--- a/components/pcre/patches/04-CVE-2015-3210.patch Thu Dec 17 09:15:10 2015 -0800
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,456 +0,0 @@
-Patch from upstream:
-http://vcs.pcre.org/pcre?view=revision&revision=1558
-to fix CVE-2015-3210 in this upstream bug:
-https://bugs.exim.org/show_bug.cgi?id=1636
-
-Must also include the other commits to pcre_compile.c since 8.37;
-otherwise, a test case fails.
-http://vcs.pcre.org/pcre?view=revision&revision=1555
-http://vcs.pcre.org/pcre?view=revision&revision=1556
-http://vcs.pcre.org/pcre?view=revision&revision=1557
-
-This patch may be removed when pcre is upgraded from version 8.37
-
---- pcre-8.37-orig/ChangeLog 2015-04-28 04:37:57.000000000 -0700
-+++ pcre-8.37/ChangeLog 2015-06-18 14:04:00.765607692 -0700
-@@ -1,6 +1,29 @@
- ChangeLog for PCRE
- ------------------
-
-+Changes since Version 8.37
-+------------------------
-+
-+1. If a group that contained a recursive back reference also contained a
-+ forward reference subroutine call followed by a non-forward-reference
-+ subroutine call, for example /.((?2)(?R)\1)()/, pcre2_compile() failed to
-+ compile correct code, leading to undefined behaviour or an internally
-+ detected error. This bug was discovered by the LLVM fuzzer.
-+
-+2. Quantification of certain items (e.g. atomic back references) could cause
-+ incorrect code to be compiled when recursive forward references were
-+ involved. For example, in this pattern: /(?1)()((((((\1++))\x85)+)|))/.
-+ This bug was discovered by the LLVM fuzzer.
-+
-+3. A repeated conditional group whose condition was a reference by name caused
-+ a buffer overflow if there was more than one group with the given name.
-+ This bug was discovered by the LLVM fuzzer.
-+
-+4. A recursive back reference by name within a group that had the same name as
-+ another group caused a buffer overflow. For example:
-+ /(?J)(?'d'(?'d'\g{d}))/. This bug was discovered by the LLVM fuzzer.
-+
-+
- Version 8.37 28-April-2015
- --------------------------
-
---- pcre-8.37-orig/pcre_compile.c 2015-04-13 08:54:01.000000000 -0700
-+++ pcre-8.37/pcre_compile.c 2015-06-18 13:50:47.045221926 -0700
-@@ -3985,11 +3985,12 @@ have their offsets adjusted. That one of
- is called, the partially compiled regex must be temporarily terminated with
- OP_END.
-
--This function has been extended with the possibility of forward references for
--recursions and subroutine calls. It must also check the list of such references
--for the group we are dealing with. If it finds that one of the recursions in
--the current group is on this list, it adjusts the offset in the list, not the
--value in the reference (which is a group number).
-+This function has been extended to cope with forward references for recursions
-+and subroutine calls. It must check the list of such references for the
-+group we are dealing with. If it finds that one of the recursions in the
-+current group is on this list, it does not adjust the value in the reference
-+(which is a group number). After the group has been scanned, all the offsets in
-+the forward reference list for the group are adjusted.
-
- Arguments:
- group points to the start of the group
-@@ -4005,29 +4006,21 @@ static void
- adjust_recurse(pcre_uchar *group, int adjust, BOOL utf, compile_data *cd,
- size_t save_hwm_offset)
- {
-+int offset;
-+pcre_uchar *hc;
- pcre_uchar *ptr = group;
-
- while ((ptr = (pcre_uchar *)find_recurse(ptr, utf)) != NULL)
- {
-- int offset;
-- pcre_uchar *hc;
--
-- /* See if this recursion is on the forward reference list. If so, adjust the
-- reference. */
--
