Fix infinite matching PRUNE (bug #735720)

2011-09-06 18:07:12 +02:00 · 2011-09-06 18:07:12 +02:00 · 584e50ee6c
commit 584e50ee6c
parent fcc2c60a31
2 changed files with 124 additions and 1 deletions
--- a/pcre-8.13-infinite_prune.patch
+++ b/pcre-8.13-infinite_prune.patch
@ -0,0 +1,115 @@
+r680 | ph10 | 2011-09-06 11:15:54 +0200 (Út, 06 zář 2011) | 2 lines
+
+Fix small return value bug.
+
+Index: pcre_dfa_exec.c
+===================================================================
+--- pcre_dfa_exec.c     (revision 679)
+++ pcre_dfa_exec.c     (revision 680)
+@@ -768,7 +768,7 @@
+                 current_subject > start_subject + md->start_offset)))
+           {
+           if (match_count < 0) match_count = (offsetcount >= 2)? 1 : 0;
+-            else if (match_count > 0 && ++match_count * 2 >= offsetcount)
+            else if (match_count > 0 && ++match_count * 2 > offsetcount)
+               match_count = 0;
+           count = ((match_count == 0)? offsetcount : match_count * 2) - 2;
+           if (count > 0) memmove(offsets + 2, offsets, count * sizeof(int));
+
+
+r681 | ph10 | 2011-09-06 11:16:32 +0200 (Út, 06 zář 2011) | 2 lines
+
+Fix loop/bad error when recursed group contains (*PRUNE) etc.
+
+When the number of matches in a pcre_dfa_exec() run exactly filled the 
+ovector, the return from the function was zero, implying that there were 
+other matches that did not fit. The correct "exactly full" value is now 
+returned. 
+
+If a subpattern that was called recursively or as a subroutine contained
+(*PRUNE) or any other control that caused it to give a non-standard return, 
+invalid errors such as "Error -26 (nested recursion at the same subject 
+position)" or even infinite loops could occur. 
+ 
+ 
+Index: pcre_exec.c
+===================================================================
+--- pcre_exec.c	(revision 680)
+++ pcre_exec.c	(revision 681)
+@@ -1556,10 +1556,10 @@
+           md, eptrb, RM6);
+         memcpy(md->offset_vector, new_recursive.offset_save,
+             new_recursive.saved_max * sizeof(int));
+        md->recursive = new_recursive.prevrec;
+         if (rrc == MATCH_MATCH || rrc == MATCH_ACCEPT)
+           {
+           DPRINTF(("Recursion matched\n"));
+-          md->recursive = new_recursive.prevrec;
+           if (new_recursive.offset_save != stacksave)
+             (pcre_free)(new_recursive.offset_save);
+ 
+Index: testdata/testoutput11
+===================================================================
+--- testdata/testoutput11	(revision 681)
+++ testdata/testoutput11	(revision 682)
+@@ -1259,4 +1259,12 @@
+ MK: any 
+ name
+     
+/(?>(?&t)c|(?&t))(?(DEFINE)(?<t>a|b(*PRUNE)c))/
+    a
+ 0: a
+    ba
+ 0: a
+    bba 
+ 0: a
+
+ /-- End of testinput11 --/
+Index: testdata/testinput7
+===================================================================
+--- testdata/testinput7	(revision 681)
+++ testdata/testinput7	(revision 682)
+@@ -4699,4 +4699,8 @@
+ /(?(R)a*(?1)|((?R))b)/
+     aaaabcde
+ 
+/(a+)/
+    \O6aaaa
+    \O8aaaa
+
+ /-- End of testinput7 --/
+Index: testdata/testoutput7
+===================================================================
+--- testdata/testoutput7	(revision 681)
+++ testdata/testoutput7	(revision 682)
+@@ -7846,4 +7846,16 @@
+     aaaabcde
+ Error -26 (nested recursion at the same subject position)
+ 
+/(a+)/
+    \O6aaaa
+Matched, but too many subsidiary matches
+ 0: aaaa
+ 1: aaa
+ 2: aa
+    \O8aaaa
+ 0: aaaa
+ 1: aaa
+ 2: aa
+ 3: a
+
+ /-- End of testinput7 --/
+Index: testdata/testinput11
+===================================================================
+--- testdata/testinput11	(revision 681)
+++ testdata/testinput11	(revision 682)
+@@ -670,4 +670,9 @@
+ name)/K
+     abc
+     
+/(?>(?&t)c|(?&t))(?(DEFINE)(?<t>a|b(*PRUNE)c))/
+    a
+    ba
+    bba 
+
+ /-- End of testinput11 --/
--- a/pcre.spec
+++ b/pcre.spec
@ -1,6 +1,6 @@
 Name: pcre
 Version: 8.13
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Perl-compatible regular expression library
 Group: System Environment/Libraries
 License: BSD
@ -11,6 +11,10 @@ Patch0: pcre-8.10-multilib.patch
 Patch1: pcre-8.12-refused_spelling_terminated.patch
 # Upstream bug #1136 fixed after 8.13, rhbz #732368
 Patch2: pcre-8.13-named_class_tokenizer.patch
+# Upstream bug
+# <https://lists.exim.org/lurker/message/20110904.203623.a32346f3.en.html>
+# fixed after 8.13, rhbz #735720
+Patch3: pcre-8.13-infinite_prune.patch
 BuildRequires: readline-devel
 # New libtool to get rid of rpath
 BuildRequires: autoconf, automake, libtool
@ -52,6 +56,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
 libtoolize --copy --force && autoreconf
 %patch1 -p1 -b .terminated_typos
 %patch2 -p1 -b .named_class_tokenizer
+%patch3 -p0 -b .infinite_prune
 # One contributor's name is non-UTF-8
 for F in ChangeLog; do
    iconv -f latin1 -t utf8 "$F" >"${F}.utf8"
@ -113,6 +118,9 @@ make check
 %{_mandir}/man1/pcretest.*

 %changelog
+* Tue Sep 06 2011 Petr Pisar <ppisar@redhat.com> - 8.13-4
+- Fix infinite matching PRUNE (bug #735720)
+
 * Mon Aug 22 2011 Petr Pisar <ppisar@redhat.com> - 8.13-3
 - Fix parsing named class in expression (bug #732368)