Fix misparsing long numbers as a backreference and a number without a closing bracket as a quantifier
This commit is contained in:
parent
85a7d55043
commit
0c6f2eb02b
258
pcre2-10.36-Fix-some-numerical-checking-bugs-Bugzilla-2690.patch
Normal file
258
pcre2-10.36-Fix-some-numerical-checking-bugs-Bugzilla-2690.patch
Normal file
@ -0,0 +1,258 @@
|
|||||||
|
From ca896b83b391bf6de7a7bf6e76da3bb02eb7001f Mon Sep 17 00:00:00 2001
|
||||||
|
From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
|
||||||
|
Date: Mon, 1 Feb 2021 17:56:12 +0000
|
||||||
|
Subject: [PATCH] Fix some numerical checking bugs, Bugzilla 2690.
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
|
||||||
|
git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1295 6239d852-aaf2-0410-a92c-79f79f948069
|
||||||
|
Signed-off-by: Petr PÃsaÅ™ <ppisar@redhat.com>
|
||||||
|
---
|
||||||
|
src/pcre2_compile.c | 52 +++++++++++++++++++++++++++-------------
|
||||||
|
testdata/testinput1 | 9 +++++++
|
||||||
|
testdata/testinput11 | 3 +++
|
||||||
|
testdata/testinput2 | 2 --
|
||||||
|
testdata/testinput9 | 3 +++
|
||||||
|
testdata/testoutput1 | 12 ++++++++++
|
||||||
|
testdata/testoutput11-16 | 4 ++++
|
||||||
|
testdata/testoutput11-32 | 4 ++++
|
||||||
|
testdata/testoutput2 | 3 ---
|
||||||
|
testdata/testoutput9 | 4 ++++
|
||||||
|
|
||||||
|
diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
|
||||||
|
index e811f12..4bd5be0 100644
|
||||||
|
--- a/src/pcre2_compile.c
|
||||||
|
+++ b/src/pcre2_compile.c
|
||||||
|
@@ -1398,32 +1398,47 @@ static BOOL
|
||||||
|
read_repeat_counts(PCRE2_SPTR *ptrptr, PCRE2_SPTR ptrend, uint32_t *minp,
|
||||||
|
uint32_t *maxp, int *errorcodeptr)
|
||||||
|
{
|
||||||
|
-PCRE2_SPTR p = *ptrptr;
|
||||||
|
+PCRE2_SPTR p;
|
||||||
|
BOOL yield = FALSE;
|
||||||
|
+BOOL had_comma = FALSE;
|
||||||
|
int32_t min = 0;
|
||||||
|
int32_t max = REPEAT_UNLIMITED; /* This value is larger than MAX_REPEAT_COUNT */
|
||||||
|
|
||||||
|
-/* NB read_number() initializes the error code to zero. The only error is for a
|
||||||
|
-number that is too big. */
|
||||||
|
+/* Check the syntax */
|
||||||
|
|
||||||
|
+*errorcodeptr = 0;
|
||||||
|
+for (p = *ptrptr;; p++)
|
||||||
|
+ {
|
||||||
|
+ uint32_t c;
|
||||||
|
+ if (p >= ptrend) return FALSE;
|
||||||
|
+ c = *p;
|
||||||
|
+ if (IS_DIGIT(c)) continue;
|
||||||
|
+ if (c == CHAR_RIGHT_CURLY_BRACKET) break;
|
||||||
|
+ if (c == CHAR_COMMA)
|
||||||
|
+ {
|
||||||
|
+ if (had_comma) return FALSE;
|
||||||
|
+ had_comma = TRUE;
|
||||||
|
+ }
|
||||||
|
+ else return FALSE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+/* The only error from read_number() is for a number that is too big. */
|
||||||
|
+
|
||||||
|
+p = *ptrptr;
|
||||||
|
if (!read_number(&p, ptrend, -1, MAX_REPEAT_COUNT, ERR5, &min, errorcodeptr))
|
||||||
|
goto EXIT;
|
||||||
|
|
||||||
|
-if (p >= ptrend) goto EXIT;
|
||||||
|
-
|
||||||
|
if (*p == CHAR_RIGHT_CURLY_BRACKET)
|
||||||
|
{
|
||||||
|
p++;
|
||||||
|
max = min;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
else
|
||||||
|
{
|
||||||
|
