From 25c98b9ed0137a5752bcb61cc9a59f7eac3f287b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Mon, 19 Oct 2020 16:22:47 +0200
Subject: [PATCH] Fix reading an uninitialized memory when populating a name table
---
 ...-Inicialize-name-table-memory-region.patch | 44 +++++++++++++++++++
 pcre.spec | 10 ++++-
 2 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 pcre-8.44-Inicialize-name-table-memory-region.patch
diff --git a/pcre-8.44-Inicialize-name-table-memory-region.patch b/pcre-8.44-Inicialize-name-table-memory-region.patch
new file mode 100644
index 0000000..747ac05
--- /dev/null
+++ b/pcre-8.44-Inicialize-name-table-memory-region.patch
@@ -0,0 +1,44 @@
+From f0bb9e8baf3157e0a84f484f194984295b2db23a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
+Date: Mon, 19 Oct 2020 16:15:14 +0200
+Subject: [PATCH] Inicialize name table memory region
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Name table entry values are accessed past their ends in add_name()
+when comparing the values. Also a size of the entries could grow
+later. It's safer to initialize just after the allocation than to hunt
+the gaps later.
+
+Reproducer:
+
+pcre_compile2("(?)(?)", PCRE_NO_AUTO_CAPTURE | PCRE_CASELESS, &ec, &eb, &eo, NULL);
+
+built with clang++ -fsanitize=memory -fsanitize=fuzzer-no-link.
+
+https://bugs.exim.org/show_bug.cgi?id=2661
+Signed-off-by: Petr Písař
+---
+ pcre_compile.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 3be0fbf..75309e0 100644
+--- a/pcre_compile.c
++++ b/pcre_compile.c
+@@ -9423,6 +9423,11 @@ if (re == NULL)
+ goto PCRE_EARLY_ERROR_RETURN;
+ }
+ 
++/* Initialize the memory. Name table entry values are accessed past their ends
++ * (e.g. in add_name()) when comparing the values. Also a size of the entry can
++ * grow later. It's safer to initialize here than to hunt the gaps later. */
++memset(re, 0, size);
++
+ /* Put in the magic number, and save the sizes, initial options, internal
+ flags, and character table pointer. NULL is used for the default character
+ tables. The nullpad field is at the end; it's there to help in the case when a
+-- 
+2.25.4
+
diff --git a/pcre.spec b/pcre.spec
index a727616..a9025ae 100644
--- a/pcre.spec
+++ b/pcre.spec
@@ -2,7 +2,7 @@
 #%%global rcversion RC1
 Name: pcre
 Version: 8.44
-Release: %{?rcversion:0.}1%{?rcversion:.%rcversion}%{?dist}.1
+Release: %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary: Perl-compatible regular expression library
 ## Source package only:
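Review bot: The added `memset(re, 0, size);` in the nested pcre_compile.c hunk clears the entire compiled-pattern block on every compile, while the patch subject and the new comment talk only about the name table; the comment should state the deliberate choice, e.g. `/* The header fields are not set yet, so the name table cannot be located here; clearing the whole block costs O(size) per compile but closes every gap. */`. Zero-filling makes the reads that add_name() performs past the end of each entry deterministic, but, as the message itself says, the comparison still reads beyond the stored name, so a follow-up that bounds that comparison by the entry length would remove the over-read itself rather than only its nondeterminism. The memset relies on `size` being the same value handed to the allocator on the line preceding the `if (re == NULL)` context, which is outside the nested hunk and should be confirmed. The enclosing function starts and ends outside the hunk.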
@@ -42,6 +42,9 @@ Patch2: pcre-8.41-fix_stack_estimator.patch
 # This amends ABI, application built with this patch cannot run with
 # previous libpcreposix builds.
 Patch3: pcre-8.42-Declare-POSIX-regex-function-names-as-macros-to-PCRE.patch
+# Fix reading an uninitialized memory when populating a name table,
+# upstream bug #2661, proposed to the upstream
+Patch4: pcre-8.44-Inicialize-name-table-memory-region.patch
 BuildRequires: readline-devel
 BuildRequires: autoconf
 BuildRequires: automake
@@ -129,6 +132,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
 %patch1 -p1
 %patch2 -p2
 %patch3 -p1
+%patch4 -p1
 # Because of the multilib patch
 libtoolize --copy --force
 autoreconf -vif
@@ -221,6 +225,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcretest.*
 
 %changelog
+* Mon Oct 19 2020 Petr Pisar - 8.44-2
+- Fix reading an uninitialized memory when populating a name table
+  (upstream bug #2661)
+
 * Tue Jul 28 2020 Fedora Release Engineering - 8.44-1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
 