From a82fb773cc7257b952cb45add94a8d9091698873 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Fri, 21 Apr 2017 10:07:32 +0200
Subject: [PATCH] Fix CVE-2017-7186 in JIT mode
---
 ...pe-detection-when-32-bit-and-UCP-are.patch | 78 +++++++++++++++++++
 pcre.spec | 9 +++
 2 files changed, 87 insertions(+)
 create mode 100644 pcre-8.40-Fix-character-type-detection-when-32-bit-and-UCP-are.patch
diff --git a/pcre-8.40-Fix-character-type-detection-when-32-bit-and-UCP-are.patch b/pcre-8.40-Fix-character-type-detection-when-32-bit-and-UCP-are.patch
new file mode 100644
index 0000000..2ec84b5
--- /dev/null
+++ b/pcre-8.40-Fix-character-type-detection-when-32-bit-and-UCP-are.patch
@@ -0,0 +1,78 @@
+From 3b8f1ab07fb1744c57f5d04c872e81d8d669de87 Mon Sep 17 00:00:00 2001
+From: zherczeg
+Date: Fri, 31 Mar 2017 05:41:17 +0000
+Subject: [PATCH] Fix character type detection when 32-bit and UCP are enabled
+ but UTF is not in JIT.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1693 2f5784b3-3f2a-0410-8824-cb99058d5e15
+Signed-off-by: Petr Písař
+---
+ pcre_jit_compile.c | 31 +++++++++++++++++++++++++++++++
+ 1 file changed, 31 insertions(+)
+
+diff --git a/pcre_jit_compile.c b/pcre_jit_compile.c
+index 1a8ce1e..c9db7ee 100644
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -559,6 +559,8 @@ the start pointers when the end of the capturing group has not yet reached. */
+
+ #define READ_CHAR_MAX 0x7fffffff
++#define INVALID_UTF_CHAR 888
++ static pcre_uchar *bracketend(pcre_uchar *cc)
+ {
+ SLJIT_ASSERT((*cc >= OP_ASSERT && *cc <= OP_ASSERTBACK_NOT) || (*cc >= OP_ONCE && *cc <= OP_SCOND));
+@@ -3277,10 +3279,30 @@ static void do_getucd(compiler_common *common)
+ /* Search the UCD record for the character comes in TMP1.
+ Returns chartype in TMP1 and UCD offset in TMP2.
*/
+ DEFINE_COMPILER;
++#ifdef COMPILE_PCRE32
++struct sljit_jump *jump;
++#endif
++
++#if defined SLJIT_DEBUG && SLJIT_DEBUG
++/* dummy_ucd_record */
++const ucd_record *record = GET_UCD(INVALID_UTF_CHAR);
++SLJIT_ASSERT(record->script == ucp_Common && record->chartype == ucp_Cn && record->gbprop == ucp_gbOther);
++SLJIT_ASSERT(record->caseset == 0 && record->other_case == 0);
++#endif
+
+ SLJIT_ASSERT(UCD_BLOCK_SIZE == 128 && sizeof(ucd_record) == 8);
+
+ sljit_emit_fast_enter(compiler, RETURN_ADDR, 0);
++
++#ifdef COMPILE_PCRE32
++if (!common->utf)
++ {
++ jump = CMP(SLJIT_LESS, TMP1, 0, SLJIT_IMM, 0x10ffff + 1);
++ OP1(SLJIT_MOV, TMP1, 0, SLJIT_IMM, INVALID_UTF_CHAR);
++ JUMPHERE(jump);
++ }
++#endif
++
+ OP2(SLJIT_LSHR, TMP2, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_SHIFT);
+ OP1(SLJIT_MOV_U8, TMP2, 0, SLJIT_MEM1(TMP2), (sljit_sw)PRIV(ucd_stage1));
+ OP2(SLJIT_AND, TMP1, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_MASK);
+@@ -5636,6 +5658,15 @@ if (needstype || needsscript)
+ if (needschar && !charsaved)
+ OP1(SLJIT_MOV, RETURN_ADDR, 0, TMP1, 0);
+
++#ifdef COMPILE_PCRE32
++ if (!common->utf)
++ {
++ jump = CMP(SLJIT_LESS, TMP1, 0, SLJIT_IMM, 0x10ffff + 1);
++ OP1(SLJIT_MOV, TMP1, 0, SLJIT_IMM, INVALID_UTF_CHAR);
++ JUMPHERE(jump);
++ }
++#endif
++
+ OP2(SLJIT_LSHR, TMP2, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_SHIFT);
+ OP1(SLJIT_MOV_U8, TMP2, 0, SLJIT_MEM1(TMP2), (sljit_sw)PRIV(ucd_stage1));
+ OP2(SLJIT_AND, TMP1, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_MASK);
+--
+2.7.4
+
diff --git a/pcre.spec b/pcre.spec
index 238d86e..e5c70ad 100644
--- a/pcre.spec
+++ b/pcre.spec
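Review bot: The new range guard in do_getucd and its identical twin under `if (needstype || needsscript)` (second hunk; that enclosing function starts and ends outside the hunk) carry no comment explaining why the bound is `0x10ffff + 1` or why `INVALID_UTF_CHAR` is `888`, even though the whole fix rests on those two values keeping the `ucd_stage1` index inside the table. The debug assertions show what `888` is for — its UCD record is the dummy `ucp_Cn`/`ucp_Common` entry — so I would say that next to the `#define`: `/* Code point whose UCD record is the dummy "unassigned" entry; 32-bit code units above 0x10ffff are mapped to it before indexing ucd_stage1 (see do_getucd). */`. `SLJIT_LESS` is sljit's unsigned compare, so code units with the top bit set are rejected as well; that deserves a comment so nobody later "fixes" it to `SLJIT_SIG_LESS`, which would let values at or above 0x80000000 reach the table lookup again. The seven-line block is now duplicated verbatim at both sites (only the indentation differs) and the second copy relies on a `jump` variable declared somewhere outside the hunk, so a small static helper would keep the two from drifting apart.
```c
#ifdef COMPILE_PCRE32
/* Without UTF a 32-bit code unit may be larger than 0x10ffff; map such values
to INVALID_UTF_CHAR (a code point with a dummy, unassigned UCD record) so the
ucd_stage1 lookup that follows stays inside the table. SLJIT_LESS is an
unsigned compare, so values with the top bit set are caught as well. */
static void clamp_ucd_char(compiler_common *common)
{
DEFINE_COMPILER;
struct sljit_jump *jump;

if (common->utf)
  return;

jump = CMP(SLJIT_LESS, TMP1, 0, SLJIT_IMM, 0x10ffff + 1);
OP1(SLJIT_MOV, TMP1, 0, SLJIT_IMM, INVALID_UTF_CHAR);
JUMPHERE(jump);
}
#endif

/* … unchanged: do_getucd prologue up to sljit_emit_fast_enter … */
#ifdef COMPILE_PCRE32
clamp_ucd_char(common);
#endif
OP2(SLJIT_LSHR, TMP2, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_SHIFT);
/* … unchanged: remainder of do_getucd; same two-line call replaces the second copy … */
```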
@@ -65,6 +65,11 @@ Patch10: pcre-8.40-Fix-DFA-match-handling-of-possessive-repeated-charac.patch
 # Fix a buffer overflow in pcretest tool when copying a string in UTF-32 mode,
 # in upstream after 8.40
 Patch11: pcre-8.40-Fix-typo-leading-to-possible-buffer-overflow-in-pcre.patch
+# Fix CVE-2017-7186 in JIT mode (a crash when finding a Unicode property for
+# a character with a code point greater than 0x10ffff in UTF-32 library while
+# UTF mode is disabled), bug #1434504, upstream bug #2052,
+# in upstream after 8.40
+Patch12: pcre-8.40-Fix-character-type-detection-when-32-bit-and-UCP-are.patch
 BuildRequires: readline-devel
 BuildRequires: autoconf
 BuildRequires: automake
@@ -165,6 +170,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 # Because of rpath patch
 libtoolize --copy --force
 autoreconf -vif
@@ -263,6 +269,9 @@ make %{?_smp_mflags} check VERBOSE=yes
 %changelog
 * Fri Apr 21 2017 Petr Pisar - 8.40-7
 - Fix a buffer overflow in pcretest tool when copying a string in UTF-32 mode
+- Fix CVE-2017-7186 in JIT mode (a crash when finding a Unicode property for
+ a character with a code point greater than 0x10ffff in UTF-32 library while
+ UTF mode is disabled) (bug #1434504)
 * Mon Mar 27 2017 Petr Pisar - 8.40-6
 - Fix DFA match for a possessively repeated character class (upstream bug #2086)