- if (*p++ != CHAR_COMMA || p >= ptrend) goto EXIT;
|
||||||
|
- if (*p != CHAR_RIGHT_CURLY_BRACKET)
|
||||||
|
+ if (*(++p) != CHAR_RIGHT_CURLY_BRACKET)
|
||||||
|
{
|
||||||
|
if (!read_number(&p, ptrend, -1, MAX_REPEAT_COUNT, ERR5, &max,
|
||||||
|
- errorcodeptr) || p >= ptrend || *p != CHAR_RIGHT_CURLY_BRACKET)
|
||||||
|
+ errorcodeptr))
|
||||||
|
goto EXIT;
|
||||||
|
if (max < min)
|
||||||
|
{
|
||||||
|
@@ -1438,11 +1453,10 @@ yield = TRUE;
|
||||||
|
if (minp != NULL) *minp = (uint32_t)min;
|
||||||
|
if (maxp != NULL) *maxp = (uint32_t)max;
|
||||||
|
|
||||||
|
-/* Update the pattern pointer on success, or after an error, but not when
|
||||||
|
-the result is "not a repeat quantifier". */
|
||||||
|
+/* Update the pattern pointer */
|
||||||
|
|
||||||
|
EXIT:
|
||||||
|
-if (yield || *errorcodeptr != 0) *ptrptr = p;
|
||||||
|
+*ptrptr = p;
|
||||||
|
return yield;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -1776,19 +1790,23 @@ else
|
||||||
|
{
|
||||||
|
oldptr = ptr;
|
||||||
|
ptr--; /* Back to the digit */
|
||||||
|
- if (!read_number(&ptr, ptrend, -1, INT_MAX/10 - 1, ERR61, &s,
|
||||||
|
- errorcodeptr))
|
||||||
|
- break;
|
||||||
|
|
||||||
|
- /* \1 to \9 are always back references. \8x and \9x are too; \1x to \7x
|
||||||
|
+ /* As we know we are at a digit, the only possible error from
|
||||||
|
+ read_number() is a number that is too large to be a group number. In this
|
||||||
|
+ case we fall through handle this as not a group reference. If we have
|
||||||
|
+ read a small enough number, check for a back reference.
|
||||||
|
+
|
||||||
|
+ \1 to \9 are always back references. \8x and \9x are too; \1x to \7x
|
||||||
|
are octal escapes if there are not that many previous captures. */
|
||||||
|
|
||||||
|
- if (s < 10 || oldptr[-1] >= CHAR_8 || s <= (int)cb->bracount)
|
||||||
|
+ if (read_number(&ptr, ptrend, -1, INT_MAX/10 - 1, 0, &s, errorcodeptr) &&
|
||||||
|
+ (s < 10 || oldptr[-1] >= CHAR_8 || s <= (int)cb->bracount))
|
||||||
|
{
|
||||||
|
if (s > (int)MAX_GROUP_NUMBER) *errorcodeptr = ERR61;
|
||||||
|
else escape = -s; /* Indicates a back reference */
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
ptr = oldptr; /* Put the pointer back and fall through */
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/testdata/testinput1 b/testdata/testinput1
|
||||||
|
index d4e42ba..bb4ddb7 100644
|
||||||
|
--- a/testdata/testinput1
|
||||||
|
+++ b/testdata/testinput1
|
||||||
|
@@ -6420,4 +6420,13 @@ ef) x/x,mark
|
||||||
|
/(?(DEFINE)(?<foo>bar))(?<![-a-z0-9])word/
|
||||||
|
word
|
||||||
|
|
||||||
|
+/a{1,2,3}b/
|
||||||
|
+ a{1,2,3}b
|
||||||
|
+
|
||||||
|
+/\214748364/
|
||||||
|
+ >\x{8c}748364<
|
||||||
|
+
|
||||||
|
+/a{65536/
|
||||||
|
+ >a{65536<
|
||||||
|
+
|
||||||
|
# End of testinput1
|
||||||
|
diff --git a/testdata/testinput11 b/testdata/testinput11
|
||||||
|
index 2d267d6..2bc8a25 100644
|
||||||
|
--- a/testdata/testinput11
|
||||||
|
+++ b/testdata/testinput11
|
||||||
|
@@ -368,4 +368,7 @@
|
||||||
|
abÿAz
|
||||||
|
ab\x{80000041}z
|
||||||
|
|
||||||
|
+/(?i:A{1,}\6666666666)/