- for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset; hc < cd->hwm;
- hc += LINK_SIZE)
- {
- offset = (int)GET(hc, 0);
-- if (cd->start_code + offset == ptr + 1)
-- {
-- PUT(hc, 0, offset + adjust);
-- break;
-- }
-+ if (cd->start_code + offset == ptr + 1) break;
- }
-
-- /* Otherwise, adjust the recursion offset if it's after the start of this
-- group. */
-+ /* If we have not found this recursion on the forward reference list, adjust
-+ the recursion's offset if it's after the start of this group. */
-
- if (hc >= cd->hwm)
- {
-@@ -4037,6 +4030,15 @@ while ((ptr = (pcre_uchar *)find_recurse
-
- ptr += 1 + LINK_SIZE;
- }
-+
-+/* Now adjust all forward reference offsets for the group. */
-+
-+for (hc = (pcre_uchar *)cd->start_workspace + save_hwm_offset; hc < cd->hwm;
-+ hc += LINK_SIZE)
-+ {
-+ offset = (int)GET(hc, 0);
-+ PUT(hc, 0, offset + adjust);
-+ }
- }
-
-
-@@ -4465,7 +4467,7 @@ const pcre_uchar *tempptr;
- const pcre_uchar *nestptr = NULL;
- pcre_uchar *previous = NULL;
- pcre_uchar *previous_callout = NULL;
--size_t save_hwm_offset = 0;
-+size_t item_hwm_offset = 0;
- pcre_uint8 classbits[32];
-
- /* We can fish out the UTF-8 setting once and for all into a BOOL, but we
-@@ -4767,6 +4769,7 @@ for (;; ptr++)
- zeroreqchar = reqchar;
- zeroreqcharflags = reqcharflags;
- previous = code;
-+ item_hwm_offset = cd->hwm - cd->start_workspace;
- *code++ = ((options & PCRE_DOTALL) != 0)? OP_ALLANY: OP_ANY;
- break;
-
-@@ -4818,6 +4821,7 @@ for (;; ptr++)
- /* Handle a real character class. */
-
- previous = code;
-+ item_hwm_offset = cd->hwm - cd->start_workspace;
-
- /* PCRE supports POSIX class stuff inside a class. Perl gives an error if
- they are encountered at the top level, so we'll do that too. */
-@@ -5930,7 +5934,7 @@ for (;; ptr++)
- {
- register int i;
- int len = (int)(code - previous);
-- size_t base_hwm_offset = save_hwm_offset;
-+ size_t base_hwm_offset = item_hwm_offset;
- pcre_uchar *bralink = NULL;
- pcre_uchar *brazeroptr = NULL;
-
-@@ -5985,7 +5989,7 @@ for (;; ptr++)
- if (repeat_max <= 1) /* Covers 0, 1, and unlimited */
- {
- *code = OP_END;
-- adjust_recurse(previous, 1, utf, cd, save_hwm_offset);
-+ adjust_recurse(previous, 1, utf, cd, item_hwm_offset);
- memmove(previous + 1, previous, IN_UCHARS(len));
- code++;
- if (repeat_max == 0)
-@@ -6009,7 +6013,7 @@ for (;; ptr++)
- {
- int offset;
- *code = OP_END;
-- adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, save_hwm_offset);
-+ adjust_recurse(previous, 2 + LINK_SIZE, utf, cd, item_hwm_offset);
- memmove(previous + 2 + LINK_SIZE, previous, IN_UCHARS(len));
- code += 2 + LINK_SIZE;
- *previous++ = OP_BRAZERO + repeat_type;
-@@ -6267,7 +6271,7 @@ for (;; ptr++)
- {
- int nlen = (int)(code - bracode);
- *code = OP_END;
-- adjust_recurse(bracode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
-+ adjust_recurse(bracode, 1 + LINK_SIZE, utf, cd, item_hwm_offset);
- memmove(bracode + 1 + LINK_SIZE, bracode, IN_UCHARS(nlen));
- code += 1 + LINK_SIZE;
- nlen += 1 + LINK_SIZE;
-@@ -6401,7 +6405,7 @@ for (;; ptr++)
- else
- {
- *code = OP_END;
-- adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
-+ adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, item_hwm_offset);
- memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
- code += 1 + LINK_SIZE;
- len += 1 + LINK_SIZE;
-@@ -6450,7 +6454,7 @@ for (;; ptr++)
-
- default:
- *code = OP_END;
-- adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, save_hwm_offset);
-+ adjust_recurse(tempcode, 1 + LINK_SIZE, utf, cd, item_hwm_offset);
- memmove(tempcode + 1 + LINK_SIZE, tempcode, IN_UCHARS(len));
