From b7537308b7c758f33c347cb0bec62754c43c271f Mon Sep 17 00:00:00 2001
From: ph10 <ph10@2f5784b3-3f2a-0410-8824-cb99058d5e15>
Date: Sat, 27 Feb 2016 17:38:11 +0000
Subject: [PATCH] Yet another duplicate name bugfix by overestimating the
 memory needed (i.e. another hack - PCRE2 has this "properly" fixed).

git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1636 2f5784b3-3f2a-0410-8824-cb99058d5e15
---
 ChangeLog            | 7 +++++++
 pcre_compile.c       | 7 ++++++-
 testdata/testinput2  | 2 ++
 testdata/testoutput2 | 2 ++
 4 files changed, 17 insertions(+), 1 deletion(-)

14. And yet another buffer overflow bug involving duplicate named groups, this
    time nested, with a nested back reference. Yet again, I have just allowed
    for more memory, because anything more needs all the refactoring that has
    been done for PCRE2. An example pattern that provoked this bug is:
    /((?J)(?'R'(?'R'(?'R'(?'R'(?'R'(?|(\k'R'))))))))/ and the bug was
    registered as CVE-2016-1283.

diff --git a/pcre_compile.c b/pcre_compile.c
index 5019854..4ffea0c 100644
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -7311,7 +7311,12 @@ for (;; ptr++)
           so far in order to get the number. If the name is not found, leave
           the value of recno as 0 for a forward reference. */
 
-          else
+          /* This patch (removing "else") fixes a problem when a reference is
+          to multiple identically named nested groups from within the nest.
+          Once again, it is not the "proper" fix, and it results in an
+          over-allocation of memory. */
+
+          /* else */
             {
             ng = cd->named_groups;
             for (i = 0; i < cd->names_found; i++, ng++)
-- 
2.7.4