From 045dadf330d9d3ca0eb36006873721c5490e41c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Tue, 30 Jan 2018 09:40:07 +0100
Subject: [PATCH] Enlarge ovector array match data structure to be large enough in all cases
---
 ...ovector-size-in-internal-structures-.patch | 76 +++++++++++++++++++
 pcre2.spec | 10 ++-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 pcre2-10.31-RC1-Increment-dummy-ovector-size-in-internal-structures-.patch

diff --git a/pcre2-10.31-RC1-Increment-dummy-ovector-size-in-internal-structures-.patch b/pcre2-10.31-RC1-Increment-dummy-ovector-size-in-internal-structures-.patch
new file mode 100644
index 0000000..86e87c6
--- /dev/null
+++ b/pcre2-10.31-RC1-Increment-dummy-ovector-size-in-internal-structures-.patch
@@ -0,0 +1,76 @@
+From e98f42ec8153d9020f2fcc347e11c65b181267a2 Mon Sep 17 00:00:00 2001
+From: ph10
+Date: Tue, 16 Jan 2018 16:50:40 +0000
+Subject: [PATCH] Increment dummy ovector size in internal structures to avoid
+ spurious array bound checker warnings. This fixes oss-fuzz 5415.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@911 6239d852-aaf2-0410-a92c-79f79f948069
+Signed-off-by: Petr Písař
+---
+ src/pcre2_intmodedep.h | 20 +++++++++++---------
+
+diff --git a/src/pcre2_intmodedep.h b/src/pcre2_intmodedep.h
+index 3b7d18c..c4c4c3a 100644
+--- a/src/pcre2_intmodedep.h
++++ b/src/pcre2_intmodedep.h
+@@ -7,7 +7,7 @@ and semantics are as close as possible to those of the Perl 5 language.
+ 
+ Written by Philip Hazel
+ Original API code Copyright (c) 1997-2012 University of Cambridge
+- New API code Copyright (c) 2016-2017 University of Cambridge
++ New API code Copyright (c) 2016-2018 University of Cambridge
+ 
+ -----------------------------------------------------------------------------
+ Redistribution and use in source and binary forms, with or without
+@@ -640,11 +640,13 @@ typedef struct pcre2_real_code {
+ uint16_t name_count; /* Number of name entries in the table */
+ } pcre2_real_code;
+ 
+-/* The real match data structure. Define ovector large so that array bound
+-checkers don't grumble. Memory for this structure is obtained by calling
+-pcre2_match_data_create(), which sets the size as the offset of ovector plus
+-pairs of elements for each capturing group. (See also the heapframe structure
+-below.) */
++/* The real match data structure. Define ovector as large as it can ever
++actually be so that array bound checkers don't grumble. Memory for this
++structure is obtained by calling pcre2_match_data_create(), which sets the size
++as the offset of ovector plus a pair of elements for each capturable string, so
++the size varies from call to call. As the maximum number of capturing
++subpatterns is 65535 we must allow for 65536 strings to include the overall
++match. (See also the heapframe structure below.) */
+ 
+ typedef struct pcre2_real_match_data {
+ pcre2_memctl memctl;
+@@ -657,7 +659,7 @@ typedef struct pcre2_real_match_data {
+ uint16_t matchedby; /* Type of match (normal, JIT, DFA) */
+ uint16_t oveccount; /* Number of pairs */
+ int rc; /* The return code from the match */
+- PCRE2_SIZE ovector[10000];/* The first field */
++ PCRE2_SIZE ovector[131072]; /* Must be last in the structure */
+ } pcre2_real_match_data;
+ 
+ 
+@@ -804,7 +806,7 @@ typedef struct heapframe {
+ runtime array bound checks don't catch references to it. However, for any
+ specific call to pcre2_match() the memory allocated for each frame structure
+ allows for exactly the right size ovector for the number of capturing
+- parentheses. */
++ parentheses. (See also the comment for pcre2_real_match_data above.) */
+ 
+ PCRE2_SPTR eptr; /* MUST BE FIRST */
+ PCRE2_SPTR start_match; /* Can be adjusted by \K */
+@@ -813,7 +815,7 @@ typedef struct heapframe {
+ uint32_t capture_last; /* Most recent capture */
+ PCRE2_SIZE last_group_offset; /* Saved offset to most recent group frame */
+ PCRE2_SIZE offset_top; /* Offset after highest capture */
+- PCRE2_SIZE ovector[10000]; /* Must be last in the structure */
++ PCRE2_SIZE ovector[131072]; /* Must be last in the structure */
+ } heapframe;
+ 
+ typedef char check_heapframe_size[
+-- 
+2.13.6
+
diff --git a/pcre2.spec b/pcre2.spec
index 11ab77e..122fbed 100644
--- a/pcre2.spec
+++ b/pcre2.spec
@@ -9,7 +9,7 @@
 %global rcversion RC1
 Name: pcre2
 Version: 10.31
-Release: %{?rcversion:0.}1%{?rcversion:.%rcversion}%{?dist}
+Release: %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary: Perl-compatible regular expression library
 # the library: BSD with exceptions
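Review bot: With `PCRE2_SIZE ovector[131072]` the declared size of pcre2_real_match_data and heapframe is about 1 MiB each for an 8-byte PCRE2_SIZE, while the new comment says the memory actually obtained from pcre2_match_data_create() covers only the ovector offset plus one pair per string; any `sizeof`-based memcpy, by-value assignment or stack instance of these structs would therefore run past the real allocation, and the large bound hides that from checkers rather than preventing it. The struct comment is the place to say so, e.g. `Never take sizeof() or copy this structure by value; only the ovector elements covered by oveccount exist in memory.`, and the same sentence fits the heapframe comment in the last two hunks. Separately, `uint16_t oveccount; /* Number of pairs */` cannot hold the 65536 strings the comment reserves room for, so presumably the creating function clamps the count to 65535 pairs; a sentence naming where that clamp lives would tie the two together. Both struct definitions start and continue outside the hunks shown, and `typedef char check_heapframe_size[` is cut off at the end of the last hunk.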
@@ -48,6 +48,9 @@ URL: http://www.pcre.org/
 Source: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/%{?rcversion:Testing/}%{name}-%{myversion}.tar.bz2
 # Do no set RPATH if libdir is not /usr/lib
 Patch0: pcre2-10.10-Fix-multilib.patch
+# Enlarge ovector array match data structure to be large enough in all cases,
+# in upstream after 10.31-RC1, oss-fuzz #5415
+Patch1: pcre2-10.31-RC1-Increment-dummy-ovector-size-in-internal-structures-.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: coreutils
@@ -122,6 +125,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %prep
 %setup -q -n %{name}-%{myversion}
 %patch0 -p1
+%patch1 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@@ -229,6 +233,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 %changelog
+* Tue Jan 30 2018 Petr Pisar - 10.31-0.2.RC1
+- Enlarge ovector array match data structure to be large enough in all cases
+ (oss-fuzz #5415)
+
 * Mon Jan 15 2018 Petr Pisar - 10.31-0.1.RC1
 - 10.31-RC1 bump
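Review bot: The Patch1 comment records the oss-fuzz issue but not the upstream revision the backport corresponds to, which is what the next rebase needs in order to decide whether the patch can be dropped; the patch header added in this same commit carries both identifiers, so `# in upstream after 10.31-RC1 (svn r911, git e98f42ec8153d9020f2fcc347e11c65b181267a2), oss-fuzz #5415` would make the spec self-describing. The %patch1 and %changelog hunks need nothing further.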