pcre: patch CVE-2016-1283

This fixes CVE-2016-1283, which allows remote attackers to cause
a denial of service (heap-based buffer overflow) or possibly
have unspecified other impact via a crafted regular expression.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1283

2 files changed, 21 insertions, 2 deletions

diff --git a/pkgs/development/libraries/pcre/CVE-2016-1283.patch b/pkgs/development/libraries/pcre/CVE-2016-1283.patch
new file mode 100644
index 000000000000..2c2dad29e929
--- /dev/null
+++ b/pkgs/development/libraries/pcre/CVE-2016-1283.patch
@@ -0,0 +1,18 @@
+Index: pcre_compile.c
+===================================================================
+--- a/pcre_compile.c	(revision 1635)
++++ b/pcre_compile.c	(revision 1636)
+@@ -7311,7 +7311,12 @@
+           so far in order to get the number. If the name is not found, leave
+           the value of recno as 0 for a forward reference. */
+ 
+-          else
++          /* This patch (removing "else") fixes a problem when a reference is
++          to multiple identically named nested groups from within the nest.
++          Once again, it is not the "proper" fix, and it results in an
++          over-allocation of memory. */
++
++          /* else */
+             {
+             ng = cd->named_groups;
+             for (i = 0; i < cd->names_found; i++, ng++)
diff --git a/pkgs/development/libraries/pcre/default.nix b/pkgs/development/libraries/pcre/default.nix
index afeffae3e5fa..5ae79e91b922 100644
--- a/pkgs/development/libraries/pcre/default.nix
+++ b/pkgs/development/libraries/pcre/default.nix
@@ -22,8 +22,9 @@ in stdenv.mkDerivation rec {
     sha256 = "1pvra19ljkr5ky35y2iywjnsckrs9ch2anrf5b0dc91hw8v2vq5r";
   };
 
-  patches =
-    [ ];
+  patches = [
+    ./CVE-2016-1283.patch
+  ];
 
   outputs = [ "out" "doc" "man" ];