head	1.4;
access;
symbols
	pkgsrc-2013Q2:1.4.0.14
	pkgsrc-2013Q2-base:1.4
	pkgsrc-2012Q4:1.4.0.12
	pkgsrc-2012Q4-base:1.4
	pkgsrc-2011Q4:1.4.0.10
	pkgsrc-2011Q4-base:1.4
	pkgsrc-2011Q2:1.4.0.8
	pkgsrc-2011Q2-base:1.4
	pkgsrc-2009Q4:1.4.0.6
	pkgsrc-2009Q4-base:1.4
	pkgsrc-2008Q4:1.4.0.4
	pkgsrc-2008Q4-base:1.4
	pkgsrc-2008Q3:1.4.0.2
	pkgsrc-2008Q3-base:1.4
	cube-native-xorg:1.3.0.6
	cube-native-xorg-base:1.3
	pkgsrc-2008Q2:1.3.0.4
	pkgsrc-2008Q2-base:1.3
	cwrapper:1.3.0.2;
locks; strict;
comment	@# @;


1.4
date	2008.09.13.16.14.13;	author jmmv;	state dead;
branches;
next	1.3;

1.3
date	2008.05.01.09.23.49;	author jmmv;	state Exp;
branches;
next	1.2;

1.2
date	2008.04.30.07.13.26;	author jmmv;	state Exp;
branches;
next	1.1;

1.1
date	2008.04.28.21.35.25;	author jmmv;	state Exp;
branches;
next	;


desc
@@


1.4
log
@Update boost to 1.36.0.  Way too many changes since 1.34 to be listed
here.  Based on patches sent by Brook Milligan through private mail
with some minimal changes by me to fix boost-python and builds on
Mac OS X.  Tested on NetBSD/amd64 current and Tiger.
@
text
@$NetBSD: patch-r42674,v 1.3 2008/05/01 09:23:49 jmmv Exp $

Fix for CVE-2008-0171.  Patch from Boost's svn repository, r42674.

--- boost/regex/v4/basic_regex_parser.hpp (revision 38864)
+++ boost/regex/v4/basic_regex_parser.hpp (revision 42674)
@@@@ -785,4 +785,5 @@@@
       case syntax_element_jump:
       case syntax_element_startmark:
+      case syntax_element_backstep:
          // can't legally repeat any of the above:
          fail(regex_constants::error_badrepeat, m_position - m_base);
@@@@ -1870,4 +1871,5 @@@@
    {
       re_syntax_base* b = this->getaddress(expected_alt_point);
+      // Make sure we have exactly one alternative following this state:
       if(b->type != syntax_element_alt)
       {
@@@@ -1878,4 +1880,13 @@@@
       {
          fail(regex_constants::error_bad_pattern, m_position - m_base);
+         return false;
+      }
+      // check for invalid repetition of next state:
+      b = this->getaddress(expected_alt_point);
+      b = this->getaddress(static_cast<re_alt*>(b)->next.i, b);
+      if((b->type != syntax_element_assert_backref)
+         && (b->type != syntax_element_startmark))
+      {
+         fail(regex_constants::error_badrepeat, m_position - m_base);
          return false;
       }
--- libs/regex/test/regress/test_perl_ex.cpp (revision 30980)
+++ libs/regex/test/regress/test_perl_ex.cpp (revision 42674)
@@@@ -122,4 +122,15 @@@@
    TEST_INVALID_REGEX("(?:(a)|b)(?(?<", perl);
    TEST_INVALID_REGEX("(?:(a)|b)(?(?<a", perl);
+
+   TEST_INVALID_REGEX("(?(?!#?)+)", perl);
+   TEST_INVALID_REGEX("(?(?=:-){0})", perl);
+   TEST_INVALID_REGEX("(?(123){1})", perl);
+   TEST_INVALID_REGEX("(?(?<=A)*)", perl);
+   TEST_INVALID_REGEX("(?(?<=A)+)", perl);
+
+   TEST_INVALID_REGEX("(?<!*|^)", perl);
+   TEST_INVALID_REGEX("(?<!*|A)", perl);
+   TEST_INVALID_REGEX("(?<=?|A)", perl);
+   TEST_INVALID_REGEX("(?<=*|\B)", perl);
 }
 
@


1.3
log
@Fix patches... again.  At some point they got corrupted and, even though
they applied correctly, broke the build of boost-libs later on.
@
text
@d1 1
a1 1
$NetBSD: patch-r42674,v 1.2 2008/04/30 07:13:26 jmmv Exp $
@


