Fix reading an uninitialized memory when populating a name table

2020-10-19 16:22:47 +02:00 · 2020-10-19 16:22:47 +02:00 · 25c98b9ed0
commit 25c98b9ed0
parent 601f55c979
2 changed files with 53 additions and 1 deletions
--- a/pcre-8.44-Inicialize-name-table-memory-region.patch
+++ b/pcre-8.44-Inicialize-name-table-memory-region.patch
@ -0,0 +1,44 @@
 From f0bb9e8baf3157e0a84f484f194984295b2db23a Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
 Date: Mon, 19 Oct 2020 16:15:14 +0200
 Subject: [PATCH] Inicialize name table memory region
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Name table entry values are accessed past their ends in add_name()
 when comparing the values. Also a size of the entries could grow
 later. It's safer to initialize just after the allocation than to hunt
 the gaps later.
 Reproducer:
 pcre_compile2("(?<f>)(?<fir>)", PCRE_NO_AUTO_CAPTURE | PCRE_CASELESS, &ec, &eb, &eo, NULL);
 built with clang++ -fsanitize=memory -fsanitize=fuzzer-no-link.
 https://bugs.exim.org/show_bug.cgi?id=2661
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 pcre_compile.c | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/pcre_compile.c b/pcre_compile.c
 index 3be0fbf..75309e0 100644
 --- a/pcre_compile.c
 +++ b/pcre_compile.c
@@ -9423,6 +9423,11 @@ if (re == NULL)
   goto PCRE_EARLY_ERROR_RETURN;
   }
 +/* Initialize the memory. Name table entry values are accessed past their ends
 + * (e.g. in add_name()) when comparing the values. Also a size of the entry can
 + * grow later. It's safer to initialize here than to hunt the gaps later. */
 +memset(re, 0, size);
 +
 /* Put in the magic number, and save the sizes, initial options, internal
 flags, and character table pointer. NULL is used for the default character
 tables. The nullpad field is at the end; it's there to help in the case when a
 -- 
 2.25.4
--- a/pcre.spec
+++ b/pcre.spec
@ -2,7 +2,7 @@
 #%%global rcversion RC1
 Name:       pcre
 Version:    8.44
-Release:    %{?rcversion:0.}1%{?rcversion:.%rcversion}%{?dist}.1
+Release:    %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 ## Source package only:
@ -42,6 +42,9 @@ Patch2:     pcre-8.41-fix_stack_estimator.patch
 # This amends ABI, application built with this patch cannot run with
 # previous libpcreposix builds.
 Patch3:     pcre-8.42-Declare-POSIX-regex-function-names-as-macros-to-PCRE.patch
 # Fix reading an uninitialized memory when populating a name table,
 # upstream bug #2661, proposed to the upstream
 Patch4:     pcre-8.44-Inicialize-name-table-memory-region.patch
 BuildRequires:  readline-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -129,6 +132,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
 %patch1 -p1
 %patch2 -p2
 %patch3 -p1
 %patch4 -p1
 # Because of the multilib patch
 libtoolize --copy --force
 autoreconf -vif
@ -221,6 +225,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcretest.*
 %changelog
 * Mon Oct 19 2020 Petr Pisar <ppisar@redhat.com> - 8.44-2
 - Fix reading an uninitialized memory when populating a name table
  (upstream bug #2661)
 * Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 8.44-1.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild