From 25b56008b2b00613b6c716804daf94c2f8783461 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Mon, 28 Jan 2013 09:59:14 +0100
Subject: [PATCH] Fix buffer over-read in UTF-16 and UTF-32 modes with JIT
---
 ...ver-read-issues-in-16-and-32-bit-mod.patch | 107 ++++++++++++++++++
 pcre.spec | 4 +
 2 files changed, 111 insertions(+)
 create mode 100644 pcre-8.32-Fix-two-buffer-over-read-issues-in-16-and-32-bit-mod.patch
diff --git a/pcre-8.32-Fix-two-buffer-over-read-issues-in-16-and-32-bit-mod.patch b/pcre-8.32-Fix-two-buffer-over-read-issues-in-16-and-32-bit-mod.patch
new file mode 100644
index 0000000..39f1a54
--- /dev/null
+++ b/pcre-8.32-Fix-two-buffer-over-read-issues-in-16-and-32-bit-mod.patch
@@ -0,0 +1,107 @@ +From be692806851f4883b87fc814adc80ab1bb46455e Mon Sep 17 00:00:00 2001 +From: zherczeg +Date: Sat, 26 Jan 2013 17:51:43 +0000 +Subject: [PATCH] Fix two buffer over read issues in 16 and 32 bit modes. + Affects JIT only. + +git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1242 2f5784b3-3f2a-0410-8824-cb99058d5e15 + +Petr Pisar: Ported to 8.32. + +diff --git a/pcre_jit_compile.c b/pcre_jit_compile.c +index 3b83340..7dfe558 100644 +--- a/pcre_jit_compile.c ++++ b/pcre_jit_compile.c +@@ -2696,10 +2696,10 @@ if (firstline) + { + SLJIT_ASSERT(common->first_line_end != 0); + OP1(SLJIT_MOV, TMP3, 0, STR_END, 0); +- OP2(SLJIT_SUB, STR_END, 0, SLJIT_MEM1(SLJIT_LOCALS_REG), common->first_line_end, SLJIT_IMM, (location >> 1) - 1); ++ OP2(SLJIT_SUB, STR_END, 0, SLJIT_MEM1(SLJIT_LOCALS_REG), common->first_line_end, SLJIT_IMM, IN_UCHARS((location >> 1) - 1)); + } + else +- OP2(SLJIT_SUB, STR_END, 0, STR_END, 0, SLJIT_IMM, (location >> 1) - 1); ++ OP2(SLJIT_SUB, STR_END, 0, STR_END, 0, SLJIT_IMM, IN_UCHARS((location >> 1) - 1)); + + start = LABEL(); + quit = CMP(SLJIT_C_GREATER_EQUAL, STR_PTR, 0, STR_END, 0); +@@ -2728,7 +2728,7 @@ JUMPHERE(quit); + if (firstline) + OP1(SLJIT_MOV, STR_END, 0, TMP3, 0); + else +- OP2(SLJIT_ADD, STR_END, 0, STR_END, 0, SLJIT_IMM, (location >> 1) - 1); ++ OP2(SLJIT_ADD, STR_END, 0, STR_END, 0, SLJIT_IMM, IN_UCHARS((location >> 1) - 1)); + return TRUE; + } + +@@ -3577,7 +3577,7 @@ do + #endif + + context->length -= IN_UCHARS(1); +-#if defined SLJIT_UNALIGNED && SLJIT_UNALIGNED ++#if (defined SLJIT_UNALIGNED && SLJIT_UNALIGNED) && (defined COMPILE_PCRE8 || defined COMPILE_PCRE16) + + /* Unaligned read is supported. 
*/ + if (othercasebit != 0 && othercasechar == cc) +@@ -3594,27 +3594,18 @@ do + + #if defined COMPILE_PCRE8 + if (context->ucharptr >= 4 || context->length == 0 || (context->ucharptr == 2 && context->length == 1)) +-#elif defined COMPILE_PCRE16 ++#else + if (context->ucharptr >= 2 || context->length == 0) +-#elif defined COMPILE_PCRE32 +- if (1 /* context->ucharptr >= 1 || context->length == 0 */) + #endif + { +-#if defined COMPILE_PCRE8 || defined COMPILE_PCRE16 + if (context->length >= 4) + OP1(SLJIT_MOV_SI, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length); +-#if defined COMPILE_PCRE8 + else if (context->length >= 2) + OP1(SLJIT_MOV_UH, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length); ++#if defined COMPILE_PCRE8 + else if (context->length >= 1) + OP1(SLJIT_MOV_UB, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length); +-#elif defined COMPILE_PCRE16 +- else if (context->length >= 2) +- OP1(SLJIT_MOV_UH, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length); +-#endif /* COMPILE_PCRE[8|16] */ +-#elif defined COMPILE_PCRE32 +- OP1(MOV_UCHAR, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length); +-#endif /* COMPILE_PCRE[8|16|32] */ ++#endif /* COMPILE_PCRE8 */ + context->sourcereg = context->sourcereg == TMP1 ? TMP2 : TMP1; + + switch(context->ucharptr) +@@ -3625,7 +3616,6 @@ do + add_jump(compiler, backtracks, CMP(SLJIT_C_NOT_EQUAL, context->sourcereg, 0, SLJIT_IMM, context->c.asint | context->oc.asint)); + break; + +-#if defined COMPILE_PCRE8 || defined COMPILE_PCRE16 + case 2 / sizeof(pcre_uchar): + if (context->oc.asushort != 0) + OP2(SLJIT_OR, context->sourcereg, 0, context->sourcereg, 0, SLJIT_IMM, context->oc.asushort); +@@ -3640,8 +3630,6 @@ do + break; + #endif + +-#endif /* COMPILE_PCRE[8|16] */ +- + default: + SLJIT_ASSERT_STOP(); + break; +@@ -3651,8 +3639,8 @@ do + + #else + +- /* Unaligned read is unsupported. */ +- if (context->length > 0) ++ /* Unaligned read is unsupported or in 32 bit mode. 
*/ ++ if (context->length >= 1) + OP1(MOV_UCHAR, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length); + + context->sourcereg = context->sourcereg == TMP1 ? TMP2 : TMP1; +-- +1.8.1 + diff --git a/pcre.spec b/pcre.spec index b50fa9f..89a56ca 100644 --- a/pcre.spec +++ b/pcre.spec @@ -15,6 +15,8 @@ Patch0: pcre-8.21-multilib.patch Patch1: pcre-8.32-refused_spelling_terminated.patch # In upstream after 8.32 Patch2: pcre-8.32-Fix-forward-search-in-JIT-when-link-size-is-3-or-gre.patch +# In upstream after 8.32 +Patch3: pcre-8.32-Fix-two-buffer-over-read-issues-in-16-and-32-bit-mod.patch BuildRequires: readline-devel # New libtool to get rid of rpath BuildRequires: autoconf, automake, libtool @@ -57,6 +59,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest. %patch0 -p1 -b .multilib %patch1 -p1 -b .terminated_typos %patch2 -p1 -b .forward_jit +%patch3 -p1 -b .buffer_over_read # Because of rpath patch libtoolize --copy --force && autoreconf -vif # One contributor's name is non-UTF-8 @@ -122,6 +125,7 @@ make check %changelog * Mon Jan 28 2013 Petr Pisar - 8.32-4 - Fix forward search in JIT when link size is 3 or greater +- Fix buffer over-read in UTF-16 and UTF-32 modes with JIT * Fri Jan 25 2013 Peter Robinson 8.32-3 - Adjust autoreconf to fix FTBFS on F-19
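Review bot: The three `IN_UCHARS((location >> 1) - 1)` sites in the first hunk of the embedded pcre_jit_compile.c patch correct a character-count versus byte-offset mismatch when adjusting STR_END, but nothing at those lines records which unit each operand is in, so a later edit can reintroduce the same over-read; a comment above the first OP2 such as `/* (location >> 1) - 1 presumably counts pcre_uchars; STR_END is a byte pointer, so scale with IN_UCHARS. */` would pin the contract (the unit of `location` is inferred, confirm against its definition). The rewrite of `if (context->length > 0)` to `if (context->length >= 1)` in the last hunk is behaviourally identical and only widens the backport diff; keeping the original form would make the port easier to audit against upstream r1242. Every hunk's enclosing function begins and ends outside the context shown, so the 8/16/32-bit `#if` nesting after the `#else` branch cannot be fully checked from here. The patch carries no regression test; a pcretest case that drives this fast-forward path under JIT in 16- and 32-bit modes would be the natural guard, unless the upstream commit already ships one.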