Fix an incorrect computation of a group length when a branch exceeds 65535

2019-08-05 11:00:51 +02:00 · 2019-08-05 11:00:51 +02:00 · 47a183090f
commit 47a183090f
parent 3ba0e7ba2f
2 changed files with 143 additions and 1 deletions
--- a/pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch
+++ b/pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch
@ -0,0 +1,134 @@
+From 4c3e518bff94e5f206a63e3a1e5d7e570402786b Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Sat, 3 Aug 2019 08:30:40 +0000
+Subject: [PATCH] Fix incorrect computation of group length when one branch
+ exceeded 65535.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1155 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.33.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/pcre2_study.c    | 18 ++++++++++++------
+ testdata/testinput2  |  8 ++++++++
+ testdata/testoutput2 | 27 +++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+), 6 deletions(-)
+
+diff --git a/src/pcre2_study.c b/src/pcre2_study.c
+index e883c2e..cb5e7f1 100644
+--- a/src/pcre2_study.c
+++ b/src/pcre2_study.c
+@@ -103,6 +103,7 @@ find_minlength(const pcre2_real_code *re, PCRE2_SPTR code,
+   int *backref_cache)
+ {
+ int length = -1;
+int branchlength = 0;
+ int prev_cap_recno = -1;
+ int prev_cap_d = 0;
+ int prev_recurse_recno = -1;
+@@ -110,9 +111,9 @@ int prev_recurse_d = 0;
+ uint32_t once_fudge = 0;
+ BOOL had_recurse = FALSE;
+ BOOL dupcapused = (re->flags & PCRE2_DUPCAPUSED) != 0;
+-recurse_check this_recurse;
+-int branchlength = 0;
+PCRE2_SPTR nextbranch = code + GET(code, 1);
+ PCRE2_UCHAR *cc = (PCRE2_UCHAR *)code + 1 + LINK_SIZE;
+recurse_check this_recurse;
+ 
+ /* If this is a "could be empty" group, its minimum length is 0. */
+ 
+@@ -128,16 +129,20 @@ if ((*countptr)++ > 1000) return -1;
+ 
+ /* Scan along the opcodes for this branch. If we get to the end of the branch,
+ check the length against that of the other branches. If the accumulated length
+-passes 16-bits, stop. */
+passes 16-bits, reset to that value and skip the rest of the branch. */
+ 
+ for (;;)
+   {
+   int d, min, recno;
+-  PCRE2_UCHAR *cs, *ce;
+-  PCRE2_UCHAR op = *cc;
+  PCRE2_UCHAR op, *cs, *ce;
+ 
+-  if (branchlength >= UINT16_MAX) return UINT16_MAX;
+  if (branchlength >= UINT16_MAX)
+    {
+    branchlength = UINT16_MAX;
+    cc = (PCRE2_UCHAR *)nextbranch;
+    }
+ 
+  op = *cc;
+   switch (op)
+     {
+     case OP_COND:
+@@ -227,6 +232,7 @@ for (;;)
+     if (length < 0 || (!had_recurse && branchlength < length))
+       length = branchlength;
+     if (op != OP_ALT) return length;
+    nextbranch = cc + GET(cc, 1);
+     cc += 1 + LINK_SIZE;
+     branchlength = 0;
+     had_recurse = FALSE;
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index 1bfe591..384239a 100644
+--- a/testdata/testinput2
+++ b/testdata/testinput2
+@@ -5603,4 +5603,12 @@ a)"xI
+ # Expect error (recursion => not fixed length)
+ /(\2)((?=(?<=\1)))/
+ 
+/\A\s*(a|(?:[^`]{28500}){4})/I
+    a
+
+/\A\s*((?:[^`]{28500}){4})/I
+
+/\A\s*((?:[^`]{28500}){4}|a)/I
+    a
+
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index 758b4db..0983741 100644
+--- a/testdata/testoutput2
+++ b/testdata/testoutput2
+@@ -16956,6 +16956,33 @@ No match
+ /(\2)((?=(?<=\1)))/
+ Failed: error 125 at offset 8: lookbehind assertion is not fixed length
+ 
+/\A\s*(a|(?:[^`]{28500}){4})/I
+Capture group count = 1
+Max lookbehind = 1
+Compile options: <none>
+Overall options: anchored
+Subject length lower bound = 1
+    a
+ 0: a
+ 1: a
+
+/\A\s*((?:[^`]{28500}){4})/I
+Capture group count = 1
+Max lookbehind = 1
+Compile options: <none>
+Overall options: anchored
+Subject length lower bound = 65535
+
+/\A\s*((?:[^`]{28500}){4}|a)/I
+Capture group count = 1
+Max lookbehind = 1
+Compile options: <none>
+Overall options: anchored
+Subject length lower bound = 1
+    a
+ 0: a
+ 1: a
+
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
+-- 
+2.20.1
+
--- a/pcre2.spec
+++ b/pcre2.spec
@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.33
-Release:    %{?rcversion:0.}9%{?rcversion:.%rcversion}%{?dist}.1
+Release:    %{?rcversion:0.}10%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@ -83,6 +83,9 @@ Patch11:    pcre2-10.33-Fix-lookbehind-within-lookahead-within-lookbehind-mi.pat
 # 2/2 Fix a mismatch with a lookbehind within a lookahead within a lookbehind,
 # upstream bug #2412, in upstream after 10.33
 Patch12:    pcre2-10.33-Fix-bug-in-recent-patch-for-lookbehinds-within-looka.patch
+# Fix an incorrect computation of a group length when a branch exceeds 65535,
+# upstream bug #2428, in upstream after 10.33
+Patch13:    pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@ -171,6 +174,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@ -269,6 +273,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*

 %changelog
+* Mon Aug 05 2019 Petr Pisar <ppisar@redhat.com> - 10.33-10
+- Fix an incorrect computation of a group length when a branch exceeds 65535
+  (upstream bug #2428)
+
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 10.33-9.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild