rpms/pcre
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix CVE-2017-7186 in JIT mode

Browse Source
This commit is contained in:
Petr Písař 2017-04-21 10:07:32 +02:00
parent 34de8513c6
commit a82fb773cc
2 changed files with 87 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
pcre-8.40-Fix-character-type-detection-when-32-bit-and-UCP-are.patch Normal file
View File

@ -0,0 +1,78 @@
From 3b8f1ab07fb1744c57f5d04c872e81d8d669de87 Mon Sep 17 00:00:00 2001
From: zherczeg <zherczeg@2f5784b3-3f2a-0410-8824-cb99058d5e15>
Date: Fri, 31 Mar 2017 05:41:17 +0000
Subject: [PATCH] Fix character type detection when 32-bit and UCP are enabled
but UTF is not in JIT.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1693 2f5784b3-3f2a-0410-8824-cb99058d5e15
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
pcre_jit_compile.c | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/pcre_jit_compile.c b/pcre_jit_compile.c
index 1a8ce1e..c9db7ee 100644
--- a/pcre_jit_compile.c
+++ b/pcre_jit_compile.c
@@ -559,6 +559,8 @@ the start pointers when the end of the capturing group has not yet reached. */
#define READ_CHAR_MAX 0x7fffffff
+#define INVALID_UTF_CHAR 888
+
static pcre_uchar *bracketend(pcre_uchar *cc)
{
SLJIT_ASSERT((*cc >= OP_ASSERT && *cc <= OP_ASSERTBACK_NOT) || (*cc >= OP_ONCE && *cc <= OP_SCOND));
@@ -3277,10 +3279,30 @@ static void do_getucd(compiler_common *common)
/* Search the UCD record for the character comes in TMP1.
Returns chartype in TMP1 and UCD offset in TMP2. */
DEFINE_COMPILER;
+#ifdef COMPILE_PCRE32
+struct sljit_jump *jump;
+#endif
+
+#if defined SLJIT_DEBUG && SLJIT_DEBUG
+/* dummy_ucd_record */
+const ucd_record *record = GET_UCD(INVALID_UTF_CHAR);
+SLJIT_ASSERT(record->script == ucp_Common && record->chartype == ucp_Cn && record->gbprop == ucp_gbOther);
+SLJIT_ASSERT(record->caseset == 0 && record->other_case == 0);
+#endif
SLJIT_ASSERT(UCD_BLOCK_SIZE == 128 && sizeof(ucd_record) == 8);
sljit_emit_fast_enter(compiler, RETURN_ADDR, 0);
+
+#ifdef COMPILE_PCRE32
+if (!common->utf)
+ {
+ jump = CMP(SLJIT_LESS, TMP1, 0, SLJIT_IMM, 0x10ffff + 1);
+ OP1(SLJIT_MOV, TMP1, 0, SLJIT_IMM, INVALID_UTF_CHAR);
+ JUMPHERE(jump);
+ }
+#endif
+
OP2(SLJIT_LSHR, TMP2, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_SHIFT);
OP1(SLJIT_MOV_U8, TMP2, 0, SLJIT_MEM1(TMP2), (sljit_sw)PRIV(ucd_stage1));
OP2(SLJIT_AND, TMP1, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_MASK);
@@ -5636,6 +5658,15 @@ if (needstype || needsscript)
if (needschar && !charsaved)
OP1(SLJIT_MOV, RETURN_ADDR, 0, TMP1, 0);
+#ifdef COMPILE_PCRE32
+ if (!common->utf)
+ {
+ jump = CMP(SLJIT_LESS, TMP1, 0, SLJIT_IMM, 0x10ffff + 1);
+ OP1(SLJIT_MOV, TMP1, 0, SLJIT_IMM, INVALID_UTF_CHAR);
+ JUMPHERE(jump);
+ }
+#endif
+
OP2(SLJIT_LSHR, TMP2, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_SHIFT);
OP1(SLJIT_MOV_U8, TMP2, 0, SLJIT_MEM1(TMP2), (sljit_sw)PRIV(ucd_stage1));
OP2(SLJIT_AND, TMP1, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_MASK);
--
2.7.4

9
pcre.spec
View File

@ -65,6 +65,11 @@ Patch10: pcre-8.40-Fix-DFA-match-handling-of-possessive-repeated-charac.patch
# Fix a buffer overflow in pcretest tool when copying a string in UTF-32 mode, # Fix a buffer overflow in pcretest tool when copying a string in UTF-32 mode,
# in upstream after 8.40 # in upstream after 8.40
Patch11: pcre-8.40-Fix-typo-leading-to-possible-buffer-overflow-in-pcre.patch Patch11: pcre-8.40-Fix-typo-leading-to-possible-buffer-overflow-in-pcre.patch
# Fix CVE-2017-7186 in JIT mode (a crash when finding a Unicode property for
# a character with a code point greater than 0x10ffff in UTF-32 library while
# UTF mode is disabled), bug #1434504, upstream bug #2052,
# in upstream after 8.40
Patch12: pcre-8.40-Fix-character-type-detection-when-32-bit-and-UCP-are.patch
BuildRequires: readline-devel BuildRequires: readline-devel
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -165,6 +170,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
%patch9 -p1 %patch9 -p1
%patch10 -p1 %patch10 -p1
%patch11 -p1 %patch11 -p1
%patch12 -p1
# Because of rpath patch # Because of rpath patch
libtoolize --copy --force libtoolize --copy --force
autoreconf -vif autoreconf -vif
@ -263,6 +269,9 @@ make %{?_smp_mflags} check VERBOSE=yes
%changelog %changelog
* Fri Apr 21 2017 Petr Pisar <ppisar@redhat.com> - 8.40-7 * Fri Apr 21 2017 Petr Pisar <ppisar@redhat.com> - 8.40-7
- Fix a buffer overflow in pcretest tool when copying a string in UTF-32 mode - Fix a buffer overflow in pcretest tool when copying a string in UTF-32 mode
- Fix CVE-2017-7186 in JIT mode (a crash when finding a Unicode property for
a character with a code point greater than 0x10ffff in UTF-32 library while
UTF mode is disabled) (bug #1434504)
* Mon Mar 27 2017 Petr Pisar <ppisar@redhat.com> - 8.40-6 * Mon Mar 27 2017 Petr Pisar <ppisar@redhat.com> - 8.40-6
- Fix DFA match for a possessively repeated character class (upstream bug #2086) - Fix DFA match for a possessively repeated character class (upstream bug #2086)