- code += 1 + LINK_SIZE;
- len += 1 + LINK_SIZE;
-@@ -6623,7 +6627,7 @@ for (;; ptr++)
- newoptions = options;
- skipbytes = 0;
- bravalue = OP_CBRA;
-- save_hwm_offset = cd->hwm - cd->start_workspace;
-+ item_hwm_offset = cd->hwm - cd->start_workspace;
- reset_bracount = FALSE;
-
- /* Deal with the extended parentheses; all are introduced by '?', and the
-@@ -6769,7 +6773,7 @@ for (;; ptr++)
- ptr++;
- }
- namelen = (int)(ptr - name);
-- if (lengthptr != NULL) *lengthptr += IMM2_SIZE;
-+ if (lengthptr != NULL) skipbytes += IMM2_SIZE;
- }
-
- /* Check the terminator */
-@@ -7173,14 +7177,26 @@ for (;; ptr++)
- number. If the name is not found, set the value to 0 for a forward
- reference. */
-
-+ recno = 0;
- ng = cd->named_groups;
- for (i = 0; i < cd->names_found; i++, ng++)
- {
- if (namelen == ng->length &&
- STRNCMP_UC_UC(name, ng->name, namelen) == 0)
-- break;
-+ {
-+ open_capitem *oc;
-+ recno = ng->number;
-+ if (is_recurse) break;
-+ for (oc = cd->open_caps; oc != NULL; oc = oc->next)
-+ {
-+ if (oc->number == recno)
-+ {
-+ oc->flag = TRUE;
-+ break;
-+ }
-+ }
-+ }
- }
-- recno = (i < cd->names_found)? ng->number : 0;
-
- /* Count named back references. */
-
-@@ -7247,6 +7263,7 @@ for (;; ptr++)
- {
- if (firstcharflags == REQ_UNSET) firstcharflags = REQ_NONE;
- previous = code;
-+ item_hwm_offset = cd->hwm - cd->start_workspace;
- *code++ = ((options & PCRE_CASELESS) != 0)? OP_DNREFI : OP_DNREF;
- PUT2INC(code, 0, index);
- PUT2INC(code, 0, count);
-@@ -7360,6 +7377,7 @@ for (;; ptr++)
- HANDLE_RECURSION:
-
- previous = code;
-+ item_hwm_offset = cd->hwm - cd->start_workspace;
- called = cd->start_code;
-
- /* When we are actually compiling, find the bracket that is being
-@@ -7561,7 +7579,11 @@ for (;; ptr++)
- previous = NULL;
- cd->iscondassert = FALSE;
- }
-- else previous = code;
-+ else
-+ {
-+ previous = code;
-+ item_hwm_offset = cd->hwm - cd->start_workspace;
-+ }
-
- *code = bravalue;
- tempcode = code;
-@@ -7809,7 +7831,7 @@ for (;; ptr++)
- const pcre_uchar *p;
- pcre_uint32 cf;
-
-- save_hwm_offset = cd->hwm - cd->start_workspace; /* Normally this is set when '(' is read */
-+ item_hwm_offset = cd->hwm - cd->start_workspace; /* Normally this is set when '(' is read */
- terminator = (*(++ptr) == CHAR_LESS_THAN_SIGN)?
- CHAR_GREATER_THAN_SIGN : CHAR_APOSTROPHE;
-
-@@ -7877,6 +7899,7 @@ for (;; ptr++)
- HANDLE_REFERENCE:
- if (firstcharflags == REQ_UNSET) firstcharflags = REQ_NONE;
- previous = code;
-+ item_hwm_offset = cd->hwm - cd->start_workspace;
- *code++ = ((options & PCRE_CASELESS) != 0)? OP_REFI : OP_REF;
- PUT2INC(code, 0, recno);
- cd->backref_map |= (recno < 32)? (1 << recno) : 1;
-@@ -7906,6 +7929,7 @@ for (;; ptr++)
- if (!get_ucp(&ptr, &negated, &ptype, &pdata, errorcodeptr))
- goto FAILED;
- previous = code;
-+ item_hwm_offset = cd->hwm - cd->start_workspace;
- *code++ = ((escape == ESC_p) != negated)? OP_PROP : OP_NOTPROP;
- *code++ = ptype;
- *code++ = pdata;
-@@ -7946,6 +7970,7 @@ for (;; ptr++)
-
- {
- previous = (escape > ESC_b && escape < ESC_Z)? code : NULL;
-+ item_hwm_offset = cd->hwm - cd->start_workspace;
- *code++ = (!utf && escape == ESC_C)? OP_ALLANY : escape;
- }
- }
-@@ -7989,6 +8014,7 @@ for (;; ptr++)
-
- ONE_CHAR:
- previous = code;
-+ item_hwm_offset = cd->hwm - cd->start_workspace;
-
- /* For caseless UTF-8 mode when UCP support is available, check whether
- this character has more than one other case. If so, generate a special
---- pcre-8.37-orig/testdata/testinput11 2015-03-02 09:08:42.000000000 -0800
-+++ pcre-8.37/testdata/testinput11 2015-06-18 14:07:11.883240591 -0700
