authorErlang/OTP <otp@erlang.org>2010-02-12 09:39:42 +0000
committerErlang/OTP <otp@erlang.org>2010-02-12 09:39:42 +0000
commitb14ca0fae3dcb3add0f5da7b194fdfc2b0e5f7f8 (patch)
treebd7561efb38ace7cbd815d810ff84039bf73f8a4
parent61489ddbe608e1fe7bd2301c55c6446f14e94cd9 (diff)
parentbb6370a20be07e6bd0c9f6e89a3cd9719dccbfd3 (diff)
Merge branch 'ms/pcre-security' into ccase/r13b04_dev
* ms/pcre-security: Fix CVE-2008-2371 (outer level option with alternatives caused crash). OTP-8438 The re module: A regular expression with an option change at the start of a pattern that had top-level alternatives could cause overwriting and/or a crash. (Thanks to Michael Santos.)
-rw-r--r--erts/emulator/pcre/pcre_compile.c21
-rw-r--r--lib/stdlib/test/re_SUITE.erl10
2 files changed, 17 insertions, 14 deletions
diff --git a/erts/emulator/pcre/pcre_compile.c b/erts/emulator/pcre/pcre_compile.c
index 235617fc06..29743362d4 100644
--- a/erts/emulator/pcre/pcre_compile.c
+++ b/erts/emulator/pcre/pcre_compile.c
@@ -4820,10 +4820,8 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
both phases.
If we are not at the pattern start, compile code to change the ims
- options if this setting actually changes any of them. We also pass the
- new setting back so that it can be put at the start of any following
- branches, and when this group ends (if we are in a group), a resetting
- item can be compiled. */
+ options if this setting actually changes any of them, and reset the
+ greedy defaults and the case value for firstbyte and reqbyte. */
if (*ptr == ')')
{
@@ -4831,7 +4829,6 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
(lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
{
cd->external_options = newoptions;
- options = newoptions;
}
else
{
@@ -4840,17 +4837,17 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
*code++ = OP_OPT;
*code++ = newoptions & PCRE_IMS;
}
-
- /* Change options at this level, and pass them back for use
- in subsequent branches. Reset the greedy defaults and the case
- value for firstbyte and reqbyte. */
-
- *optionsptr = options = newoptions;
greedy_default = ((newoptions & PCRE_UNGREEDY) != 0);
greedy_non_default = greedy_default ^ 1;
- req_caseopt = ((options & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
+ req_caseopt = ((newoptions & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
}
+ /* Change options at this level, and pass them back for use
+ in subsequent branches. When not at the start of the pattern, this
+ information is also necessary so that a resetting item can be
+ compiled at the end of a group (if we are in a group). */
+
+ *optionsptr = options = newoptions;
previous = NULL; /* This item can't be repeated */
continue; /* It is complete */
}
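Review bot: The comment relocated above `*optionsptr = options = newoptions;` says what the assignment is for, but not that it must now also run on the pattern-start path, which is the case the commit message ties to overwriting and/or a crash. Because this is vendored PCRE code, a later resync or tidy-up could move the line back inside the `else` without anyone noticing. Consider extending the comment with a sentence such as `This must also be done at the start of the pattern, so that later top-level alternatives see the new options (CVE-2008-2371).` The enclosing function begins and ends outside this hunk, so other writes to `*optionsptr` cannot be checked from here.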
diff --git a/lib/stdlib/test/re_SUITE.erl b/lib/stdlib/test/re_SUITE.erl
index fa50ba3b7a..02683f9f1a 100644
--- a/lib/stdlib/test/re_SUITE.erl
+++ b/lib/stdlib/test/re_SUITE.erl
@@ -18,12 +18,12 @@
%%
-module(re_SUITE).
--export([all/1, pcre/1,compile_options/1,run_options/1,combined_options/1,replace_autogen/1,global_capture/1,replace_input_types/1,replace_return/1,split_autogen/1,split_options/1,split_specials/1,error_handling/1]).
+-export([all/1, pcre/1,compile_options/1,run_options/1,combined_options/1,replace_autogen/1,global_capture/1,replace_input_types/1,replace_return/1,split_autogen/1,split_options/1,split_specials/1,error_handling/1,pcre_cve_2008_2371/1]).
-include("test_server.hrl").
-include_lib("kernel/include/file.hrl").
-all(suite) -> [pcre,compile_options,run_options,combined_options,replace_autogen,global_capture,replace_input_types,replace_return,split_autogen,split_options,split_specials,error_handling].
+all(suite) -> [pcre,compile_options,run_options,combined_options,replace_autogen,global_capture,replace_input_types,replace_return,split_autogen,split_options,split_specials,error_handling,pcre_cve_2008_2371].
pcre(doc) ->
["Run all applicable tests from the PCRE testsuites."];
@@ -538,3 +538,9 @@ error_handling(Config) when is_list(Config) ->
?t:timetrap_cancel(Dog),
ok.
+pcre_cve_2008_2371(doc) ->
+ "Fix as in http://vcs.pcre.org/viewvc?revision=360&view=revision";
+pcre_cve_2008_2371(Config) when is_list(Config) ->
+ %% Make sure it doesn't crash the emulator.
+ re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]),
+ ok.
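Review bot: The new case discards the result of `re:compile/2`, so it fails only if the emulator itself goes down; an `{error, _}` return, or a second alternative compiled without the caseless option, would still pass. Matching the result with `{ok, MP} = re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]),` and then checking that the option reached the second branch, e.g. `{match, _} = re:run(<<"a">>, MP),`, would pin the behaviour as well as the absence of a crash. That expected match is inferred from the pattern and should be confirmed on a fixed build. The case also sets no timetrap, unlike the `?t:timetrap_cancel(Dog)` visible at the end of `error_handling/1` just above.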