZE;
+          *lengthptr += 2 + 2*LINK_SIZE;
+          
+          /* It is even worse than that. The current reference may be to an
+          existing named group with a different number (so apparently not
+          recursive) but which later on is also attached to a group with the
+          current number. This can only happen if $(| has been previous 
+          encountered. In that case, we allow yet more memory, just in case. 
+          (Again, this is fixed "properly" in PCRE2. */
+          
+          if (cd->dupgroups) *lengthptr += 2 + 2*LINK_SIZE;
+
+          /* Otherwise, check for recursion here. The name table does not exist
+          in the first pass; instead we must scan the list of names encountered
+          so far in order to get the number. If the name is not found, leave
+          the value of recno as 0 for a forward reference. */
+           
+          else
+            { 
+            ng = cd->named_groups;
+            for (i = 0; i < cd->names_found; i++, ng++)
+              {
+              if (namelen == ng->length &&
+                  STRNCMP_UC_UC(name, ng->name, namelen) == 0)
+                {
+                open_capitem *oc;
+                recno = ng->number;
+                if (is_recurse) break;
+                for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+                  {
+                  if (oc->number == recno)
+                    {
+                    oc->flag = TRUE;
+                    break;
+                    }
+                  }
+                }
+              }
+            }   
+           }
+ 
+         /* In the real compile, search the name table. We check the name
+@@ -7289,8 +7302,6 @@
+           for (i++; i < cd->names_found; i++)
+             {
+             if (STRCMP_UC_UC(slot + IMM2_SIZE, cslot + IMM2_SIZE) != 0) break;
+-
+-
+             count++;
+             cslot += cd->name_entry_size;
+             }
+@@ -9239,6 +9250,7 @@
+ cd->name_entry_size = 0;
+ cd->name_table = NULL;
+ cd->dupnames = FALSE;
+cd->dupgroups = FALSE;
+ cd->namedrefcount = 0;
+ cd->start_code = cworkspace;
+ cd->hwm = cworkspace;
+@@ -9273,7 +9285,7 @@
+ 
+ DPRINTF(("end pre-compile: length=%d workspace=%d\n", length,
+   (int)(cd->hwm - cworkspace)));
+-
+  
+ if (length > MAX_PATTERN_SIZE)
+   {
+   errorcode = ERR20;