-@@ -136,4 +136,6 @@ is required for these tests. --/
-
- /((?+1)(\1))/B
-
-+/.((?2)(?R)\1)()/B
-+
- /-- End of testinput11 --/
---- pcre-8.37-orig/testdata/testinput2 2015-04-13 02:36:15.000000000 -0700
-+++ pcre-8.37/testdata/testinput2 2015-06-18 14:13:30.706283638 -0700
-@@ -4152,4 +4152,20 @@ backtracking verbs. --/
-
- /((?2){73}(?2))((?1))/
-
-+/.((?2)(?R)\1)()/BZ
-+
-+/(?1)()((((((\1++))\x85)+)|))/
-+
-+/(\9*+(?2);\3++()2|)++{/
-+
-+/\V\x85\9*+((?2)\3++()2)*:2/
-+
-+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
-+
-+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
-+
-+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
-+
-+"(?J)(?'d'(?'d'\g{d}))"
-+
- /-- End of testinput2 --/
---- pcre-8.37-orig/testdata/testoutput11-16 2015-03-02 09:09:21.000000000 -0800
-+++ pcre-8.37/testdata/testoutput11-16 2015-06-18 14:09:10.358550764 -0700
-@@ -748,4 +748,21 @@ Memory allocation (code space): 14
- 22 End
- ------------------------------------------------------------------
-
-+/.((?2)(?R)\1)()/B
-+------------------------------------------------------------------
-+ 0 23 Bra
-+ 2 Any
-+ 3 13 Once
-+ 5 9 CBra 1
-+ 8 18 Recurse
-+ 10 0 Recurse
-+ 12 \1
-+ 14 9 Ket
-+ 16 13 Ket
-+ 18 3 CBra 2
-+ 21 3 Ket
-+ 23 23 Ket
-+ 25 End
-+------------------------------------------------------------------
-+
- /-- End of testinput11 --/
---- pcre-8.37-orig/testdata/testoutput11-32 2015-03-02 09:09:30.000000000 -0800
-+++ pcre-8.37/testdata/testoutput11-32 2015-06-18 14:10:09.893600910 -0700
-@@ -748,4 +748,21 @@ Memory allocation (code space): 28
- 22 End
- ------------------------------------------------------------------
-
-+/.((?2)(?R)\1)()/B
-+------------------------------------------------------------------
-+ 0 23 Bra
-+ 2 Any
-+ 3 13 Once
-+ 5 9 CBra 1
-+ 8 18 Recurse
-+ 10 0 Recurse
-+ 12 \1
-+ 14 9 Ket
-+ 16 13 Ket
-+ 18 3 CBra 2
-+ 21 3 Ket
-+ 23 23 Ket
-+ 25 End
-+------------------------------------------------------------------
-+
- /-- End of testinput11 --/
---- pcre-8.37-orig/testdata/testoutput11-8 2015-03-02 09:09:13.000000000 -0800
-+++ pcre-8.37/testdata/testoutput11-8 2015-06-18 14:11:19.765400848 -0700
-@@ -748,4 +748,21 @@ Memory allocation (code space): 10
- 34 End
- ------------------------------------------------------------------
-
-+/.((?2)(?R)\1)()/B
-+------------------------------------------------------------------
-+ 0 35 Bra
-+ 3 Any
-+ 4 20 Once
-+ 7 14 CBra 1
-+ 12 27 Recurse
-+ 15 0 Recurse
-+ 18 \1
-+ 21 14 Ket
-+ 24 20 Ket
-+ 27 5 CBra 2
-+ 32 5 Ket
-+ 35 35 Ket
-+ 38 End
-+------------------------------------------------------------------
-+
- /-- End of testinput11 --/
---- pcre-8.37-orig/testdata/testoutput2 2015-04-13 02:36:27.000000000 -0700
-+++ pcre-8.37/testdata/testoutput2 2015-06-18 14:15:05.747984099 -0700
-@@ -14423,4 +14423,37 @@ Failed: lookbehind assertion is not fixe
-
- /((?2){73}(?2))((?1))/
-
-+/.((?2)(?R)\1)()/BZ
-+------------------------------------------------------------------
-+ Bra
-+ Any
-+ Once
-+ CBra 1
-+ Recurse
-+ Recurse
-+ \1
-+ Ket
-+ Ket
-+ CBra 2
-+ Ket
-+ Ket
-+ End
-+------------------------------------------------------------------
-+
-+/(?1)()((((((\1++))\x85)+)|))/
-+
-+/(\9*+(?2);\3++()2|)++{/
-+Failed: reference to non-existent subpattern at offset 22
-+
-+/\V\x85\9*+((?2)\3++()2)*:2/
-+Failed: reference to non-existent subpattern at offset 26
-+
-+/(((?(R)){0,2}) (?''((?'R')((?'R')))))/J
-+
-+/(((?(X)){0,2}) (?''((?'X')((?'X')))))/J
-+
-+/(((?(R)){0,2}) (?''((?'X')((?'R')))))/
-+
-+"(?J)(?'d'(?'d'\g{d}))"
-+
- /-- End of testinput2 --/