From d37658be6c1016fe0965fa9d947ec01eae0c7946 Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Thu, 28 Sep 2017 15:40:49 +0200
Subject: [PATCH] Apply upstream patch for CVE-2016-1283

Fix bug #75207, see also
https://bugzilla.redhat.com/show_bug.cgi?id=1295385
https://vcs.pcre.org/pcre?view=revision&revision=1636

(cherry picked from commit d11fceab151cd0410645f81eb7444af4388470c3)
---
 ext/pcre/pcrelib/pcre_compile.c |  7 ++++++-
 ext/pcre/tests/bug75207.phpt    | 10 ++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)
 create mode 100644 ext/pcre/tests/bug75207.phpt

diff --git a/ext/pcre/pcrelib/pcre_compile.c b/ext/pcre/pcrelib/pcre_compile.c
index 4d3b3139de..c9171cbee9 100644
--- a/ext/pcre/pcrelib/pcre_compile.c
+++ b/ext/pcre/pcrelib/pcre_compile.c
@@ -7274,7 +7274,12 @@ for (;; ptr++)
           so far in order to get the number. If the name is not found, leave
           the value of recno as 0 for a forward reference. */
 
-          else
+          /* This patch (removing "else") fixes a problem when a reference is
+          to multiple identically named nested groups from within the nest.
+          Once again, it is not the "proper" fix, and it results in an
+          over-allocation of memory. */
+
+          /* else */
             {
             ng = cd->named_groups;
             for (i = 0; i < cd->names_found; i++, ng++)
diff --git a/ext/pcre/tests/bug75207.phpt b/ext/pcre/tests/bug75207.phpt
new file mode 100644
index 0000000000..dea13a44ca
--- /dev/null
+++ b/ext/pcre/tests/bug75207.phpt
@@ -0,0 +1,10 @@
+--TEST--
+CVE-2016-1283, see bug #75207
+--FILE--
+<?php
+preg_match("/š(?:F?+(?:^(?(R)a+\"){99}-))(?J)(?'R'(?'R'<((?'RR'(?'R'\){97)?J)?J)(?'R'(?'R'\){99|(:(?|(?'R')(\k'R')|((?'R')))H'R'R)(H'R))))))/", "*b\dc");
+?>
+==DONE==
+--EXPECTF--
+Warning: preg_match(): Compilation failed: unmatched parentheses at offset %d in %s on line %d
+==DONE==
-- 
2.40.0