authorph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>2008-07-09 20:00:28 +0000
committerph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>2008-07-09 20:00:28 +0000
commit29f13735ce70eafca41dbb0786264e84bb20996b (patch)
tree4c17ce82ffad037e09dca65196db9c5060741876
parent4e445de088852324fd84d761b4ec89647722d595 (diff)
Fix CVE-2008-2371 (outer level option with alternatives caused crash).
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@360 2f5784b3-3f2a-0410-8824-cb99058d5e15
-rw-r--r--ChangeLog8
-rw-r--r--pcre_compile.c21
-rw-r--r--testdata/testinput12
-rw-r--r--testdata/testoutput12
4 files changed, 21 insertions, 12 deletions
diff --git a/ChangeLog b/ChangeLog
index 8b25608..0bc25c6 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -41,6 +41,14 @@ Version 8.0 02 Jul-08
10. The PCRE_EXP_DEFN macro which precedes exported functions was missing from
the convenience functions in the pcre_get.c source file.
+
+11. An option change at the start of a pattern that had top-level alternatives
+ could cause overwriting and/or a crash. This command provoked a crash in
+ some environments:
+
+ printf "/(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]/8\n" | pcretest
+
+ This potential security problem was recorded as CVE-2008-2371.
Version 7.7 07-May-08
diff --git a/pcre_compile.c b/pcre_compile.c
index 4a6cd67..7142a2d 100644
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -4920,10 +4920,8 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
both phases.
If we are not at the pattern start, compile code to change the ims
- options if this setting actually changes any of them. We also pass the
- new setting back so that it can be put at the start of any following
- branches, and when this group ends (if we are in a group), a resetting
- item can be compiled. */
+ options if this setting actually changes any of them, and reset the
+ greedy defaults and the case value for firstbyte and reqbyte. */
if (*ptr == ')')
{
@@ -4931,7 +4929,6 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
(lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
{
cd->external_options = newoptions;
- options = newoptions;
}
else
{
@@ -4940,17 +4937,17 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
*code++ = OP_OPT;
*code++ = newoptions & PCRE_IMS;
}
-
- /* Change options at this level, and pass them back for use
- in subsequent branches. Reset the greedy defaults and the case
- value for firstbyte and reqbyte. */
-
- *optionsptr = options = newoptions;
greedy_default = ((newoptions & PCRE_UNGREEDY) != 0);
greedy_non_default = greedy_default ^ 1;
- req_caseopt = ((options & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
+ req_caseopt = ((newoptions & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
}
+ /* Change options at this level, and pass them back for use
+ in subsequent branches. When not at the start of the pattern, this
+ information is also necessary so that a resetting item can be
+ compiled at the end of a group (if we are in a group). */
+
+ *optionsptr = options = newoptions;
previous = NULL; /* This item can't be repeated */
continue; /* It is complete */
}
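Review bot: After `*optionsptr = options = newoptions;` is moved below the if/else, the pattern-start branch (the hunk at -4931) still leaves `greedy_default`, `greedy_non_default` and `req_caseopt` untouched, while the else branch now refreshes all three from `newoptions`, so the two paths through the same option change end with different local state. If the start-of-pattern path deliberately relies on those values being derived from `cd->external_options` elsewhere, a comment beside `cd->external_options = newoptions;` such as `/* greedy_default and req_caseopt are derived from external_options by the caller */` would keep a later reader from "fixing" the asymmetry; if not, hoisting the three assignments next to `*optionsptr = options = newoptions;` would make both paths agree. Since the condition at -4931 distinguishes what looks like a length-measuring pass (`lengthptr != NULL`) from the real compile, and the ChangeLog attributes the crash to the two disagreeing, any remaining state the passes can observe differently is worth pinning down explicitly. The enclosing `if (*ptr == ')')` block opens in the hunk at -4920, and the surrounding function begins outside these hunks.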
diff --git a/testdata/testinput1 b/testdata/testinput1
index 91554ff..06beeb7 100644
--- a/testdata/testinput1
+++ b/testdata/testinput1
@@ -4036,4 +4036,6 @@
]
p
+/(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]/8
+
/ End of testinput1 /
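Review bot: The regression pattern added at the end of testinput1 is followed only by a blank line, so it checks that compiling `/(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]/8` no longer crashes but not that the `(?i)` setting actually reaches the second alternative. A subject line `    a` under the pattern (matching only via the caseless `A` in the second class) with the corresponding ` 0: a` in testoutput1 would also catch a future regression where the option stops propagating to later branches without crashing. This uses only ASCII, so it should not depend on Unicode property support.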
diff --git a/testdata/testoutput1 b/testdata/testoutput1
index 9b8b268..920f911 100644
--- a/testdata/testoutput1
+++ b/testdata/testoutput1
@@ -6605,4 +6605,6 @@ No match
p
0: p
+/(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]/8
+
/ End of testinput1 /