Fix an integer overflow when checking a lookbehind length

2019-07-11 10:17:01 +02:00 · 2019-07-11 10:17:01 +02:00 · 0f3dd4d6aa
commit 0f3dd4d6aa
parent 56a2aceb59
3 changed files with 174 additions and 1 deletions
--- a/pcre2-10.33-Additional-overflow-test.patch
+++ b/pcre2-10.33-Additional-overflow-test.patch
@ -0,0 +1,54 @@
+From bcf39c1828399ebc33fb92c4edaf2bdd5f891a58 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Fri, 5 Jul 2019 15:49:37 +0000
+Subject: [PATCH] Additional overflow test.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1127 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.33.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ testdata/testinput2  | 4 ++++
+ testdata/testoutput2 | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 079d6d8..9412bf6 100644
+--- a/testdata/testinput2
+++ b/testdata/testinput2
+@@ -5591,6 +5591,10 @@ a)"xI
+ 
+ /\[()]{65535}(?<A>)/expand
+ 
+# Addition overflow
+ /( {32742} {42})(?<!\1{65481})/
+ 
+# Multiplication overflow
+/(X{65535})(?<=\1{32770})/
+
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index bfe61a3..950095f 100644
+--- a/testdata/testoutput2
+++ b/testdata/testoutput2
+@@ -16940,9 +16940,14 @@ Failed: error 197 at offset 131071: too many capturing groups (maximum 65535)
+ /\[()]{65535}(?<A>)/expand
+ Failed: error 197 at offset 131075: too many capturing groups (maximum 65535)
+ 
+# Addition overflow
+ /( {32742} {42})(?<!\1{65481})/
+ Failed: error 187 at offset 15: lookbehind assertion is too long
+ 
+# Multiplication overflow
+/(X{65535})(?<=\1{32770})/
+Failed: error 187 at offset 10: lookbehind assertion is too long
+
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
+-- 
+2.20.1
+
--- a/pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch
+++ b/pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch
@ -0,0 +1,108 @@
+From cdefe642dc2e6b5b8e6703773934813f317bc488 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Thu, 4 Jul 2019 17:01:53 +0000
+Subject: [PATCH] Check for integer overflow when computing lookbehind lengths.
+ Fixes Clusterfuzz issue 13656.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1126 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.33.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/pcre2_compile.c  | 38 ++++++++++++++++++++++++++++----------
+ testdata/testinput2  |  2 ++
+ testdata/testoutput2 |  3 +++
+ 3 files changed, 33 insertions(+), 10 deletions(-)
+
+diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
+index c82c6ca..f6e0a0b 100644
+--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
+@@ -9197,8 +9197,26 @@ for (;; pptr++)
+     case META_MINMAX_QUERY:
+     if (pptr[1] == pptr[2])
+       {
+-      if (pptr[1] == 0) branchlength -= lastitemlength;
+-        else itemlength = (pptr[1] - 1) * lastitemlength;
+      switch(pptr[1])
+        {
+        case 0:
+        branchlength -= lastitemlength;
+        break;
+
+        case 1:
+        itemlength = 0;
+        break;
+
+        default:  /* Check for integer overflow */
+        if (lastitemlength != 0 &&  /* Should not occur, but just in case */
+            INT_MAX/lastitemlength < pptr[1] - 1)
+          {
+          *errcodeptr = ERR87;  /* Integer overflow; lookbehind too big */
+          return -1;
+          }
+        itemlength = (pptr[1] - 1) * lastitemlength;
+        break;
+        }
+       pptr += 2;
+       break;
+       }
+@@ -9212,19 +9230,19 @@ for (;; pptr++)
+     return -1;
+     }
+ 
+-  /* Add the item length to the branchlength, and save it for use if the next
+-  thing is a quantifier. */
+-
+-  branchlength += itemlength;
+-  lastitemlength = itemlength;
+-
+-  /* Ensure that the length does not overflow the limit. */
+  /* Add the item length to the branchlength, checking for integer overflow and
+  for the branch length exceeding the limit. */
+ 
+-  if (branchlength > LOOKBEHIND_MAX)
+  if (INT_MAX - branchlength < (int)itemlength ||
+      (branchlength += itemlength) > LOOKBEHIND_MAX)
+     {
+     *errcodeptr = ERR87;
+     return -1;
+     }
+
+  /* Save this item length for use if the next item is a quantifier. */
+
+  lastitemlength = itemlength;
+   }
+ 
+ EXIT:
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 8a98f94..079d6d8 100644
+--- a/testdata/testinput2
+++ b/testdata/testinput2
+@@ -5591,4 +5591,6 @@ a)"xI
+ 
+ /\[()]{65535}(?<A>)/expand
+ 
+/( {32742} {42})(?<!\1{65481})/
+
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index 158fbad..bfe61a3 100644
+--- a/testdata/testoutput2
+++ b/testdata/testoutput2
+@@ -16940,6 +16940,9 @@ Failed: error 197 at offset 131071: too many capturing groups (maximum 65535)
+ /\[()]{65535}(?<A>)/expand
+ Failed: error 197 at offset 131075: too many capturing groups (maximum 65535)
+ 
+/( {32742} {42})(?<!\1{65481})/
+Failed: error 187 at offset 15: lookbehind assertion is too long
+
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
+-- 
+2.20.1
+
--- a/pcre2.spec
+++ b/pcre2.spec
@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.33
-Release:    %{?rcversion:0.}6%{?rcversion:.%rcversion}%{?dist}
+Release:    %{?rcversion:0.}7%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@ -71,6 +71,12 @@ Patch7:     pcre2-10.33-Don-t-ignore-1-when-it-is-applied-to-a-parenthesized.pat
 # Fix a DFA to recognize a partial match if the end of a subject is encountered
 # in a lookahead, an atomic group, or a recursion, in upstream after 10.33
 Patch8:     pcre2-10.33-Fix-partial-matching-bug-in-pcre2_dfa_match.patch
+# 1/2 Fix an integer overflow when checking a lookbehind length,
+# in upstream after 10.33
+Patch9:     pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch
+# 2/2 Fix an integer overflow when checking a lookbehind length,
+# in upstream after 10.33
+Patch10:    pcre2-10.33-Additional-overflow-test.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@ -155,6 +161,8 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@ -253,6 +261,9 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*

 %changelog
+* Thu Jul 11 2019 Petr Pisar <ppisar@redhat.com> - 10.33-7
+- Fix an integer overflow when checking a lookbehind length
+
 * Wed Jul 03 2019 Petr Pisar <ppisar@redhat.com> - 10.33-6
 - Fix a DFA to recognize a partial match if the end of a subject is encountered
  in a lookahead, an atomic group, or a recursion