|
||||||
|
+ A\x{1b6}6666666
|
||||||
|
+
|
||||||
|
# End of testinput11
|
||||||
|
diff --git a/testdata/testinput2 b/testdata/testinput2
|
||||||
|
index 3f9dd6d..87e3394 100644
|
||||||
|
--- a/testdata/testinput2
|
||||||
|
+++ b/testdata/testinput2
|
||||||
|
@@ -2189,8 +2189,6 @@
|
||||||
|
|
||||||
|
/a(*MARK)b/
|
||||||
|
|
||||||
|
-/(?i:A{1,}\6666666666)/
|
||||||
|
-
|
||||||
|
/\g6666666666/
|
||||||
|
|
||||||
|
/[\g6666666666]/B
|
||||||
|
diff --git a/testdata/testinput9 b/testdata/testinput9
|
||||||
|
index 7be4b15..4eb228a 100644
|
||||||
|
--- a/testdata/testinput9
|
||||||
|
+++ b/testdata/testinput9
|
||||||
|
@@ -260,4 +260,7 @@
|
||||||
|
|
||||||
|
/(*:*++++++++++++''''''''''''''''''''+''+++'+++x+++++++++++++++++++++++++++++++++++(++++++++++++++++++++:++++++%++:''''''''''''''''''''''''+++++++++++++++++++++++++++++++++++++++++++++++++++++-++++++++k+++++++''''+++'+++++++++++++++++++++++''''++++++++++++':Æ¿)/
|
||||||
|
|
||||||
|
+/(?i:A{1,}\6666666666)/
|
||||||
|
+ A\x{1b6}6666666
|
||||||
|
+
|
||||||
|
# End of testinput9
|
||||||
|
diff --git a/testdata/testoutput1 b/testdata/testoutput1
|
||||||
|
index 16c91d2..05b310b 100644
|
||||||
|
--- a/testdata/testoutput1
|
||||||
|
+++ b/testdata/testoutput1
|
||||||
|
@@ -10176,4 +10176,16 @@ No match
|
||||||
|
word
|
||||||
|
0: word
|
||||||
|
|
||||||
|
+/a{1,2,3}b/
|
||||||
|
+ a{1,2,3}b
|
||||||
|
+ 0: a{1,2,3}b
|
||||||
|
+
|
||||||
|
+/\214748364/
|
||||||
|
+ >\x{8c}748364<
|
||||||
|
+ 0: \x8c748364
|
||||||
|
+
|
||||||
|
+/a{65536/
|
||||||
|
+ >a{65536<
|
||||||
|
+ 0: a{65536
|
||||||
|
+
|
||||||
|
# End of testinput1
|
||||||
|
diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16
|
||||||
|
index 78bf7fb..8768785 100644
|
||||||
|
--- a/testdata/testoutput11-16
|
||||||
|
+++ b/testdata/testoutput11-16
|
||||||
|
@@ -661,4 +661,8 @@ Subject length lower bound = 1
|
||||||
|
abÿAz
|
||||||
|
ab\x{80000041}z
|
||||||
|
|
||||||
|
+/(?i:A{1,}\6666666666)/
|
||||||
|
+ A\x{1b6}6666666
|
||||||
|
+ 0: A\x{1b6}6666666
|
||||||
|
+
|
||||||
|
# End of testinput11
|
||||||
|
diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32
|
||||||
|
index 4b00384..2c95f61 100644
|
||||||
|
--- a/testdata/testoutput11-32
|
||||||
|
+++ b/testdata/testoutput11-32
|
||||||
|
@@ -667,4 +667,8 @@ Subject length lower bound = 1
|
||||||
|
ab\x{80000041}z
|
||||||
|
0: ab\x{80000041}z
|
||||||
|
|
||||||
|
+/(?i:A{1,}\6666666666)/
|
||||||
|
+ A\x{1b6}6666666
|
||||||
|
+ 0: A\x{1b6}6666666
|
||||||
|
+
|
||||||
|
# End of testinput11
|
||||||
|
diff --git a/testdata/testoutput2 b/testdata/testoutput2
|
||||||
|
index dc17011..4d8f65d 100644
|
||||||
|
--- a/testdata/testoutput2
|
||||||
|
+++ b/testdata/testoutput2
|
||||||
|
@@ -8374,9 +8374,6 @@ No match
|
||||||
|
/a(*MARK)b/
|
||||||
|
Failed: error 166 at offset 7: (*MARK) must have an argument
|
||||||
|
|
||||||
|
-/(?i:A{1,}\6666666666)/
|
||||||
|
-Failed: error 161 at offset 19: subpattern number is too big
|
||||||
|
-
|
||||||
|
/\g6666666666/
|
||||||
|
Failed: error 161 at offset 7: subpattern number is too big
