Fix reading an uninitialized memory when populating a name table

2020-10-19 16:22:47 +02:00 · 2020-10-19 16:22:47 +02:00 · 25c98b9ed0
commit 25c98b9ed0
parent 601f55c979
2 changed files with 53 additions and 1 deletions
--- a/pcre-8.44-Inicialize-name-table-memory-region.patch
+++ b/pcre-8.44-Inicialize-name-table-memory-region.patch
@ -0,0 +1,44 @@
+From f0bb9e8baf3157e0a84f484f194984295b2db23a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Mon, 19 Oct 2020 16:15:14 +0200
+Subject: [PATCH] Inicialize name table memory region
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Name table entry values are accessed past their ends in add_name()
+when comparing the values. Also a size of the entries could grow
+later. It's safer to initialize just after the allocation than to hunt
+the gaps later.
+
+Reproducer:
+
+pcre_compile2("(?<f>)(?<fir>)", PCRE_NO_AUTO_CAPTURE | PCRE_CASELESS, &ec, &eb, &eo, NULL);
+
+built with clang++ -fsanitize=memory -fsanitize=fuzzer-no-link.
+
+https://bugs.exim.org/show_bug.cgi?id=2661
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ pcre_compile.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 3be0fbf..75309e0 100644
+--- a/pcre_compile.c
+++ b/pcre_compile.c
+@@ -9423,6 +9423,11 @@ if (re == NULL)
+   goto PCRE_EARLY_ERROR_RETURN;
+   }
+ 
+/* Initialize the memory. Name table entry values are accessed past their ends
+ * (e.g. in add_name()) when comparing the values. Also a size of the entry can
+ * grow later. It's safer to initialize here than to hunt the gaps later. */
+memset(re, 0, size);
+
+ /* Put in the magic number, and save the sizes, initial options, internal
+ flags, and character table pointer. NULL is used for the default character
+ tables. The nullpad field is at the end; it's there to help in the case when a
+-- 
+2.25.4
+
--- a/pcre.spec
+++ b/pcre.spec
@ -2,7 +2,7 @@
 #%%global rcversion RC1
 Name:       pcre
 Version:    8.44
-Release:    %{?rcversion:0.}1%{?rcversion:.%rcversion}%{?dist}.1
+Release:    %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 ## Source package only:
@ -42,6 +42,9 @@ Patch2:     pcre-8.41-fix_stack_estimator.patch
 # This amends ABI, application built with this patch cannot run with
 # previous libpcreposix builds.
 Patch3:     pcre-8.42-Declare-POSIX-regex-function-names-as-macros-to-PCRE.patch
+# Fix reading an uninitialized memory when populating a name table,
+# upstream bug #2661, proposed to the upstream
+Patch4:     pcre-8.44-Inicialize-name-table-memory-region.patch
 BuildRequires:  readline-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -129,6 +132,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
 %patch1 -p1
 %patch2 -p2
 %patch3 -p1
+%patch4 -p1
 # Because of the multilib patch
 libtoolize --copy --force
 autoreconf -vif
@ -221,6 +225,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcretest.*

 %changelog
+* Mon Oct 19 2020 Petr Pisar <ppisar@redhat.com> - 8.44-2
+- Fix reading an uninitialized memory when populating a name table
+  (upstream bug #2661)
+
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.44-1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild