From 47a183090f3590c393321aa3bdee113f192502b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Mon, 5 Aug 2019 11:00:51 +0200 Subject: [PATCH] Fix an incorrect computation of a group length when a branch exceeds 65535 --- ...mputation-of-group-length-when-one-b.patch | 134 ++++++++++++++++++ pcre2.spec | 10 +- 2 files changed, 143 insertions(+), 1 deletion(-) create mode 100644 pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch diff --git a/pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch b/pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch new file mode 100644 index 0000000..bcfeeaf --- /dev/null +++ b/pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch 
@@ -0,0 +1,134 @@ +From 4c3e518bff94e5f206a63e3a1e5d7e570402786b Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Sat, 3 Aug 2019 08:30:40 +0000 +Subject: [PATCH] Fix incorrect computation of group length when one branch + exceeded 65535. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1155 6239d852-aaf2-0410-a92c-79f79f948069 +Petr Písař: Ported to 10.33. + +Signed-off-by: Petr Písař +--- + src/pcre2_study.c | 18 ++++++++++++------ + testdata/testinput2 | 8 ++++++++ + testdata/testoutput2 | 27 +++++++++++++++++++++++++++ + 3 files changed, 47 insertions(+), 6 deletions(-) + +diff --git a/src/pcre2_study.c b/src/pcre2_study.c +index e883c2e..cb5e7f1 100644 +--- a/src/pcre2_study.c ++++ b/src/pcre2_study.c +@@ -103,6 +103,7 @@ find_minlength(const pcre2_real_code *re, PCRE2_SPTR code, + int *backref_cache) + { + int length = -1; ++int branchlength = 0; + int prev_cap_recno = -1; + int prev_cap_d = 0; + int prev_recurse_recno = -1; +@@ -110,9 +111,9 @@ int prev_recurse_d = 0; + uint32_t once_fudge = 0; + BOOL had_recurse = FALSE; + BOOL dupcapused = (re->flags & PCRE2_DUPCAPUSED) != 0; +-recurse_check this_recurse; +-int branchlength = 0; ++PCRE2_SPTR nextbranch = code + GET(code, 1); + PCRE2_UCHAR *cc = (PCRE2_UCHAR *)code + 1 + LINK_SIZE; ++recurse_check this_recurse; + + /* If this is a "could be empty" group, its minimum length is 0. */ + +@@ -128,16 +129,20 @@ if ((*countptr)++ > 1000) return -1; + + /* Scan along the opcodes for this branch. If we get to the end of the branch, + check the length against that of the other branches. If the accumulated length +-passes 16-bits, stop. */ ++passes 16-bits, reset to that value and skip the rest of the branch. 
*/ + + for (;;) + { + int d, min, recno; +- PCRE2_UCHAR *cs, *ce; +- PCRE2_UCHAR op = *cc; ++ PCRE2_UCHAR op, *cs, *ce; + +- if (branchlength >= UINT16_MAX) return UINT16_MAX; ++ if (branchlength >= UINT16_MAX) ++ { ++ branchlength = UINT16_MAX; ++ cc = (PCRE2_UCHAR *)nextbranch; ++ } + ++ op = *cc; + switch (op) + { + case OP_COND: +@@ -227,6 +232,7 @@ for (;;) + if (length < 0 || (!had_recurse && branchlength < length)) + length = branchlength; + if (op != OP_ALT) return length; ++ nextbranch = cc + GET(cc, 1); + cc += 1 + LINK_SIZE; + branchlength = 0; + had_recurse = FALSE; +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 1bfe591..384239a 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -5603,4 +5603,12 @@ a)"xI + # Expect error (recursion => not fixed length) + /(\2)((?=(?<=\1)))/ + ++/\A\s*(a|(?:[^`]{28500}){4})/I ++ a ++ ++/\A\s*((?:[^`]{28500}){4})/I ++ ++/\A\s*((?:[^`]{28500}){4}|a)/I ++ a ++ + # End of testinput2 +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index 758b4db..0983741 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -16956,6 +16956,33 @@ No match + /(\2)((?=(?<=\1)))/ + Failed: error 125 at offset 8: lookbehind assertion is not fixed length + ++/\A\s*(a|(?:[^`]{28500}){4})/I ++Capture group count = 1 ++Max lookbehind = 1 ++Compile options: ++Overall options: anchored ++Subject length lower bound = 1 ++ a ++ 0: a ++ 1: a ++ ++/\A\s*((?:[^`]{28500}){4})/I ++Capture group count = 1 ++Max lookbehind = 1 ++Compile options: ++Overall options: anchored ++Subject length lower bound = 65535 ++ ++/\A\s*((?:[^`]{28500}){4}|a)/I ++Capture group count = 1 ++Max lookbehind = 1 ++Compile options: ++Overall options: anchored ++Subject length lower bound = 1 ++ a ++ 0: a ++ 1: a ++ + # End of testinput2 + Error -70: PCRE2_ERROR_BADDATA (unknown error number) + Error -62: bad serialized data +-- +2.20.1 + diff --git a/pcre2.spec b/pcre2.spec index 1655cd0..1409140 100644 --- a/pcre2.spec 
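Review bot: The new skip in the src/pcre2_study.c part (`cc = (PCRE2_UCHAR *)nextbranch;` inside the `branchlength >= UINT16_MAX` block) relies on an invariant that nothing at the declaration of `nextbranch` states. That invariant is that `nextbranch` always addresses the opcode ending the branch currently being scanned, presumably the next OP_ALT or the group's closing opcode. It is maintained in two separate places, the initialiser `code + GET(code, 1)` and the `nextbranch = cc + GET(cc, 1);` update after the `op != OP_ALT` check, so I would add a comment above the declaration such as `/* End of the branch being scanned, taken from its link field; used to skip the rest of a branch once its length reaches UINT16_MAX. */`. Stating this matters because a stale pointer would either re-scan opcodes or report too large a lower bound, and the added expected output (`Subject length lower bound = 1` for the patterns with an `a` alternative) shows that an inflated bound makes valid subjects fail to match, which is significant wherever the pattern is used to validate or filter input. The body of `find_minlength` starts and ends outside the hunk, so the handling of the opcode reached after the jump is inferred from the visible lines only.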
+++ b/pcre2.spec @@ -9,7 +9,7 @@ #%%global rcversion RC1 Name: pcre2 Version: 10.33 -Release: %{?rcversion:0.}9%{?rcversion:.%rcversion}%{?dist}.1 +Release: %{?rcversion:0.}10%{?rcversion:.%rcversion}%{?dist} %global myversion %{version}%{?rcversion:-%rcversion} Summary: Perl-compatible regular expression library # the library: BSD with exceptions @@ -83,6 +83,9 @@ Patch11: pcre2-10.33-Fix-lookbehind-within-lookahead-within-lookbehind-mi.pat # 2/2 Fix a mismatch with a lookbehind within a lookahead within a lookbehind, # upstream bug #2412, in upstream after 10.33 Patch12: pcre2-10.33-Fix-bug-in-recent-patch-for-lookbehinds-within-looka.patch +# Fix an incorrect computation of a group length when a branch exceeds 65535, +# upstream bug #2428, in upstream after 10.33 +Patch13: pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: coreutils @@ -171,6 +174,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test. %patch10 -p1 %patch11 -p1 %patch12 -p1 +%patch13 -p1 # Because of multilib patch libtoolize --copy --force autoreconf -vif @@ -269,6 +273,10 @@ make %{?_smp_mflags} check VERBOSE=yes %{_mandir}/man1/pcre2test.* %changelog +* Mon Aug 05 2019 Petr Pisar - 10.33-10 +- Fix an incorrect computation of a group length when a branch exceeds 65535 + (upstream bug #2428) + * Fri Jul 26 2019 Fedora Release Engineering - 10.33-9.1 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild