From 0f3dd4d6aaa85e9d7cfd87af4e67171f011b70a9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 11 Jul 2019 10:17:01 +0200
Subject: [PATCH] Fix an integer overflow when checking a lookbehind length

---
 pcre2-10.33-Additional-overflow-test.patch    |  54 +++++++++
 ...r-overflow-when-computing-lookbehind.patch | 108 ++++++++++++++++++
 pcre2.spec                                    |  13 ++-
 3 files changed, 174 insertions(+), 1 deletion(-)
 create mode 100644 pcre2-10.33-Additional-overflow-test.patch
 create mode 100644 pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch

diff --git a/pcre2-10.33-Additional-overflow-test.patch b/pcre2-10.33-Additional-overflow-test.patch
new file mode 100644
index 0000000..beef625
--- /dev/null
+++ b/pcre2-10.33-Additional-overflow-test.patch
@@ -0,0 +1,54 @@
+From bcf39c1828399ebc33fb92c4edaf2bdd5f891a58 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Fri, 5 Jul 2019 15:49:37 +0000
+Subject: [PATCH] Additional overflow test.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1127 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.33.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ testdata/testinput2  | 4 ++++
+ testdata/testoutput2 | 5 +++++
+ 2 files changed, 9 insertions(+)
+
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 079d6d8..9412bf6 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -5591,6 +5591,10 @@ a)"xI
+ 
+ /\[()]{65535}(?<A>)/expand
+ 
++# Addition overflow
+ /( {32742} {42})(?<!\1{65481})/
+ 
++# Multiplication overflow
++/(X{65535})(?<=\1{32770})/
++
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index bfe61a3..950095f 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -16940,9 +16940,14 @@ Failed: error 197 at offset 131071: too many capturing groups (maximum 65535)
+ /\[()]{65535}(?<A>)/expand
+ Failed: error 197 at offset 131075: too many capturing groups (maximum 65535)
+ 
++# Addition overflow
+ /( {32742} {42})(?<!\1{65481})/
+ Failed: error 187 at offset 15: lookbehind assertion is too long
+ 
++# Multiplication overflow
++/(X{65535})(?<=\1{32770})/
++Failed: error 187 at offset 10: lookbehind assertion is too long
++
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
+-- 
+2.20.1
+
diff --git a/pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch b/pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch
new file mode 100644
index 0000000..29ffd62
--- /dev/null
+++ b/pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch
@@ -0,0 +1,108 @@
+From cdefe642dc2e6b5b8e6703773934813f317bc488 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Thu, 4 Jul 2019 17:01:53 +0000
+Subject: [PATCH] Check for integer overflow when computing lookbehind lengths.
+ Fixes Clusterfuzz issue 13656.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1126 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.33.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/pcre2_compile.c  | 38 ++++++++++++++++++++++++++++----------
+ testdata/testinput2  |  2 ++
+ testdata/testoutput2 |  3 +++
+ 3 files changed, 33 insertions(+), 10 deletions(-)
+
+diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
+index c82c6ca..f6e0a0b 100644
+--- a/src/pcre2_compile.c
++++ b/src/pcre2_compile.c
+@@ -9197,8 +9197,26 @@ for (;; pptr++)
+     case META_MINMAX_QUERY:
+     if (pptr[1] == pptr[2])
+       {
+-      if (pptr[1] == 0) branchlength -= lastitemlength;
+-        else itemlength = (pptr[1] - 1) * lastitemlength;
++      switch(pptr[1])
++        {
++        case 0:
++        branchlength -= lastitemlength;
++        break;
++
++        case 1:
++        itemlength = 0;
++        break;
++
++        default:  /* Check for integer overflow */
++        if (lastitemlength != 0 &&  /* Should not occur, but just in case */
++            INT_MAX/lastitemlength < pptr[1] - 1)
++          {
++          *errcodeptr = ERR87;  /* Integer overflow; lookbehind too big */
++          return -1;
++          }
++        itemlength = (pptr[1] - 1) * lastitemlength;
++        break;
++        }
+       pptr += 2;
+       break;
+       }
+@@ -9212,19 +9230,19 @@ for (;; pptr++)
+     return -1;
+     }
+ 
+-  /* Add the item length to the branchlength, and save it for use if the next
+-  thing is a quantifier. */
+-
+-  branchlength += itemlength;
+-  lastitemlength = itemlength;
+-
+-  /* Ensure that the length does not overflow the limit. */
++  /* Add the item length to the branchlength, checking for integer overflow and
++  for the branch length exceeding the limit. */
+ 
+-  if (branchlength > LOOKBEHIND_MAX)
++  if (INT_MAX - branchlength < (int)itemlength ||
++      (branchlength += itemlength) > LOOKBEHIND_MAX)
+     {
+     *errcodeptr = ERR87;
+     return -1;
+     }
++
++  /* Save this item length for use if the next item is a quantifier. */
++
++  lastitemlength = itemlength;
+   }
+ 
+ EXIT:
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 8a98f94..079d6d8 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -5591,4 +5591,6 @@ a)"xI
+ 
+ /\[()]{65535}(?<A>)/expand
+ 
++/( {32742} {42})(?<!\1{65481})/
++
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index 158fbad..bfe61a3 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -16940,6 +16940,9 @@ Failed: error 197 at offset 131071: too many capturing groups (maximum 65535)
+ /\[()]{65535}(?<A>)/expand
+ Failed: error 197 at offset 131075: too many capturing groups (maximum 65535)
+ 
++/( {32742} {42})(?<!\1{65481})/
++Failed: error 187 at offset 15: lookbehind assertion is too long
++
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
+-- 
+2.20.1
+
diff --git a/pcre2.spec b/pcre2.spec
index bcd2550..8722836 100644
--- a/pcre2.spec
+++ b/pcre2.spec
@@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.33
-Release:    %{?rcversion:0.}6%{?rcversion:.%rcversion}%{?dist}
+Release:    %{?rcversion:0.}7%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@@ -71,6 +71,12 @@ Patch7:     pcre2-10.33-Don-t-ignore-1-when-it-is-applied-to-a-parenthesized.pat
 # Fix a DFA to recognize a partial match if the end of a subject is encountered
 # in a lookahead, an atomic group, or a recursion, in upstream after 10.33
 Patch8:     pcre2-10.33-Fix-partial-matching-bug-in-pcre2_dfa_match.patch
+# 1/2 Fix an integer overflow when checking a lookbehind length,
+# in upstream after 10.33
+Patch9:     pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch
+# 2/2 Fix an integer overflow when checking a lookbehind length,
+# in upstream after 10.33
+Patch10:    pcre2-10.33-Additional-overflow-test.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@@ -155,6 +161,8 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
+%patch10 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@@ -253,6 +261,9 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 
 %changelog
+* Thu Jul 11 2019 Petr Pisar <ppisar@redhat.com> - 10.33-7
+- Fix an integer overflow when checking a lookbehind length
+
 * Wed Jul 03 2019 Petr Pisar <ppisar@redhat.com> - 10.33-6
 - Fix a DFA to recognize a partial match if the end of a subject is encountered
   in a lookahead, an atomic group, or a recursion