Fix a buffer overread when parsing an unterminated VERSION condition with a single-digit minor number at the end of a regular expression

pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch

@@ -0,0 +1,56 @@
+From 4089a9d71445fbe48ce41dd5cb595dba88c18a26 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Mon, 29 Jun 2020 15:35:49 +0000
+Subject: [PATCH] Fix read overflow for invalid VERSION test with one
+ fractional digit at the end of a pattern. Fixes ClusterFuzz 23779.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1266 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.35.
+---
+ src/pcre2_compile.c  | 1 +
+ testdata/testinput2  | 2 ++
+ testdata/testoutput2 | 3 +++
+
+diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
+index 136d583..e811f12 100644
+--- a/src/pcre2_compile.c
++++ b/src/pcre2_compile.c
+@@ -4331,6 +4331,7 @@ while (ptr < ptrend)
+           {
+           if (++ptr >= ptrend || !IS_DIGIT(*ptr)) goto BAD_VERSION_CONDITION;
+           minor = (*ptr++ - CHAR_0) * 10;
++          if (ptr >= ptrend) goto BAD_VERSION_CONDITION;
+           if (IS_DIGIT(*ptr)) minor += *ptr++ - CHAR_0;
+           if (ptr >= ptrend || *ptr != CHAR_RIGHT_PARENTHESIS)
+             goto BAD_VERSION_CONDITION;
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index c816c5f..47320eb 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -5864,4 +5864,6 @@ a)"xI
+ /"(*MARK:>" 00 "<).(?C1)."/hex,mark,no_start_optimize
+     AB
+ 
++/(?(VERSION=0.0/
++
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index c90efef..c06363a 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -17621,6 +17621,9 @@ Latest Mark: >\x00<
+  0: AB
+ MK: >\x00<
+ 
++/(?(VERSION=0.0/
++Failed: error 179 at offset 14: syntax error or number too big in (?(VERSION condition
++
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
+-- 
+2.25.4
+

pcre2.spec

@@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.35
-Release:    %{?rcversion:0.}3%{?rcversion:.%rcversion}%{?dist}
+Release:    %{?rcversion:0.}4%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@@ -60,6 +60,10 @@ Patch2:     pcre2-10.35-Fix-previous-commit-include-CET_CFLAGS-in-16-bit-and.pat
 # Fix an infinite loop when a single-byte newline is search in JIT if an
 # invalid UTF-8 mode is enabled, upstream bug #2581, in upstream after 10.35
 Patch3:     pcre2-10.35-Fix-inifinite-loop-when-a-single-byte-newline-is-sea.patch
+# Fix a buffer overread when parsing an unterminated VERSION condition with
+# a single-digit minor number at the end of a regular expression,
+# ClusterFuzz #23779, in upstream after 10.35
+Patch4:     pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@@ -154,6 +158,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@@ -267,6 +272,11 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 
 %changelog
+* Wed Jul 15 2020 Petr Pisar <ppisar@redhat.com> - 10.35-4
+- Fix a buffer overread when parsing an unterminated VERSION condition with
+  a single-digit minor number at the end of a regular expression
+  (ClusterFuzz #23779)
+
 * Tue Jun 02 2020 Petr Pisar <ppisar@redhat.com> - 10.35-3
 - Fix an infinite loop when a single-byte newline is search in JIT if an
   invalid UTF-8 mode is enabled (upstream bug #2581)