
Bug#819292: jessie-pu: package pcre3/2:8.35-3.3+deb8u4



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

Hi stable release managers,

Here is another update proposed for src:pcre3 for -- if possible --
having it included in the upcoming Jessie point release. It has been
reported as #819050, libpcre3 segfaults on certain regex when jit is
used.

(Ideally, see Florian's comment, suricata in Jessie would not explicitly
enable the PCRE JIT compiler)

The attached debdiff fixes at least the reported case and a previous
one reported to the security team not via the BTS.

I'm attaching both debdiffs once between 2:8.35-3.3+deb8u2 and
2:8.35-3.3+deb8u4, and once between 2:8.35-3.3+deb8u3 and
2:8.35-3.3+deb8u4.

Regards,
Salvatore
diff -Nru pcre3-8.35/debian/changelog pcre3-8.35/debian/changelog
--- pcre3-8.35/debian/changelog	2016-01-10 19:49:57.000000000 +0100
+++ pcre3-8.35/debian/changelog	2016-03-26 07:38:16.000000000 +0100
@@ -1,3 +1,28 @@
+pcre3 (2:8.35-3.3+deb8u4) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Add 0001-Fixed-an-issue-with-nested-table-jumps.patch.
+    Fixes issue with nested table jumps. (Closes: #819050)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 25 Mar 2016 19:58:10 +0100
+
+pcre3 (2:8.35-3.3+deb8u3) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Refresh CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch.
+    Drop addition of "error text" for error ERR86 in pcre_compile.c.  This
+    change belongs to upstream revision 1481 (Give error for \x{} and \o{}).
+  * Add 0001-Give-error-for-x-and-o.patch.
+    Give error for \x{} and \o{}.
+  * Add 0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch.
+    CVE-2016-3191: workspace overflow for (*ACCEPT) with deeply nested
+    parentheses. (Closes: #815921)
+  * Add 0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch.
+    CVE-2016-1283: heap buffer overflow in handling of duplicate named
+    groups. (Closes: #809706)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 25 Mar 2016 07:05:50 +0100
+
 pcre3 (2:8.35-3.3+deb8u2) jessie; urgency=medium
 
   * Non-maintainer upload.
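
Review bot: The 2:8.35-3.3+deb8u4 entry says only "Fixes issue with nested
table jumps", which does not tell a changelog reader that the change is in
the JIT compiler or that the symptom is a segfault. The cover mail describes
#819050 as libpcre3 segfaulting on certain regexes when JIT is used, and the
patch touches pcre_jit_compile.c, so wording such as "Fix segfault in
JIT-compiled patterns with nested table jumps" would make the entry
searchable. The deb8u3 entry already names its CVEs and bug numbers in that
way.
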
diff -Nru pcre3-8.35/debian/patches/0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch pcre3-8.35/debian/patches/0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch
--- pcre3-8.35/debian/patches/0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch	1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch	2016-03-26 07:38:16.000000000 +0100
@@ -0,0 +1,120 @@
+Description: Fix workspace overflow for (*ACCEPT) with deeply nested parentheses
+ Addresses CVE-2016-3191
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1631
+Bug: https://bugs.exim.org/show_bug.cgi?id=1791
+Bug-Debian: https://bugs.debian.org/815921
+Forwarded: not-needed
+Author: Philip Hazel <ph10@cam.ac.uk> 
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-03-25
+Applied-Upstream: 8.39
+---
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -549,7 +549,8 @@ static const char error_texts[] =
+   "group name must start with a non-digit\0"
+   /* 85 */
+   "parentheses are too deeply nested (stack check)\0"
+-  "digits missing in \\x{} or \\o{}\0" 
++  "digits missing in \\x{} or \\o{}\0"
++  "regular expression is too complicated\0"
+   ;
+ 
+ /* Table to identify digits and hex digits. This is used when compiling
+@@ -4510,7 +4511,8 @@ for (;; ptr++)
+     if (code > cd->start_workspace + cd->workspace_size -
+         WORK_SIZE_SAFETY_MARGIN)                       /* Check for overrun */
+       {
+-      *errorcodeptr = ERR52;
++      *errorcodeptr = (code >= cd->start_workspace + cd->workspace_size)?
++        ERR52 : ERR87;
+       goto FAILED;
+       }
+ 
+@@ -6473,8 +6475,21 @@ for (;; ptr++)
+             cd->had_accept = TRUE;
+             for (oc = cd->open_caps; oc != NULL; oc = oc->next)
+               {
+-              *code++ = OP_CLOSE;
+-              PUT2INC(code, 0, oc->number);
++              if (lengthptr != NULL)
++                {
++#ifdef COMPILE_PCRE8
++                *lengthptr += 1 + IMM2_SIZE;
++#elif defined COMPILE_PCRE16
++                *lengthptr += 2 + IMM2_SIZE;
++#elif defined COMPILE_PCRE32
++                *lengthptr += 4 + IMM2_SIZE;
++#endif
++                }
++              else
++                {
++                *code++ = OP_CLOSE;
++                PUT2INC(code, 0, oc->number);
++                }
+               }
+             setverb = *code++ =
+               (cd->assert_depth > 0)? OP_ASSERT_ACCEPT : OP_ACCEPT;
+--- a/testdata/testinput11
++++ b/testdata/testinput11
+@@ -136,4 +136,6 @@ is required for these tests. --/
+ 
+ /((?+1)(\1))/B
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++
+ /-- End of testinput11 --/
+--- a/testdata/testoutput11-16
++++ b/testdata/testoutput11-16
+@@ -748,4 +748,7 @@ Memory allocation (code space): 14
+  22     End
+ ------------------------------------------------------------------
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: regular expression is too complicated at offset 490
++
+ /-- End of testinput11 --/
+--- a/testdata/testoutput11-32
++++ b/testdata/testoutput11-32
+@@ -748,4 +748,7 @@ Memory allocation (code space): 28
+  22     End
+ ------------------------------------------------------------------
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: missing ) at offset 509
++
+ /-- End of testinput11 --/
+--- a/testdata/testoutput11-8
++++ b/testdata/testoutput11-8
+@@ -748,4 +748,7 @@ Memory allocation (code space): 10
+  34     End
+ ------------------------------------------------------------------
+ 
++/([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00]([00](*ACCEPT)/
++Failed: missing ) at offset 509
++
+ /-- End of testinput11 --/
+--- a/pcreposix.c
++++ b/pcreposix.c
+@@ -173,7 +173,8 @@ static const int eint[] = {
+   REG_BADPAT,  /* group name must start with a non-digit */
+   /* 85 */
+   REG_BADPAT,  /* parentheses too deeply nested (stack check) */
+-  REG_BADPAT   /* missing digits in \x{} or \o{} */ 
++  REG_BADPAT,  /* missing digits in \x{} or \o{} */ 
++  REG_BADPAT   /* pattern too complicated */
+ };
+ 
+ /* Table of texts corresponding to POSIX error codes */
+--- a/pcre_internal.h
++++ b/pcre_internal.h
+@@ -2281,7 +2281,7 @@ enum { ERR0,  ERR1,  ERR2,  ERR3,  ERR4,
+        ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
+        ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
+        ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79,
+-       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT };
++       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERRCOUNT };
+ 
+ /* JIT compiling modes. The function list is indexed by them. */
+ 
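
Review bot: In the (*ACCEPT) hunk of pcre_compile.c the length pass adds 1, 2
or 4 plus IMM2_SIZE per open capture depending on COMPILE_PCRE8/16/32, while
the emitting branch writes a single OP_CLOSE followed by PUT2INC in every
build, so the two branches do not obviously count in the same unit. If the
larger 16-bit and 32-bit increments are a deliberate overestimate, a one-line
comment saying so would help, and an #else with #error would catch a build
where none of the three macros is defined (as written, the length is then
silently not increased). Separately, the new test expects "regular expression
is too complicated at offset 490" in testoutput11-16 but "missing ) at offset
509" in testoutput11-8 and testoutput11-32 for the same pattern; a short note
in the patch description on why the widths differ would save the next reader
from suspecting a stale expected file.
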
diff -Nru pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch
--- pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch	1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch	2016-03-26 07:38:16.000000000 +0100
@@ -0,0 +1,102 @@
+Description: Fixed an issue with nested table jumps
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1475
+Bug-Debian: https://bugs.debian.org/819050
+Forwarded: not-needed
+Author: Zoltan Herczeg <hzmester@freemail.hu>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-03-25
+Applied-Upstream: 8.36
+---
+
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -200,7 +200,7 @@ typedef struct stub_list {
+ 
+ typedef struct label_addr_list {
+   struct sljit_label *label;
+-  sljit_uw *addr;
++  sljit_uw *update_addr;
+   struct label_addr_list *next;
+ } label_addr_list;
+ 
+@@ -2070,7 +2070,7 @@ while (list_item)
+ common->stubs = NULL;
+ }
+ 
+-static void add_label_addr(compiler_common *common)
++static void add_label_addr(compiler_common *common, sljit_uw *update_addr)
+ {
+ DEFINE_COMPILER;
+ label_addr_list *label_addr;
+@@ -2079,10 +2079,9 @@ label_addr = sljit_alloc_memory(compiler
+ if (label_addr == NULL)
+   return;
+ label_addr->label = LABEL();
+-label_addr->addr = common->read_only_data_ptr;
++label_addr->update_addr = update_addr;
+ label_addr->next = common->label_addrs;
+ common->label_addrs = label_addr;
+-common->read_only_data_ptr++;
+ }
+ 
+ static SLJIT_INLINE void count_match(compiler_common *common)
+@@ -8819,6 +8818,7 @@ pcre_uchar *ccprev;
+ pcre_uchar bra = OP_BRA;
+ pcre_uchar ket;
+ assert_backtrack *assert;
++sljit_uw *next_update_addr;
+ BOOL has_alternatives;
+ BOOL needs_control_head = FALSE;
+ struct sljit_jump *brazero = NULL;
+@@ -8988,8 +8988,10 @@ else if (has_alternatives)
+   if (alt_max > 4)
+     {
+     /* Table jump if alt_max is greater than 4. */
+-    sljit_emit_ijump(compiler, SLJIT_JUMP, SLJIT_MEM1(TMP1), (sljit_sw)common->read_only_data_ptr);
+-    add_label_addr(common);
++    next_update_addr = common->read_only_data_ptr;
++    common->read_only_data_ptr += alt_max;
++    sljit_emit_ijump(compiler, SLJIT_JUMP, SLJIT_MEM1(TMP1), (sljit_sw)next_update_addr);
++    add_label_addr(common, next_update_addr++);
+     }
+   else
+     {
+@@ -9121,7 +9123,7 @@ if (has_alternatives)
+     if (opcode != OP_ONCE)
+       {
+       if (alt_max > 4)
+-        add_label_addr(common);
++        add_label_addr(common, next_update_addr++);
+       else
+         {
+         if (alt_count != 2 * sizeof(sljit_uw))
+@@ -10316,7 +10318,7 @@ executable_size = sljit_get_generated_co
+ label_addr = common->label_addrs;
+ while (label_addr != NULL)
+   {
+-  *label_addr->addr = sljit_get_label_addr(label_addr->label);
++  *label_addr->update_addr = sljit_get_label_addr(label_addr->label);
+   label_addr = label_addr->next;
+   }
+ sljit_free_compiler(compiler);
+--- a/testdata/testinput1
++++ b/testdata/testinput1
+@@ -5675,4 +5675,7 @@ AbcdCBefgBhiBqz
+ "(?|(\k'Pm')|(?'Pm'))"
+     abcd
+ 
++/(?:x|(?:(xx|yy)+|x|x|x|x|x)|a|a|a)bc/
++    acb
++
+ /-- End of testinput1 --/
+--- a/testdata/testoutput1
++++ b/testdata/testoutput1
+@@ -9328,4 +9328,8 @@ No match
+  0: 
+  1: 
+ 
++/(?:x|(?:(xx|yy)+|x|x|x|x|x)|a|a|a)bc/
++    acb
++No match
++
+ /-- End of testinput1 --/
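
Review bot: In the hunk at -8988 the jump table now reserves alt_max entries
at once with "common->read_only_data_ptr += alt_max", but none of the visible
hunks touches the code that sizes the read-only data area, so this diff alone
does not show that the area holds alt_max slots for every bracket with more
than four alternatives. Please confirm against upstream r1475 that the sizing
pass counts the same number of slots that this hunk consumes, and that
add_label_addr() is called exactly alt_max times per table, since the final
loop at -10316 writes through every stored update_addr.
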
diff -Nru pcre3-8.35/debian/patches/0001-Give-error-for-x-and-o.patch pcre3-8.35/debian/patches/0001-Give-error-for-x-and-o.patch
--- pcre3-8.35/debian/patches/0001-Give-error-for-x-and-o.patch	1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Give-error-for-x-and-o.patch	2016-03-26 07:38:16.000000000 +0100
@@ -0,0 +1,105 @@
+Description: Give error for \x{} and \o{}.
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1481
+Forwarded: not-needed
+Author: Philip Hazel <ph10@cam.ac.uk>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-03-25
+Applied-Upstream: 8.36
+---
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -549,6 +549,7 @@ static const char error_texts[] =
+   "group name must start with a non-digit\0"
+   /* 85 */
+   "parentheses are too deeply nested (stack check)\0"
++  "digits missing in \\x{} or \\o{}\0" 
+   ;
+ 
+ /* Table to identify digits and hex digits. This is used when compiling
+@@ -1259,6 +1260,7 @@ else
+ 
+     case CHAR_o:
+     if (ptr[1] != CHAR_LEFT_CURLY_BRACKET) *errorcodeptr = ERR81; else
++    if (ptr[2] == CHAR_RIGHT_CURLY_BRACKET) *errorcodeptr = ERR86; else 
+       {
+       ptr += 2;
+       c = 0;
+@@ -1328,6 +1330,11 @@ else
+       if (ptr[1] == CHAR_LEFT_CURLY_BRACKET)
+         {
+         ptr += 2;
++        if (*ptr == CHAR_RIGHT_CURLY_BRACKET)
++          {
++          *errorcodeptr = ERR86;
++          break;
++          }    
+         c = 0;
+         overflow = FALSE;
+         while (MAX_255(*ptr) && (digitab[*ptr] & ctype_xdigit) != 0)
+--- a/pcre_internal.h
++++ b/pcre_internal.h
+@@ -2281,7 +2281,7 @@ enum { ERR0,  ERR1,  ERR2,  ERR3,  ERR4,
+        ERR50, ERR51, ERR52, ERR53, ERR54, ERR55, ERR56, ERR57, ERR58, ERR59,
+        ERR60, ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69,
+        ERR70, ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79,
+-       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERRCOUNT };
++       ERR80, ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERRCOUNT };
+ 
+ /* JIT compiling modes. The function list is indexed by them. */
+ 
+--- a/pcreposix.c
++++ b/pcreposix.c
+@@ -172,7 +172,8 @@ static const int eint[] = {
+   REG_BADPAT,  /* invalid range in character class */
+   REG_BADPAT,  /* group name must start with a non-digit */
+   /* 85 */
+-  REG_BADPAT   /* parentheses too deeply nested (stack check) */
++  REG_BADPAT,  /* parentheses too deeply nested (stack check) */
++  REG_BADPAT   /* missing digits in \x{} or \o{} */ 
+ };
+ 
+ /* Table of texts corresponding to POSIX error codes */
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4098,4 +4098,16 @@ backtracking verbs. --/
+ 
+ /(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/
+ 
++/\othing/
++
++/\o{}/
++
++/\o{whatever}/
++
++/\xthing/
++
++/\x{}/
++
++/\x{whatever}/
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14226,4 +14226,21 @@ Failed: number is too big at offset 13
+ 
+ /(?J:(?|(:(?|(?'R')(\z(?|(?'R')(\k'R')|((?'R')))k'R')|((?'R')))H'Ak'Rf)|s(?'R')))/
+ 
++/\othing/
++Failed: missing opening brace after \o at offset 1
++
++/\o{}/
++Failed: digits missing in \x{} or \o{} at offset 1
++
++/\o{whatever}/
++Failed: non-octal character in \o{} (closing brace missing?) at offset 3
++
++/\xthing/
++
++/\x{}/
++Failed: digits missing in \x{} or \o{} at offset 3
++
++/\x{whatever}/
++Failed: non-hex character in \x{} (closing brace missing?) at offset 3
++
+ /-- End of testinput2 --/
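
Review bot: The two empty-brace checks in pcre_compile.c run at different
pointer positions: for \o the new test reads ptr[2] before "ptr += 2", while
for \x it is placed after "ptr += 2", and the expected output reflects that,
with /\o{}/ failing at offset 1 and /\x{}/ at offset 3 for the same ERR86
message. If the difference is not intended, moving the \o check after its
"ptr += 2" would report both at the brace. The added error_texts string, the
CHAR_o line and the closing brace of the \x block also end in trailing
whitespace, and the next patch in the series has to rewrite the error_texts
line to remove it.
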
diff -Nru pcre3-8.35/debian/patches/0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch pcre3-8.35/debian/patches/0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch
--- pcre3-8.35/debian/patches/0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch	1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch	2016-03-26 07:38:16.000000000 +0100
@@ -0,0 +1,45 @@
+Description: CVE-2016-1283: heap buffer overflow in handling of duplicate named groups
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1636
+Bug: https://bugs.exim.org/show_bug.cgi?id=1767
+Bug-Debian: https://bugs.debian.org/809706
+Forwarded: not-needed
+Author: Philip Hazel <ph10@cam.ac.uk>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-03-25
+Applied-Upstream: 8.39
+---
+
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -7133,7 +7133,12 @@ for (;; ptr++)
+           so far in order to get the number. If the name is not found, leave
+           the value of recno as 0 for a forward reference. */
+            
+-          else
++          /* This patch (removing "else") fixes a problem when a reference is
++          to multiple identically named nested groups from within the nest.
++          Once again, it is not the "proper" fix, and it results in an
++          over-allocation of memory. */
++
++          /* else */
+             { 
+             ng = cd->named_groups;
+             for (i = 0; i < cd->names_found; i++, ng++)
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -4110,4 +4110,6 @@ backtracking verbs. --/
+ 
+ /\x{whatever}/
+ 
++/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/
++
+ /-- End of testinput2 --/
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -14243,4 +14243,6 @@ Failed: digits missing in \x{} or \o{} a
+ /\x{whatever}/
+ Failed: non-hex character in \x{} (closing brace missing?) at offset 3
+ 
++/((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/
++
+ /-- End of testinput2 --/
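
Review bot: The regression case added to testinput2 and testoutput2 has no
subject line and no expected output, so it only asserts that the pattern
compiles; a heap overflow of the kind named in the Description would go
unnoticed by that test unless the suite is run under a memory checker. It is
worth stating in the patch header how the fix was verified. The
pcre_compile.c hunk also leaves the old branch behind as a commented-out
"/* else */", and its own comment says this is not the "proper" fix and
over-allocates memory; carrying that caveat into the Description would keep
the over-allocation from being mistaken for a regression later.
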
diff -Nru pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch
--- pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch	2016-01-10 19:49:57.000000000 +0100
+++ pcre3-8.35/debian/patches/CVE-2015-2325_CVE-2015-2326_CVE-2015-3210_CVE-2015-5073.patch	2016-03-26 07:38:16.000000000 +0100
@@ -3,17 +3,9 @@
 https://security-tracker.debian.org/tracker/CVE-2015-2326
 https://security-tracker.debian.org/tracker/CVE-2015-2325
 
---- pcre3-8.35.orig/pcre_compile.c
-+++ pcre3-8.35/pcre_compile.c
-@@ -549,6 +549,7 @@ static const char error_texts[] =
-   "group name must start with a non-digit\0"
-   /* 85 */
-   "parentheses are too deeply nested (stack check)\0"
-+  "digits missing in \\x{} or \\o{}\0"
-   ;
- 
- /* Table to identify digits and hex digits. This is used when compiling
-@@ -3936,14 +3937,14 @@ Arguments:
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -3936,14 +3936,14 @@ Arguments:
    adjust     the amount by which the group is to be moved
    utf        TRUE in UTF-8 / UTF-16 / UTF-32 mode
    cd         contains pointers to tables etc.
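
Review bot: The only header context visible in this hunk is the two
security-tracker URLs, whereas the four patches added in this upload carry
Description, Origin and Applied-Upstream fields. Since the patch is being
refreshed anyway, adding the upstream revision for each of the four CVEs in
the same form would make it as traceable as the new ones, unless the two
lines above this hunk already do so. The removed error_texts hunk itself
matches the changelog entry for deb8u3.
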
@@ -30,7 +22,7 @@
  {
  pcre_uchar *ptr = group;
  
-@@ -3955,7 +3956,8 @@ while ((ptr = (pcre_uchar *)find_recurse
+@@ -3955,7 +3955,8 @@ while ((ptr = (pcre_uchar *)find_recurse
    /* See if this recursion is on the forward reference list. If so, adjust the
    reference. */
  
@@ -40,7 +32,7 @@
      {
      offset = (int)GET(hc, 0);
      if (cd->start_code + offset == ptr + 1)
-@@ -4400,7 +4402,7 @@ const pcre_uchar *tempptr;
+@@ -4400,7 +4401,7 @@ const pcre_uchar *tempptr;
  const pcre_uchar *nestptr = NULL;
  pcre_uchar *previous = NULL;
  pcre_uchar *previous_callout = NULL;
@@ -49,7 +41,7 @@
  pcre_uint8 classbits[32];
  
  /* We can fish out the UTF-8 setting once and for all into a BOOL, but we
-@@ -5912,7 +5914,7 @@ for (;; ptr++)
+@@ -5912,7 +5913,7 @@ for (;; ptr++)
          if (repeat_max <= 1)    /* Covers 0, 1, and unlimited */
            {
            *code = OP_END;
@@ -58,7 +50,7 @@
            memmove(previous + 1, previous, IN_UCHARS(len));
            code++;
            if (repeat_max == 0)
-@@ -5936,7 +5938,7 @@ for (;; ptr++)
+@@ -5936,7 +5937,7 @@ for (;; ptr++)
            {
            int offset;
            *code = OP_END;
@@ -67,7 +59,7 @@
            memmove(previous + 2 + LINK_SIZE, previous, IN_UCHARS(len));
            code += 2 + LINK_SIZE;
            *previous++ = OP_BRAZERO + repeat_type;
-@@ -5999,26 +6001,25 @@ for (;; ptr++)
+@@ -5999,26 +6000,25 @@ for (;; ptr++)
              for (i = 1; i < repeat_min; i++)
                {
                pcre_uchar *hc;
@@ -101,7 +93,7 @@
                code += len;
                }
              }
-@@ -6063,7 +6064,7 @@ for (;; ptr++)
+@@ -6063,7 +6063,7 @@ for (;; ptr++)
          else for (i = repeat_max - 1; i >= 0; i--)
            {
            pcre_uchar *hc;
@@ -110,7 +102,7 @@
  
            *code++ = OP_BRAZERO + repeat_type;
  
-@@ -6085,22 +6086,21 @@ for (;; ptr++)
+@@ -6085,22 +6085,21 @@ for (;; ptr++)
            copying them. */
  
            while (cd->hwm > cd->start_workspace + cd->workspace_size -
@@ -139,7 +131,7 @@
            code += len;
            }
  
-@@ -6196,7 +6196,7 @@ for (;; ptr++)
+@@ -6196,7 +6195,7 @@ for (;; ptr++)
                {
                int nlen = (int)(code - bracode);
                *code = OP_END;
@@ -148,7 +140,7 @@
                memmove(bracode + 1 + LINK_SIZE, bracode, IN_UCHARS(nlen));
                code += 1 + LINK_SIZE;
                nlen += 1 + LINK_SIZE;
-@@ -6330,7 +6330,7 @@ for (;; ptr++)
+@@ -6330,7 +6329,7 @@ for (;; ptr++)
          else
            {
            *code = OP_END;
@@ -157,7 +149,7 @@
            memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
            code += 1 + LINK_SIZE;
            len += 1 + LINK_SIZE;
-@@ -6379,7 +6379,7 @@ for (;; ptr++)
+@@ -6379,7 +6378,7 @@ for (;; ptr++)
  
          default:
          *code = OP_END;
@@ -166,7 +158,7 @@
          memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
          code += 1 + LINK_SIZE;
          len += 1 + LINK_SIZE;
-@@ -6411,7 +6411,7 @@ for (;; ptr++)
+@@ -6411,7 +6410,7 @@ for (;; ptr++)
      newoptions = options;
      skipbytes = 0;
      bravalue = OP_CBRA;
@@ -175,7 +167,7 @@
      reset_bracount = FALSE;
  
      /* First deal with various "verbs" that can be introduced by '*'. */
-@@ -7086,14 +7086,26 @@ for (;; ptr++)
+@@ -7086,14 +7085,26 @@ for (;; ptr++)
            number. If the name is not found, set the value to 0 for a forward
            reference. */
  
@@ -204,7 +196,7 @@
  
            /* Count named back references. */
  
-@@ -7704,7 +7716,7 @@ for (;; ptr++)
+@@ -7704,7 +7715,7 @@ for (;; ptr++)
          const pcre_uchar *p;
          pcre_uint32 cf;
  
@@ -213,7 +205,7 @@
          terminator = (*(++ptr) == CHAR_LESS_THAN_SIGN)?
            CHAR_GREATER_THAN_SIGN : CHAR_APOSTROPHE;
  
-@@ -8031,6 +8043,7 @@ int length;
+@@ -8031,6 +8042,7 @@ int length;
  unsigned int orig_bracount;
  unsigned int max_bracount;
  branch_chain bc;
@@ -221,7 +213,7 @@
  
  /* If set, call the external function that checks for stack availability. */
  
-@@ -8048,6 +8061,8 @@ bc.current_branch = code;
+@@ -8048,6 +8060,8 @@ bc.current_branch = code;
  firstchar = reqchar = 0;
  firstcharflags = reqcharflags = REQ_UNSET;
  
@@ -230,7 +222,7 @@
  /* Accumulate the length for use in the pre-compile phase. Start with the
  length of the BRA and KET and any extra bytes that are required at the
  beginning. We accumulate in a local variable to save frequent testing of
-@@ -8241,12 +8256,16 @@ for (;;)
+@@ -8241,12 +8255,16 @@ for (;;)
  
      /* If it was a capturing subpattern, check to see if it contained any
      recursive back references. If so, we must wrap it in atomic brackets.
@@ -248,7 +240,7 @@
          memmove(start_bracket + 1 + LINK_SIZE, start_bracket,
            IN_UCHARS(code - start_bracket));
          *start_bracket = OP_ONCE;
-@@ -9265,7 +9284,7 @@ OP_RECURSE that are not fixed length get
+@@ -9265,7 +9283,7 @@ OP_RECURSE that are not fixed length get
  exceptional ones forgo this. We scan the pattern to check that they are fixed
  length, and set their lengths. */
  
@@ -257,8 +249,8 @@
    {
    pcre_uchar *cc = (pcre_uchar *)codestart;
  
---- pcre3-8.35.orig/testdata/testinput11
-+++ pcre3-8.35/testdata/testinput11
+--- a/testdata/testinput11
++++ b/testdata/testinput11
 @@ -132,4 +132,8 @@ is required for these tests. --/
  
  /abc(d|e)(*THEN)x(123(*THEN)4|567(b|q)(*THEN)xx)/B
@@ -268,8 +260,8 @@
 +/((?+1)(\1))/B
 +
  /-- End of testinput11 --/
---- pcre3-8.35.orig/testdata/testinput2
-+++ pcre3-8.35/testdata/testinput2
+--- a/testdata/testinput2
++++ b/testdata/testinput2
 @@ -4035,6 +4035,8 @@ backtracking verbs. --/
  
  /(?(R&6yh)abc)/
@@ -292,8 +284,8 @@
 +/(?=di(?<=(?1))|(?=(.))))/
 +
  /-- End of testinput2 --/
---- pcre3-8.35.orig/testdata/testoutput11-16
-+++ pcre3-8.35/testdata/testoutput11-16
+--- a/testdata/testoutput11-16
++++ b/testdata/testoutput11-16
 @@ -709,4 +709,43 @@ Memory allocation (code space): 14
   62     End
  ------------------------------------------------------------------
@@ -338,8 +330,8 @@
 +------------------------------------------------------------------
 +
  /-- End of testinput11 --/
---- pcre3-8.35.orig/testdata/testoutput11-32
-+++ pcre3-8.35/testdata/testoutput11-32
+--- a/testdata/testoutput11-32
++++ b/testdata/testoutput11-32
 @@ -709,4 +709,43 @@ Memory allocation (code space): 28
   62     End
  ------------------------------------------------------------------
@@ -384,8 +376,8 @@
 +------------------------------------------------------------------
 +
  /-- End of testinput11 --/
---- pcre3-8.35.orig/testdata/testoutput11-8
-+++ pcre3-8.35/testdata/testoutput11-8
+--- a/testdata/testoutput11-8
++++ b/testdata/testoutput11-8
 @@ -709,4 +709,43 @@ Memory allocation (code space): 10
   76     End
  ------------------------------------------------------------------
@@ -430,8 +422,8 @@
 +------------------------------------------------------------------
 +
  /-- End of testinput11 --/
---- pcre3-8.35.orig/testdata/testoutput2
-+++ pcre3-8.35/testdata/testoutput2
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
 @@ -14093,6 +14093,30 @@ Failed: malformed number or name after (
  /(?(R&6yh)abc)/
  Failed: group name must start with a non-digit at offset 5
diff -Nru pcre3-8.35/debian/patches/series pcre3-8.35/debian/patches/series
--- pcre3-8.35/debian/patches/series	2016-01-10 19:49:57.000000000 +0100
+++ pcre3-8.35/debian/patches/series	2016-03-26 07:38:16.000000000 +0100
@@ -21,3 +21,7 @@
 0001-Make-pcregrep-q-override-l-and-c-for-compatibility-w.patch
 0001-Add-missing-integer-overflow-checks.patch
 0001-Hack-in-yet-other-patch-for-a-bug-in-size-computatio.patch
+0001-Give-error-for-x-and-o.patch
+0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch
+0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch
+0001-Fixed-an-issue-with-nested-table-jumps.patch
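
Review bot: The order of the first two added entries is load-bearing and
nothing here says so: 0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch
edits the "digits missing in \x{} or \o{}" line and extends the enum after
the ERR86 entry that 0001-Give-error-for-x-and-o.patch introduces, so it
cannot be applied or dropped independently. All four new files also share the
0001- prefix, which hides that dependency; a comment line in series or a note
in the later patch's header would help whoever next refreshes the stack.
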
diff -Nru pcre3-8.35/debian/changelog pcre3-8.35/debian/changelog
--- pcre3-8.35/debian/changelog	2016-03-25 17:34:14.000000000 +0100
+++ pcre3-8.35/debian/changelog	2016-03-26 07:38:16.000000000 +0100
@@ -1,3 +1,11 @@
+pcre3 (2:8.35-3.3+deb8u4) jessie; urgency=medium
+
+  * Non-maintainer upload.
+  * Add 0001-Fixed-an-issue-with-nested-table-jumps.patch.
+    Fixes issue with nested table jumps. (Closes: #819050)
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Fri, 25 Mar 2016 19:58:10 +0100
+
 pcre3 (2:8.35-3.3+deb8u3) jessie; urgency=medium
 
   * Non-maintainer upload.
diff -Nru pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch
--- pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch	1970-01-01 01:00:00.000000000 +0100
+++ pcre3-8.35/debian/patches/0001-Fixed-an-issue-with-nested-table-jumps.patch	2016-03-26 07:38:16.000000000 +0100
@@ -0,0 +1,102 @@
+Description: Fixed an issue with nested table jumps
+Origin: upstream, http://vcs.pcre.org/pcre?view=revision&revision=1475
+Bug-Debian: https://bugs.debian.org/819050
+Forwarded: not-needed
+Author: Zoltan Herczeg <hzmester@freemail.hu>
+Reviewed-by: Salvatore Bonaccorso <carnil@debian.org>
+Last-Update: 2016-03-25
+Applied-Upstream: 8.36
+---
+
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -200,7 +200,7 @@ typedef struct stub_list {
+ 
+ typedef struct label_addr_list {
+   struct sljit_label *label;
+-  sljit_uw *addr;
++  sljit_uw *update_addr;
+   struct label_addr_list *next;
+ } label_addr_list;
+ 
+@@ -2070,7 +2070,7 @@ while (list_item)
+ common->stubs = NULL;
+ }
+ 
+-static void add_label_addr(compiler_common *common)
++static void add_label_addr(compiler_common *common, sljit_uw *update_addr)
+ {
+ DEFINE_COMPILER;
+ label_addr_list *label_addr;
+@@ -2079,10 +2079,9 @@ label_addr = sljit_alloc_memory(compiler
+ if (label_addr == NULL)
+   return;
+ label_addr->label = LABEL();
+-label_addr->addr = common->read_only_data_ptr;
++label_addr->update_addr = update_addr;
+ label_addr->next = common->label_addrs;
+ common->label_addrs = label_addr;
+-common->read_only_data_ptr++;
+ }
+ 
+ static SLJIT_INLINE void count_match(compiler_common *common)
+@@ -8819,6 +8818,7 @@ pcre_uchar *ccprev;
+ pcre_uchar bra = OP_BRA;
+ pcre_uchar ket;
+ assert_backtrack *assert;
++sljit_uw *next_update_addr;
+ BOOL has_alternatives;
+ BOOL needs_control_head = FALSE;
+ struct sljit_jump *brazero = NULL;
+@@ -8988,8 +8988,10 @@ else if (has_alternatives)
+   if (alt_max > 4)
+     {
+     /* Table jump if alt_max is greater than 4. */
+-    sljit_emit_ijump(compiler, SLJIT_JUMP, SLJIT_MEM1(TMP1), (sljit_sw)common->read_only_data_ptr);
+-    add_label_addr(common);
++    next_update_addr = common->read_only_data_ptr;
++    common->read_only_data_ptr += alt_max;
++    sljit_emit_ijump(compiler, SLJIT_JUMP, SLJIT_MEM1(TMP1), (sljit_sw)next_update_addr);
++    add_label_addr(common, next_update_addr++);
+     }
+   else
+     {
+@@ -9121,7 +9123,7 @@ if (has_alternatives)
+     if (opcode != OP_ONCE)
+       {
+       if (alt_max > 4)
+-        add_label_addr(common);
++        add_label_addr(common, next_update_addr++);
+       else
+         {
+         if (alt_count != 2 * sizeof(sljit_uw))
+@@ -10316,7 +10318,7 @@ executable_size = sljit_get_generated_co
+ label_addr = common->label_addrs;
+ while (label_addr != NULL)
+   {
+-  *label_addr->addr = sljit_get_label_addr(label_addr->label);
++  *label_addr->update_addr = sljit_get_label_addr(label_addr->label);
+   label_addr = label_addr->next;
+   }
+ sljit_free_compiler(compiler);
+--- a/testdata/testinput1
++++ b/testdata/testinput1
+@@ -5675,4 +5675,7 @@ AbcdCBefgBhiBqz
+ "(?|(\k'Pm')|(?'Pm'))"
+     abcd
+ 
++/(?:x|(?:(xx|yy)+|x|x|x|x|x)|a|a|a)bc/
++    acb
++
+ /-- End of testinput1 --/
+--- a/testdata/testoutput1
++++ b/testdata/testoutput1
+@@ -9328,4 +9328,8 @@ No match
+  0: 
+  1: 
+ 
++/(?:x|(?:(xx|yy)+|x|x|x|x|x)|a|a|a)bc/
++    acb
++No match
++
+ /-- End of testinput1 --/
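
Review bot: next_update_addr is declared in the -8819 hunk without an
initializer and assigned only inside the "alt_max > 4" branch at -8988; the
later use at -9121 sits under the same condition, but initializing it to NULL
at the declaration would make that dependency explicit and avoid
maybe-uninitialized compiler warnings. The added case in testdata/testinput1
also exercises this fix only when the test suite runs with JIT enabled, so it
is worth confirming that the package build runs the tests that way.
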
diff -Nru pcre3-8.35/debian/patches/series pcre3-8.35/debian/patches/series
--- pcre3-8.35/debian/patches/series	2016-03-25 17:34:14.000000000 +0100
+++ pcre3-8.35/debian/patches/series	2016-03-26 07:38:16.000000000 +0100
@@ -24,3 +24,4 @@
 0001-Give-error-for-x-and-o.patch
 0001-Fix-workspace-overflow-for-ACCEPT-with-deeply-nested.patch
 0001-Yet-another-duplicate-name-bugfix-by-overestimating-.patch
+0001-Fixed-an-issue-with-nested-table-jumps.patch