1.2
log
@Fix patches mangled due to bad end line terminators.  Noted by wiz@@.
Looks like OS X's patch did deal with these patches correctly, whereas
NetBSD's one complained.
@
text
@d1 1
a1 1
$NetBSD: patch-r42674,v 1.1 2008/04/28 21:35:25 jmmv Exp $
d5 15
a19 13
--- boost/regex/v4/basic_regex_parser.hpp.orig	2008-04-30 09:00:21.000000000 +0200
+++ boost/regex/v4/basic_regex_parser.hpp	2008-04-30 09:01:13.000000000 +0200
@@@@ -784,6 +784,7 @@@@ bool basic_regex_parser<charT, traits>::
          // do nothing...
          break;
       }
+      case syntax_element_backstep:

       insert_point = this->getoffset(this->m_last_state);
    }
    //
@@@@ -1869,6 +1870,7 @@@@ bool basic_regex_parser<charT, traits>::
       }
       else if(this->getaddress(static_cast<re_alt*>(b)->alt.i, b)->type == syntax_element_alt)
a20 1
+      // Make sure we have exactly one alternative following this state:

d22 9
d33 3
a35 20
@@@@ -1877,6 +1879,15 @@@@ bool basic_regex_parser<charT, traits>::
    // append closing parenthesis state:
    //
    pb = static_cast<re_brace*>(this->append_state(syntax_element_endmark, sizeof(re_brace)));
+         return false;

+      }

+      // check for invalid repetition of next state:

+      b = this->getaddress(expected_alt_point);

+      b = this->getaddress(static_cast<re_alt*>(b)->next.i, b);

+      if((b->type != syntax_element_assert_backref)

+         && (b->type != syntax_element_startmark))

+      {

+         fail(regex_constants::error_badrepeat, m_position - m_base);

    pb->index = markid;
    this->m_paren_start = last_paren_start;
    //
--- libs/regex/test/regress/test_perl_ex.cpp.orig	2008-04-30 09:00:21.000000000 +0200
+++ libs/regex/test/regress/test_perl_ex.cpp	2008-04-30 09:01:13.000000000 +0200
@@@@ -121,6 +121,17 @@@@ void test_conditionals()
    TEST_INVALID_REGEX("(?:(a)|b)(?(?:", perl);
d38 11
a48 11
+

+   TEST_INVALID_REGEX("(?(?!#?)+)", perl);

+   TEST_INVALID_REGEX("(?(?=:-){0})", perl);

+   TEST_INVALID_REGEX("(?(123){1})", perl);

+   TEST_INVALID_REGEX("(?(?<=A)*)", perl);

+   TEST_INVALID_REGEX("(?(?<=A)+)", perl);

+

+   TEST_INVALID_REGEX("(?<!*|^)", perl);

+   TEST_INVALID_REGEX("(?<!*|A)", perl);

+   TEST_INVALID_REGEX("(?<=?|A)", perl);

+   TEST_INVALID_REGEX("(?<=*|\B)", perl);

a50 1
 void test_options()
@


1.1
log
@Apply patches to fix CVE-2008-0171 in boost-headers and boost-libs.
This is a fix for a possible DoS when using Boost.Regex in an application.

Note that the fix goes into a header, so all applications that use
Boost.Regex may be affected by the problem and need to be rebuilt.
@
text
@d1 58
a58 50
$NetBSD$

Fix for CVE-2008-0171.  Patch from Boost's svn repository, r42674.

--- boost/regex/v4/basic_regex_parser.hpp (revision 38864)
+++ boost/regex/v4/basic_regex_parser.hpp (revision 42674)
@@@@ -785,4 +785,5 @@@@
       case syntax_element_jump:
       case syntax_element_startmark:
+      case syntax_element_backstep:
          // can't legally repeat any of the above:
          fail(regex_constants::error_badrepeat, m_position - m_base);
@@@@ -1870,4 +1871,5 @@@@
    {
       re_syntax_base* b = this->getaddress(expected_alt_point);
+      // Make sure we have exactly one alternative following this state:
       if(b->type != syntax_element_alt)
       {
@@@@ -1878,4 +1880,13 @@@@
       {
          fail(regex_constants::error_bad_pattern, m_position - m_base);
+         return false;
+      }
+      // check for invalid repetition of next state:
+      b = this->getaddress(expected_alt_point);
+      b = this->getaddress(static_cast<re_alt*>(b)->next.i, b);
+      if((b->type != syntax_element_assert_backref)
+         && (b->type != syntax_element_startmark))
+      {
+         fail(regex_constants::error_badrepeat, m_position - m_base);
          return false;
       }
--- libs/regex/test/regress/test_perl_ex.cpp (revision 30980)
+++ libs/regex/test/regress/test_perl_ex.cpp (revision 42674)
@@@@ -122,4 +122,15 @@@@
    TEST_INVALID_REGEX("(?:(a)|b)(?(?<", perl);
    TEST_INVALID_REGEX("(?:(a)|b)(?(?<a", perl);
+
+   TEST_INVALID_REGEX("(?(?!#?)+)", perl);
+   TEST_INVALID_REGEX("(?(?=:-){0})", perl);
+   TEST_INVALID_REGEX("(?(123){1})", perl);
+   TEST_INVALID_REGEX("(?(?<=A)*)", perl);
+   TEST_INVALID_REGEX("(?(?<=A)+)", perl);
+
+   TEST_INVALID_REGEX("(?<!*|^)", perl);
+   TEST_INVALID_REGEX("(?<!*|A)", perl);
+   TEST_INVALID_REGEX("(?<=?|A)", perl);
+   TEST_INVALID_REGEX("(?<=*|\B)", perl);
 }
 
@