|
|
@@ -1,25 +0,0 @@
|
|
|
-Description: CVE-2014-8964, heap buffer overflow
|
|
|
- Heap buffer overflow if an assertion with a zero minimum repeat is used as
|
|
|
- the condition in a conditional group.
|
|
|
-Origin: upstream http://bugs.exim.org/show_bug.cgi?id=1546
|
|
|
-Bug: http://bugs.exim.org/show_bug.cgi?id=1546
|
|
|
-Applied-Upstream: Yes, after 8.36
|
|
|
-
|
|
|
-Signed-off-by: Baruch Siach <baruch@tkos.co.il>
|
|
|
----
|
|
|
-This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
|
|
|
---- a/pcre_exec.c
|
|
|
-+++ b/pcre_exec.c
|
|
|
-@@ -1404,8 +1404,11 @@
|
|
|
- condition = TRUE;
|
|
|
-
|
|
|
- /* Advance ecode past the assertion to the start of the first branch,
|
|
|
-- but adjust it so that the general choosing code below works. */
|
|
|
-+ but adjust it so that the general choosing code below works. If the
|
|
|
-+ assertion has a quantifier that allows zero repeats we must skip over
|
|
|
-+ the BRAZERO. This is a lunatic thing to do, but somebody did! */
|
|
|
-
|
|
|
-+ if (*ecode == OP_BRAZERO) ecode++;
|
|
|
- ecode += GET(ecode, 1);
|
|
|
- while (*ecode == OP_ALT) ecode += GET(ecode, 1);
|
|
|
- ecode += 1 + LINK_SIZE - PRIV(OP_lengths)[condcode];
|
Gustavo Zacarias