Fix a crash in JIT match when a subject has a zero length and an invalid pointer

pcre2-10.33-Add-underflow-check-in-JIT.patch

@@ -0,0 +1,39 @@
+From bc7fb8964ca3a422f472189b0eff751c1cc377b0 Mon Sep 17 00:00:00 2001
+From: zherczeg <zherczeg@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Mon, 9 Sep 2019 07:12:00 +0000
+Subject: [PATCH] Add underflow check in JIT.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1167 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.33.
+---
+ src/pcre2_jit_compile.c | 8 ++++++--
+
+diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
+index 8cbd8f9..79a27fd 100644
+--- a/src/pcre2_jit_compile.c
++++ b/src/pcre2_jit_compile.c
+@@ -5793,12 +5793,16 @@ if (common->match_end_ptr != 0)
+   {
+   OP1(SLJIT_MOV, TMP1, 0, SLJIT_MEM1(SLJIT_SP), common->match_end_ptr);
+   OP1(SLJIT_MOV, TMP3, 0, STR_END, 0);
+-  OP2(SLJIT_SUB, STR_END, 0, STR_END, 0, SLJIT_IMM, IN_UCHARS(max));
++  OP2(SLJIT_SUB | SLJIT_SET_LESS, STR_END, 0, STR_END, 0, SLJIT_IMM, IN_UCHARS(max));
++  add_jump(compiler, &common->failed_match, JUMP(SLJIT_LESS));
+   OP2(SLJIT_SUB | SLJIT_SET_GREATER, SLJIT_UNUSED, 0, STR_END, 0, TMP1, 0);
+   CMOV(SLJIT_GREATER, STR_END, TMP1, 0);
+   }
+ else
+-  OP2(SLJIT_SUB, STR_END, 0, STR_END, 0, SLJIT_IMM, IN_UCHARS(max));
++  {
++  OP2(SLJIT_SUB | SLJIT_SET_LESS, STR_END, 0, STR_END, 0, SLJIT_IMM, IN_UCHARS(max));
++  add_jump(compiler, &common->failed_match, JUMP(SLJIT_LESS));
++  }
+ 
+ SLJIT_ASSERT(range_right >= 0);
+ 
+-- 
+2.21.0
+

pcre2.spec

@@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.33
-Release:    %{?rcversion:0.}13%{?rcversion:.%rcversion}%{?dist}
+Release:    %{?rcversion:0.}14%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@@ -94,6 +94,9 @@ Patch14:    pcre2-10.33-Fix-allusedtext-bug-rightmost-consulted-character-in.pat
 # upstream bug #2433, in upstream after 10.33, fixes a bug introduced in
 # Fix-lookbehind-within-lookahead-within-lookbehind-mi.patch
 Patch15:    pcre2-10.33-Fix-bug-introduced-in-commit-1133.-Lookbehinds-that-.patch
+# Fix a crash in JIT match when a subject has a zero length and an invalid
+# pointer, upstream bug #2440, in upstream after 10.33
+Patch16:    pcre2-10.33-Add-underflow-check-in-JIT.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@@ -187,6 +190,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@@ -285,6 +289,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 
 %changelog
+* Mon Sep 09 2019 Petr Pisar <ppisar@redhat.com> - 10.33-14
+- Fix a crash in JIT match when a subject has a zero length and an invalid
+  pointer (upstream bug #2440)
+
 * Tue Aug 27 2019 Petr Pisar <ppisar@redhat.com> - 10.33-13
 - Readd a fix for a mismatch with a lookbehind within a lookahead within
   a lookbehind and fix the regression in matching a lookbehind after