Fix a buffer overread when parsing an unterminated VERSION condition with a single-digit minor number at the end of a regular expression
This commit is contained in:
parent
2a84c20cef
commit
011f6e20f2
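--- /dev/null
+++ b/pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch
@@ -0,0 +1,56 @@
+From 4089a9d71445fbe48ce41dd5cb595dba88c18a26 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Mon, 29 Jun 2020 15:35:49 +0000
+Subject: [PATCH] Fix read overflow for invalid VERSION test with one
+fractional digit at the end of a pattern. Fixes ClusterFuzz 23779.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1266 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.35.
+---
+src/pcre2_compile.c | 1 +
+testdata/testinput2 | 2 ++
+testdata/testoutput2 | 3 +++
+
+diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
+index 136d583..e811f12 100644
+--- a/src/pcre2_compile.c
++++ b/src/pcre2_compile.c
+@@ -4331,6 +4331,7 @@ while (ptr < ptrend)
+{
+if (++ptr >= ptrend || !IS_DIGIT(*ptr)) goto BAD_VERSION_CONDITION;
+minor = (*ptr++ - CHAR_0) * 10;
++ if (ptr >= ptrend) goto BAD_VERSION_CONDITION;
+if (IS_DIGIT(*ptr)) minor += *ptr++ - CHAR_0;
+if (ptr >= ptrend || *ptr != CHAR_RIGHT_PARENTHESIS)
+goto BAD_VERSION_CONDITION;
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index c816c5f..47320eb 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -5864,4 +5864,6 @@ a)"xI
+/"(*MARK:>" 00 "<).(?C1)."/hex,mark,no_start_optimize
+AB
+
++/(?(VERSION=0.0/
++
+# End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index c90efef..c06363a 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -17621,6 +17621,9 @@ Latest Mark: >\x00<
+0: AB
+MK: >\x00<
+
++/(?(VERSION=0.0/
++Failed: error 179 at offset 14: syntax error or number too big in (?(VERSION condition
++
+# End of testinput2
+Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+Error -62: bad serialized data
+--
+2.25.4
+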
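Review bot: The new bounds check `if (ptr >= ptrend) goto BAD_VERSION_CONDITION;` in the pcre2_compile.c hunk repeats the `ptr >= ptrend` test made two lines later, so the same overread could be closed by guarding the optional-digit read itself, `if (ptr < ptrend && IS_DIGIT(*ptr)) minor += *ptr++ - CHAR_0;`, and letting the existing `if (ptr >= ptrend || *ptr != CHAR_RIGHT_PARENTHESIS)` report the unterminated condition with one goto fewer. Both forms reject the pattern at the same offset, so this is a matter of style, not correctness. The regression test pins only the single-digit case `(?(VERSION=0.0`; the neighbouring end-of-pattern boundaries `(?(VERSION=0.` and `(?(VERSION=0.00` are handled by the checks already visible in the hunk, and a test line for each would keep them from regressing, unless testinput2 already covers them outside this diff. The enclosing parse loop, the major-number parsing and the `BAD_VERSION_CONDITION` label all lie outside the hunk, so the path taken after the goto is not reviewed here.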
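--- a/pcre2.spec
+++ b/pcre2.spec
@@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name: pcre2
 Version: 10.35
-Release: %{?rcversion:0.}3%{?rcversion:.%rcversion}%{?dist}
+Release: %{?rcversion:0.}4%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary: Perl-compatible regular expression library
 # the library: BSD with exceptions
@@ -60,6 +60,10 @@ Patch2: pcre2-10.35-Fix-previous-commit-include-CET_CFLAGS-in-16-bit-and.pat
 # Fix an infinite loop when a single-byte newline is search in JIT if an
 # invalid UTF-8 mode is enabled, upstream bug #2581, in upstream after 10.35
 Patch3: pcre2-10.35-Fix-inifinite-loop-when-a-single-byte-newline-is-sea.patch
+# Fix a buffer overread when parsing an unterminated VERSION condition with
+# a single-digit minor number at the end of a regular expression,
+# ClusterFuzz #23779, in upstream after 10.35
+Patch4: pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: coreutils
@@ -154,6 +158,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@@ -267,6 +272,11 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 
 %changelog
+* Wed Jul 15 2020 Petr Pisar <ppisar@redhat.com> - 10.35-4
+- Fix a buffer overread when parsing an unterminated VERSION condition with
+  a single-digit minor number at the end of a regular expression
+  (ClusterFuzz #23779)
+
 * Tue Jun 02 2020 Petr Pisar <ppisar@redhat.com> - 10.35-3
 - Fix an infinite loop when a single-byte newline is search in JIT if an
   invalid UTF-8 mode is enabled (upstream bug #2581)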