From 0c6f2eb02ba89076c6e587bd043df903c9465404 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Tue, 2 Feb 2021 08:42:24 +0100 Subject: [PATCH] Fix misparsing long numbers as a backreference and a number without a closing bracket as a quantifier --- ...umerical-checking-bugs-Bugzilla-2690.patch | 258 ++++++++++++++++++ pcre2.spec | 10 +- 2 files changed, 267 insertions(+), 1 deletion(-) create mode 100644 pcre2-10.36-Fix-some-numerical-checking-bugs-Bugzilla-2690.patch diff --git a/pcre2-10.36-Fix-some-numerical-checking-bugs-Bugzilla-2690.patch b/pcre2-10.36-Fix-some-numerical-checking-bugs-Bugzilla-2690.patch new file mode 100644 index 0000000..0f57b3a --- /dev/null +++ b/pcre2-10.36-Fix-some-numerical-checking-bugs-Bugzilla-2690.patch @@ -0,0 +1,258 @@ +From ca896b83b391bf6de7a7bf6e76da3bb02eb7001f Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Mon, 1 Feb 2021 17:56:12 +0000 +Subject: [PATCH] Fix some numerical checking bugs, Bugzilla 2690. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1295 6239d852-aaf2-0410-a92c-79f79f948069 +Signed-off-by: Petr PísaÅ™ +--- + src/pcre2_compile.c | 52 +++++++++++++++++++++++++++------------- + testdata/testinput1 | 9 +++++++ + testdata/testinput11 | 3 +++ + testdata/testinput2 | 2 -- + testdata/testinput9 | 3 +++ + testdata/testoutput1 | 12 ++++++++++ + testdata/testoutput11-16 | 4 ++++ + testdata/testoutput11-32 | 4 ++++ + testdata/testoutput2 | 3 --- + testdata/testoutput9 | 4 ++++ + +diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c +index e811f12..4bd5be0 100644 +--- a/src/pcre2_compile.c ++++ b/src/pcre2_compile.c +@@ -1398,32 +1398,47 @@ static BOOL + read_repeat_counts(PCRE2_SPTR *ptrptr, PCRE2_SPTR ptrend, uint32_t *minp, + uint32_t *maxp, int *errorcodeptr) + { +-PCRE2_SPTR p = *ptrptr; ++PCRE2_SPTR p; + BOOL yield = FALSE; ++BOOL had_comma = FALSE; + int32_t min = 0; + int32_t max = REPEAT_UNLIMITED; /* This value is larger than MAX_REPEAT_COUNT */ + +-/* NB read_number() initializes the error code to zero. The only error is for a +-number that is too big. */ ++/* Check the syntax */ + ++*errorcodeptr = 0; ++for (p = *ptrptr;; p++) ++ { ++ uint32_t c; ++ if (p >= ptrend) return FALSE; ++ c = *p; ++ if (IS_DIGIT(c)) continue; ++ if (c == CHAR_RIGHT_CURLY_BRACKET) break; ++ if (c == CHAR_COMMA) ++ { ++ if (had_comma) return FALSE; ++ had_comma = TRUE; ++ } ++ else return FALSE; ++ } ++ ++/* The only error from read_number() is for a number that is too big. */ ++ ++p = *ptrptr; + if (!read_number(&p, ptrend, -1, MAX_REPEAT_COUNT, ERR5, &min, errorcodeptr)) + goto EXIT; + +-if (p >= ptrend) goto EXIT; +- + if (*p == CHAR_RIGHT_CURLY_BRACKET) + { + p++; + max = min; + } +- + else + { +- if (*p++ != CHAR_COMMA || p >= ptrend) goto EXIT; +- if (*p != CHAR_RIGHT_CURLY_BRACKET) ++ if (*(++p) != CHAR_RIGHT_CURLY_BRACKET) + { + if (!read_number(&p, ptrend, -1, MAX_REPEAT_COUNT, ERR5, &max, +- errorcodeptr) || p >= ptrend || *p != CHAR_RIGHT_CURLY_BRACKET) ++ errorcodeptr)) + goto EXIT; + if (max < min) + { +@@ -1438,11 +1453,10 @@ yield = TRUE; + if (minp != NULL) *minp = (uint32_t)min; + if (maxp != NULL) *maxp = (uint32_t)max; + +-/* Update the pattern pointer on success, or after an error, but not when +-the result is "not a repeat quantifier". */ ++/* Update the pattern pointer */ + + EXIT: +-if (yield || *errorcodeptr != 0) *ptrptr = p; ++*ptrptr = p; + return yield; + } + +@@ -1776,19 +1790,23 @@ else + { + oldptr = ptr; + ptr--; /* Back to the digit */ +- if (!read_number(&ptr, ptrend, -1, INT_MAX/10 - 1, ERR61, &s, +- errorcodeptr)) +- break; + +- /* \1 to \9 are always back references. \8x and \9x are too; \1x to \7x ++ /* As we know we are at a digit, the only possible error from ++ read_number() is a number that is too large to be a group number. In this ++ case we fall through handle this as not a group reference. If we have ++ read a small enough number, check for a back reference. ++ ++ \1 to \9 are always back references. \8x and \9x are too; \1x to \7x + are octal escapes if there are not that many previous captures. */ + +- if (s < 10 || oldptr[-1] >= CHAR_8 || s <= (int)cb->bracount) ++ if (read_number(&ptr, ptrend, -1, INT_MAX/10 - 1, 0, &s, errorcodeptr) && ++ (s < 10 || oldptr[-1] >= CHAR_8 || s <= (int)cb->bracount)) + { + if (s > (int)MAX_GROUP_NUMBER) *errorcodeptr = ERR61; + else escape = -s; /* Indicates a back reference */ + break; + } ++ + ptr = oldptr; /* Put the pointer back and fall through */ + } + +diff --git a/testdata/testinput1 b/testdata/testinput1 +index d4e42ba..bb4ddb7 100644 +--- a/testdata/testinput1 ++++ b/testdata/testinput1 +@@ -6420,4 +6420,13 @@ ef) x/x,mark + /(?(DEFINE)(?bar))(?\x{8c}748364< ++ ++/a{65536/ ++ >a{65536< ++ + # End of testinput1 +diff --git a/testdata/testinput11 b/testdata/testinput11 +index 2d267d6..2bc8a25 100644 +--- a/testdata/testinput11 ++++ b/testdata/testinput11 +@@ -368,4 +368,7 @@ + abÿAz + ab\x{80000041}z + ++/(?i:A{1,}\6666666666)/ ++ A\x{1b6}6666666 ++ + # End of testinput11 +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 3f9dd6d..87e3394 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -2189,8 +2189,6 @@ + + /a(*MARK)b/ + +-/(?i:A{1,}\6666666666)/ +- + /\g6666666666/ + + /[\g6666666666]/B +diff --git a/testdata/testinput9 b/testdata/testinput9 +index 7be4b15..4eb228a 100644 +--- a/testdata/testinput9 ++++ b/testdata/testinput9 +@@ -260,4 +260,7 @@ + + /(*:*++++++++++++''''''''''''''''''''+''+++'+++x+++++++++++++++++++++++++++++++++++(++++++++++++++++++++:++++++%++:''''''''''''''''''''''''+++++++++++++++++++++++++++++++++++++++++++++++++++++-++++++++k+++++++''''+++'+++++++++++++++++++++++''''++++++++++++':Æ¿)/ + ++/(?i:A{1,}\6666666666)/ ++ A\x{1b6}6666666 ++ + # End of testinput9 +diff --git a/testdata/testoutput1 b/testdata/testoutput1 +index 16c91d2..05b310b 100644 +--- a/testdata/testoutput1 ++++ b/testdata/testoutput1 +@@ -10176,4 +10176,16 @@ No match + word + 0: word + ++/a{1,2,3}b/ ++ a{1,2,3}b ++ 0: a{1,2,3}b ++ ++/\214748364/ ++ >\x{8c}748364< ++ 0: \x8c748364 ++ ++/a{65536/ ++ >a{65536< ++ 0: a{65536 ++ + # End of testinput1 +diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 +index 78bf7fb..8768785 100644 +--- a/testdata/testoutput11-16 ++++ b/testdata/testoutput11-16 +@@ -661,4 +661,8 @@ Subject length lower bound = 1 + abÿAz + ab\x{80000041}z + ++/(?i:A{1,}\6666666666)/ ++ A\x{1b6}6666666 ++ 0: A\x{1b6}6666666 ++ + # End of testinput11 +diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 +index 4b00384..2c95f61 100644 +--- a/testdata/testoutput11-32 ++++ b/testdata/testoutput11-32 +@@ -667,4 +667,8 @@ Subject length lower bound = 1 + ab\x{80000041}z + 0: ab\x{80000041}z + ++/(?i:A{1,}\6666666666)/ ++ A\x{1b6}6666666 ++ 0: A\x{1b6}6666666 ++ + # End of testinput11 +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index dc17011..4d8f65d 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -8374,9 +8374,6 @@ No match + /a(*MARK)b/ + Failed: error 166 at offset 7: (*MARK) must have an argument + +-/(?i:A{1,}\6666666666)/ +-Failed: error 161 at offset 19: subpattern number is too big +- + /\g6666666666/ + Failed: error 161 at offset 7: subpattern number is too big + +diff --git a/testdata/testoutput9 b/testdata/testoutput9 +index f98f276..1ec4317 100644 +--- a/testdata/testoutput9 ++++ b/testdata/testoutput9 +@@ -367,4 +367,8 @@ Failed: error 134 at offset 14: character code point value in \x{} or \o{} is to + /(*:*++++++++++++''''''''''''''''''''+''+++'+++x+++++++++++++++++++++++++++++++++++(++++++++++++++++++++:++++++%++:''''''''''''''''''''''''+++++++++++++++++++++++++++++++++++++++++++++++++++++-++++++++k+++++++''''+++'+++++++++++++++++++++++''''++++++++++++':Æ¿)/ + Failed: error 176 at offset 259: name is too long in (*MARK), (*PRUNE), (*SKIP), or (*THEN) + ++/(?i:A{1,}\6666666666)/ ++Failed: error 151 at offset 13: octal value is greater than \377 in 8-bit non-UTF-8 mode ++ A\x{1b6}6666666 ++ + # End of testinput9 +-- +2.26.2 + diff --git a/pcre2.spec b/pcre2.spec index 8cc9791..d678ee1 100644 --- a/pcre2.spec +++ b/pcre2.spec @@ -9,7 +9,7 @@ #%%global rcversion RC1 Name: pcre2 Version: 10.36 -Release: %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist}.1 +Release: %{?rcversion:0.}3%{?rcversion:.%rcversion}%{?dist} %global myversion %{version}%{?rcversion:-%rcversion} Summary: Perl-compatible regular expression library # the library: BSD with exceptions @@ -54,6 +54,10 @@ Patch0: pcre2-10.10-Fix-multilib.patch # Fix a possible NULL pointer dereference in auto_possessify(), # upstream bug #2686, in upstream after 10.36 Patch1: pcre2-10.36-Get-rid-of-gcc-fanalyzer-error-though-it-was-probabl.patch +# Fix misparsing long numbers as a backreference and a number without +# a closing bracket as a quantifier, upstream bug #2690, in upstream after +# 10.36 +Patch2: pcre2-10.36-Fix-some-numerical-checking-bugs-Bugzilla-2690.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: coreutils @@ -257,6 +261,10 @@ make %{?_smp_mflags} check VERBOSE=yes %{_mandir}/man1/pcre2test.* %changelog +* Tue Feb 02 2021 Petr Pisar - 10.36-3 +- Fix misparsing long numbers as a backreference and a number without + a closing bracket as a quantifier (upstream bug #2690) + * Tue Jan 26 2021 Fedora Release Engineering - 10.36-2.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild