diff --git a/pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch b/pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch
new file mode 100644
index 0000000..596cefc
--- /dev/null
+++ b/pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch
@@ -0,0 +1,56 @@
+From 4089a9d71445fbe48ce41dd5cb595dba88c18a26 Mon Sep 17 00:00:00 2001
+From: ph10
+Date: Mon, 29 Jun 2020 15:35:49 +0000
+Subject: [PATCH] Fix read overflow for invalid VERSION test with one
+ fractional digit at the end of a pattern. Fixes ClusterFuzz 23779.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1266 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.35.
+---
+ src/pcre2_compile.c | 1 +
+ testdata/testinput2 | 2 ++
+ testdata/testoutput2 | 3 +++
+
+diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
+index 136d583..e811f12 100644
+--- a/src/pcre2_compile.c
++++ b/src/pcre2_compile.c
+@@ -4331,6 +4331,7 @@ while (ptr < ptrend)
+ {
+ if (++ptr >= ptrend || !IS_DIGIT(*ptr)) goto BAD_VERSION_CONDITION;
+ minor = (*ptr++ - CHAR_0) * 10;
++ if (ptr >= ptrend) goto BAD_VERSION_CONDITION;
+ if (IS_DIGIT(*ptr)) minor += *ptr++ - CHAR_0;
+ if (ptr >= ptrend || *ptr != CHAR_RIGHT_PARENTHESIS)
+ goto BAD_VERSION_CONDITION;
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index c816c5f..47320eb 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -5864,4 +5864,6 @@ a)"xI
+ /"(*MARK:>" 00 "<).(?C1)."/hex,mark,no_start_optimize
+ AB
+ 
++/(?(VERSION=0.0/
++
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index c90efef..c06363a 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -17621,6 +17621,9 @@ Latest Mark: >\x00<
+ 0: AB
+ MK: >\x00<
+ 
++/(?(VERSION=0.0/
++Failed: error 179 at offset 14: syntax error or number too big in (?(VERSION condition
++
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
+-- 
+2.25.4
+
diff --git a/pcre2.spec b/pcre2.spec
index 8c00935..ac8f52b 100644
--- a/pcre2.spec
+++ b/pcre2.spec
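Review bot: The added guard `++ if (ptr >= ptrend) goto BAD_VERSION_CONDITION;` in the embedded src/pcre2_compile.c hunk closes the one-past-end read after the first minor digit, but the same end-of-pattern condition is tested again two lines later, so the guard could be folded into the digit test as `if (ptr < ptrend && IS_DIGIT(*ptr)) minor += *ptr++ - CHAR_0;` and the existing `ptr >= ptrend || *ptr != CHAR_RIGHT_PARENTHESIS` check would reach BAD_VERSION_CONDITION with the same result. The enclosing `while (ptr < ptrend)` loop starts outside the hunk, so this equivalence is inferred from the visible lines only. The new testinput2 case `/(?(VERSION=0.0/` exercises exactly the one-fractional-digit path; a sibling case that ends the pattern directly after the major number would pin the earlier `++ptr >= ptrend` check too, if the suite does not already cover it.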
@@ -9,7 +9,7 @@ #%%global rcversion RC1
 Name: pcre2
 Version: 10.35
-Release: %{?rcversion:0.}3%{?rcversion:.%rcversion}%{?dist}
+Release: %{?rcversion:0.}4%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary: Perl-compatible regular expression library
 # the library: BSD with exceptions
@@ -60,6 +60,10 @@ Patch2: pcre2-10.35-Fix-previous-commit-include-CET_CFLAGS-in-16-bit-and.pat
 # Fix an infinite loop when a single-byte newline is search in JIT if an
 # invalid UTF-8 mode is enabled, upstream bug #2581, in upstream after 10.35
 Patch3: pcre2-10.35-Fix-inifinite-loop-when-a-single-byte-newline-is-sea.patch
+# Fix a buffer overread when parsing an unterminated VERSION condition with
+# a single-digit minor number at the end of a regular expression,
+# ClusterFuzz #23779, in upstream after 10.35
+Patch4: pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: coreutils
@@ -154,6 +158,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@@ -267,6 +272,11 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 %changelog
+* Wed Jul 15 2020 Petr Pisar - 10.35-4
+- Fix a buffer overread when parsing an unterminated VERSION condition with
+ a single-digit minor number at the end of a regular expression
+ (ClusterFuzz #23779)
+
 * Tue Jun 02 2020 Petr Pisar - 10.35-3
 - Fix an infinite loop when a single-byte newline is search in JIT if an
 invalid UTF-8 mode is enabled (upstream bug #2581)