|
||||||
|
|
||||||
|
diff --git a/testdata/testoutput9 b/testdata/testoutput9
|
||||||
|
index f98f276..1ec4317 100644
|
||||||
|
--- a/testdata/testoutput9
|
||||||
|
+++ b/testdata/testoutput9
|
||||||
|
@@ -367,4 +367,8 @@ Failed: error 134 at offset 14: character code point value in \x{} or \o{} is to
|
||||||
|
/(*:*++++++++++++''''''''''''''''''''+''+++'+++x+++++++++++++++++++++++++++++++++++(++++++++++++++++++++:++++++%++:''''''''''''''''''''''''+++++++++++++++++++++++++++++++++++++++++++++++++++++-++++++++k+++++++''''+++'+++++++++++++++++++++++''''++++++++++++':Æ¿)/
|
||||||
|
Failed: error 176 at offset 259: name is too long in (*MARK), (*PRUNE), (*SKIP), or (*THEN)
|
||||||
|
|
||||||
|
+/(?i:A{1,}\6666666666)/
|
||||||
|
+Failed: error 151 at offset 13: octal value is greater than \377 in 8-bit non-UTF-8 mode
|
||||||
|
+ A\x{1b6}6666666
|
||||||
|
+
|
||||||
|
# End of testinput9
|
||||||
|
--
|
||||||
|
2.26.2
|
||||||
|
|
10
pcre2.spec
10
pcre2.spec
@ -9,7 +9,7 @@
|
|||||||
#%%global rcversion RC1
|
#%%global rcversion RC1
|
||||||
Name: pcre2
|
Name: pcre2
|
||||||
Version: 10.36
|
Version: 10.36
|
||||||
Release: %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist}.1
|
Release: %{?rcversion:0.}3%{?rcversion:.%rcversion}%{?dist}
|
||||||
%global myversion %{version}%{?rcversion:-%rcversion}
|
%global myversion %{version}%{?rcversion:-%rcversion}
|
||||||
Summary: Perl-compatible regular expression library
|
Summary: Perl-compatible regular expression library
|
||||||
# the library: BSD with exceptions
|
# the library: BSD with exceptions
|
||||||
@ -54,6 +54,10 @@ Patch0: pcre2-10.10-Fix-multilib.patch
|
|||||||
# Fix a possible NULL pointer dereference in auto_possessify(),
|
# Fix a possible NULL pointer dereference in auto_possessify(),
|
||||||
# upstream bug #2686, in upstream after 10.36
|
# upstream bug #2686, in upstream after 10.36
|
||||||
Patch1: pcre2-10.36-Get-rid-of-gcc-fanalyzer-error-though-it-was-probabl.patch
|
Patch1: pcre2-10.36-Get-rid-of-gcc-fanalyzer-error-though-it-was-probabl.patch
|
||||||
|
# Fix misparsing long numbers as a backreference and a number without
|
||||||
|
# a closing bracket as a quantifier, upstream bug #2690, in upstream after
|
||||||
|
# 10.36
|
||||||
|
Patch2: pcre2-10.36-Fix-some-numerical-checking-bugs-Bugzilla-2690.patch
|
||||||
BuildRequires: autoconf
|
BuildRequires: autoconf
|
||||||
BuildRequires: automake
|
BuildRequires: automake
|
||||||
BuildRequires: coreutils
|
BuildRequires: coreutils
|
||||||
@ -257,6 +261,10 @@ make %{?_smp_mflags} check VERBOSE=yes
|
|||||||
%{_mandir}/man1/pcre2test.*
|
%{_mandir}/man1/pcre2test.*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 02 2021 Petr Pisar <ppisar@redhat.com> - 10.36-3
|
||||||
|
- Fix misparsing long numbers as a backreference and a number without
|
||||||
|
a closing bracket as a quantifier (upstream bug #2690)
|
||||||
|
|
||||||
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 10.36-2.1
|
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 10.36-2.1
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user