Do no rely on wrapping signed integer while parsing {min,max} expression

2014-04-11 14:13:19 +02:00 · 2014-04-11 14:13:19 +02:00 · d8b4c48a71
commit d8b4c48a71
parent 78f069a974
2 changed files with 73 additions and 1 deletions
--- a/pcre-8.35-Do-not-rely-on-wrapping-signed-integer-while-parsein.patch
+++ b/pcre-8.35-Do-not-rely-on-wrapping-signed-integer-while-parsein.patch
@ -0,0 +1,64 @@
+From a05e11ff3a663c06e0a30dfa86aa7ed4544a6008 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
+Date: Fri, 11 Apr 2014 13:41:13 +0200
+Subject: [PATCH] Do not rely on wrapping signed integer while parseing
+ {min,max}
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed integer overflow is not defined in C language. GCC 4.9 bails
+out here.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ pcre_compile.c | 24 ++++++++++++++++--------
+ 1 file changed, 16 insertions(+), 8 deletions(-)
+
+diff --git a/pcre_compile.c b/pcre_compile.c
+index 8a5b723..ce65058 100644
+--- a/pcre_compile.c
+++ b/pcre_compile.c
+@@ -1586,11 +1586,15 @@ int max = -1;
+ /* Read the minimum value and do a paranoid check: a negative value indicates
+ an integer overflow. */
+ 
+-while (IS_DIGIT(*p)) min = min * 10 + (int)(*p++ - CHAR_0);
+-if (min < 0 || min > 65535)
+while (IS_DIGIT(*p))
+   {
+-  *errorcodeptr = ERR5;
+-  return p;
+  min = min * 10 + (int)(*p++ - CHAR_0);
+  if (min > 65535)
+    {
+    *errorcodeptr = ERR5;
+    while (*p != CHAR_RIGHT_CURLY_BRACKET) p++;
+    return p;
+    }
+   }
+ 
+ /* Read the maximum value if there is one, and again do a paranoid on its size.
+@@ -1601,11 +1605,15 @@ if (*p == CHAR_RIGHT_CURLY_BRACKET) max = min; else
+   if (*(++p) != CHAR_RIGHT_CURLY_BRACKET)
+     {
+     max = 0;
+-    while(IS_DIGIT(*p)) max = max * 10 + (int)(*p++ - CHAR_0);
+-    if (max < 0 || max > 65535)
+    while(IS_DIGIT(*p))
+       {
+-      *errorcodeptr = ERR5;
+-      return p;
+      max = max * 10 + (int)(*p++ - CHAR_0);
+      if (max > 65535)
+        {
+        *errorcodeptr = ERR5;
+        while (*p != CHAR_RIGHT_CURLY_BRACKET) p++;
+        return p;
+        }
+       }
+     if (max < min)
+       {
+-- 
+1.9.0
+
--- a/pcre.spec
+++ b/pcre.spec
@ -2,7 +2,7 @@
 #%%global rcversion RC1
 Name: pcre
 Version: 8.35
-Release: %{?rcversion:0.}1%{?rcversion:.%rcversion}%{?dist}
+Release: %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary: Perl-compatible regular expression library
 Group: System Environment/Libraries
@ -13,6 +13,9 @@ Source: ftp://ftp.csx.cam.ac.uk/pub/software/programming/%{name}/%{?rcversion:Te
 Patch0: pcre-8.21-multilib.patch
 # Refused by upstream, bug #675477
 Patch1: pcre-8.32-refused_spelling_terminated.patch
+# Do no rely on wrapping signed integer while parsing {min,max} expression,
+# bug #1086630, upstream bug #1463
+Patch2: pcre-8.35-Do-not-rely-on-wrapping-signed-integer-while-parsein.patch
 BuildRequires: readline-devel
 # New libtool to get rid of rpath
 BuildRequires: autoconf, automake, libtool
@ -54,6 +57,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
 # Get rid of rpath
 %patch0 -p1 -b .multilib
 %patch1 -p1 -b .terminated_typos
+%patch2 -p1 -b .gcc49
 # Because of rpath patch
 libtoolize --copy --force && autoreconf -vif
 # One contributor's name is non-UTF-8
@ -121,6 +125,10 @@ make %{?_smp_mflags} check
 %{_mandir}/man1/pcretest.*

 %changelog
+* Fri Apr 11 2014 Petr Pisar <ppisar@redhat.com> - 8.35-2
+- Do no rely on wrapping signed integer while parsing {min,max} expression
+  (bug #1086630)
+
 * Wed Apr 09 2014 Petr Pisar <ppisar@redhat.com> - 8.35-1
 - 8.35 bump
 - Run tests in parallel