Fix an integer overflow when checking a lookbehind length

2019-07-11 10:17:01 +02:00 · 2019-07-11 10:17:01 +02:00 · 0f3dd4d6aa
commit 0f3dd4d6aa
parent 56a2aceb59
3 changed files with 174 additions and 1 deletions
--- a/pcre2-10.33-Additional-overflow-test.patch
+++ b/pcre2-10.33-Additional-overflow-test.patch
@ -0,0 +1,54 @@
 From bcf39c1828399ebc33fb92c4edaf2bdd5f891a58 Mon Sep 17 00:00:00 2001
 From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
 Date: Fri, 5 Jul 2019 15:49:37 +0000
 Subject: [PATCH] Additional overflow test.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1127 6239d852-aaf2-0410-a92c-79f79f948069
 Petr Písař: Ported to 10.33.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 testdata/testinput2  | 4 ++++
 testdata/testoutput2 | 5 +++++
 2 files changed, 9 insertions(+)
 diff --git a/testdata/testinput2 b/testdata/testinput2
 index 079d6d8..9412bf6 100644
 --- a/testdata/testinput2
 +++ b/testdata/testinput2
@@ -5591,6 +5591,10 @@ a)"xI
 /\[()]{65535}(?<A>)/expand
 +# Addition overflow
 /( {32742} {42})(?<!\1{65481})/
 +# Multiplication overflow
 +/(X{65535})(?<=\1{32770})/
 +
 # End of testinput2
 diff --git a/testdata/testoutput2 b/testdata/testoutput2
 index bfe61a3..950095f 100644
 --- a/testdata/testoutput2
 +++ b/testdata/testoutput2
@@ -16940,9 +16940,14 @@ Failed: error 197 at offset 131071: too many capturing groups (maximum 65535)
 /\[()]{65535}(?<A>)/expand
 Failed: error 197 at offset 131075: too many capturing groups (maximum 65535)
 +# Addition overflow
 /( {32742} {42})(?<!\1{65481})/
 Failed: error 187 at offset 15: lookbehind assertion is too long
 +# Multiplication overflow
 +/(X{65535})(?<=\1{32770})/
 +Failed: error 187 at offset 10: lookbehind assertion is too long
 +
 # End of testinput2
 Error -70: PCRE2_ERROR_BADDATA (unknown error number)
 Error -62: bad serialized data
 -- 
 2.20.1
--- a/pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch
+++ b/pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch
@ -0,0 +1,108 @@
 From cdefe642dc2e6b5b8e6703773934813f317bc488 Mon Sep 17 00:00:00 2001
 From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
 Date: Thu, 4 Jul 2019 17:01:53 +0000
 Subject: [PATCH] Check for integer overflow when computing lookbehind lengths.
 Fixes Clusterfuzz issue 13656.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1126 6239d852-aaf2-0410-a92c-79f79f948069
 Petr Písař: Ported to 10.33.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 src/pcre2_compile.c  | 38 ++++++++++++++++++++++++++++----------
 testdata/testinput2  |  2 ++
 testdata/testoutput2 |  3 +++
 3 files changed, 33 insertions(+), 10 deletions(-)
 diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
 index c82c6ca..f6e0a0b 100644
 --- a/src/pcre2_compile.c
 +++ b/src/pcre2_compile.c
@@ -9197,8 +9197,26 @@ for (;; pptr++)
     case META_MINMAX_QUERY:
     if (pptr[1] == pptr[2])
       {
 -      if (pptr[1] == 0) branchlength -= lastitemlength;
 -        else itemlength = (pptr[1] - 1) * lastitemlength;
 +      switch(pptr[1])
 +        {
 +        case 0:
 +        branchlength -= lastitemlength;
 +        break;
 +
 +        case 1:
 +        itemlength = 0;
 +        break;
 +
 +        default:  /* Check for integer overflow */
 +        if (lastitemlength != 0 &&  /* Should not occur, but just in case */
 +            INT_MAX/lastitemlength < pptr[1] - 1)
 +          {
 +          *errcodeptr = ERR87;  /* Integer overflow; lookbehind too big */
 +          return -1;
 +          }
 +        itemlength = (pptr[1] - 1) * lastitemlength;
 +        break;
 +        }
       pptr += 2;
       break;
       }
@@ -9212,19 +9230,19 @@ for (;; pptr++)
     return -1;
     }
 -  /* Add the item length to the branchlength, and save it for use if the next
 -  thing is a quantifier. */
 -
 -  branchlength += itemlength;
 -  lastitemlength = itemlength;
 -
 -  /* Ensure that the length does not overflow the limit. */
 +  /* Add the item length to the branchlength, checking for integer overflow and
 +  for the branch length exceeding the limit. */
 -  if (branchlength > LOOKBEHIND_MAX)
 +  if (INT_MAX - branchlength < (int)itemlength ||
 +      (branchlength += itemlength) > LOOKBEHIND_MAX)
     {
     *errcodeptr = ERR87;
     return -1;
     }
 +
 +  /* Save this item length for use if the next item is a quantifier. */
 +
 +  lastitemlength = itemlength;
   }
 EXIT:
 diff --git a/testdata/testinput2 b/testdata/testinput2
 index 8a98f94..079d6d8 100644
 --- a/testdata/testinput2
 +++ b/testdata/testinput2
@@ -5591,4 +5591,6 @@ a)"xI
 /\[()]{65535}(?<A>)/expand
 +/( {32742} {42})(?<!\1{65481})/
 +
 # End of testinput2
 diff --git a/testdata/testoutput2 b/testdata/testoutput2
 index 158fbad..bfe61a3 100644
 --- a/testdata/testoutput2
 +++ b/testdata/testoutput2
@@ -16940,6 +16940,9 @@ Failed: error 197 at offset 131071: too many capturing groups (maximum 65535)
 /\[()]{65535}(?<A>)/expand
 Failed: error 197 at offset 131075: too many capturing groups (maximum 65535)
 +/( {32742} {42})(?<!\1{65481})/
 +Failed: error 187 at offset 15: lookbehind assertion is too long
 +
 # End of testinput2
 Error -70: PCRE2_ERROR_BADDATA (unknown error number)
 Error -62: bad serialized data
 -- 
 2.20.1
--- a/pcre2.spec
+++ b/pcre2.spec
@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.33
-Release:    %{?rcversion:0.}6%{?rcversion:.%rcversion}%{?dist}
+Release:    %{?rcversion:0.}7%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@ -71,6 +71,12 @@ Patch7:     pcre2-10.33-Don-t-ignore-1-when-it-is-applied-to-a-parenthesized.pat
 # Fix a DFA to recognize a partial match if the end of a subject is encountered
 # in a lookahead, an atomic group, or a recursion, in upstream after 10.33
 Patch8:     pcre2-10.33-Fix-partial-matching-bug-in-pcre2_dfa_match.patch
 # 1/2 Fix an integer overflow when checking a lookbehind length,
 # in upstream after 10.33
 Patch9:     pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.patch
 # 2/2 Fix an integer overflow when checking a lookbehind length,
 # in upstream after 10.33
 Patch10:    pcre2-10.33-Additional-overflow-test.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@ -155,6 +161,8 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@ -253,6 +261,9 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 %changelog
 * Thu Jul 11 2019 Petr Pisar <ppisar@redhat.com> - 10.33-7
 - Fix an integer overflow when checking a lookbehind length
 * Wed Jul 03 2019 Petr Pisar <ppisar@redhat.com> - 10.33-6
 - Fix a DFA to recognize a partial match if the end of a subject is encountered
  in a lookahead, an atomic group, or a recursion