| Description: CVE-2014-8964, heap buffer overflow |
| Heap buffer overflow if an assertion with a zero minimum repeat is used as |
| the condition in a conditional group. |
| Origin: upstream http://bugs.exim.org/show_bug.cgi?id=1546 |
| Bug: http://bugs.exim.org/show_bug.cgi?id=1546 |
| Applied-Upstream: Yes, after 8.36 |
| |
| Signed-off-by: Baruch Siach <baruch@tkos.co.il> |
| --- |
| This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ |
| --- a/pcre_exec.c |
| +++ b/pcre_exec.c |
| @@ -1404,8 +1404,11 @@ |
| condition = TRUE; |
| |
| /* Advance ecode past the assertion to the start of the first branch, |
| - but adjust it so that the general choosing code below works. */ |
| + but adjust it so that the general choosing code below works. If the |
| + assertion has a quantifier that allows zero repeats we must skip over |
| + the BRAZERO. This is a lunatic thing to do, but somebody did! */ |
| |
| + if (*ecode == OP_BRAZERO) ecode++; |
| ecode += GET(ecode, 1); |
| while (*ecode == OP_ALT) ecode += GET(ecode, 1); |
| ecode += 1 + LINK_SIZE - PRIV(OP_lengths)[condcode]; |
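Review bot: The added check `if (*ecode == OP_BRAZERO) ecode++;` skips exactly one opcode, while the comment above it speaks of any quantifier that allows zero repeats. If other zero-repeat forms (for example a lazy quantifier) can be compiled in front of a condition assertion, `ecode += GET(ecode, 1)` would still read its link from the wrong offset. That is the situation the description ties to the heap overflow. Either say in the comment why only OP_BRAZERO can appear at this point, or extend the check to cover the other forms. The diff also touches only pcre_exec.c and adds no test pattern for the case in the description (an assertion with a zero minimum repeat used as the condition of a conditional group), so a regression test input should accompany the change.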