nixpkgs/pkgs/development/libraries/pcre/CVE-2016-1283.patch
Micxjo Funkcio 1e2fe7e07d pcre: patch CVE-2016-1283
This fixes CVE-2016-1283, which allows remote attackers to cause
a denial of service (heap-based buffer overflow) or possibly
have unspecified other impact via a crafted regular expression.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283
2016-04-09 02:43:41 +03:00

18 lines
747 B
Diff

Index: pcre_compile.c
===================================================================
--- a/pcre_compile.c (revision 1635)
+++ b/pcre_compile.c (revision 1636)
@@ -7311,7 +7311,12 @@
so far in order to get the number. If the name is not found, leave
the value of recno as 0 for a forward reference. */
- else
+ /* This patch (removing "else") fixes a problem when a reference is
+ to multiple identically named nested groups from within the nest.
+ Once again, it is not the "proper" fix, and it results in an
+ over-allocation of memory. */
+
+ /* else */
{
ng = cd->named_groups;
for (i = 0; i < cd->names_found; i++, ng++)