Fix an incorrect computation of a group length when a branch exceeds 65535

2019-08-05 11:00:51 +02:00 · 2019-08-05 11:00:51 +02:00 · 47a183090f
commit 47a183090f
parent 3ba0e7ba2f
2 changed files with 143 additions and 1 deletions
--- a/pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch
+++ b/pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch
@ -0,0 +1,134 @@
 From 4c3e518bff94e5f206a63e3a1e5d7e570402786b Mon Sep 17 00:00:00 2001
 From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
 Date: Sat, 3 Aug 2019 08:30:40 +0000
 Subject: [PATCH] Fix incorrect computation of group length when one branch
 exceeded 65535.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1155 6239d852-aaf2-0410-a92c-79f79f948069
 Petr Písař: Ported to 10.33.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 src/pcre2_study.c    | 18 ++++++++++++------
 testdata/testinput2  |  8 ++++++++
 testdata/testoutput2 | 27 +++++++++++++++++++++++++++
 3 files changed, 47 insertions(+), 6 deletions(-)
 diff --git a/src/pcre2_study.c b/src/pcre2_study.c
 index e883c2e..cb5e7f1 100644
 --- a/src/pcre2_study.c
 +++ b/src/pcre2_study.c
@@ -103,6 +103,7 @@ find_minlength(const pcre2_real_code *re, PCRE2_SPTR code,
   int *backref_cache)
 {
 int length = -1;
 +int branchlength = 0;
 int prev_cap_recno = -1;
 int prev_cap_d = 0;
 int prev_recurse_recno = -1;
@@ -110,9 +111,9 @@ int prev_recurse_d = 0;
 uint32_t once_fudge = 0;
 BOOL had_recurse = FALSE;
 BOOL dupcapused = (re->flags & PCRE2_DUPCAPUSED) != 0;
 -recurse_check this_recurse;
 -int branchlength = 0;
 +PCRE2_SPTR nextbranch = code + GET(code, 1);
 PCRE2_UCHAR *cc = (PCRE2_UCHAR *)code + 1 + LINK_SIZE;
 +recurse_check this_recurse;
 /* If this is a "could be empty" group, its minimum length is 0. */
@@ -128,16 +129,20 @@ if ((*countptr)++ > 1000) return -1;
 /* Scan along the opcodes for this branch. If we get to the end of the branch,
 check the length against that of the other branches. If the accumulated length
 -passes 16-bits, stop. */
 +passes 16-bits, reset to that value and skip the rest of the branch. */
 for (;;)
   {
   int d, min, recno;
 -  PCRE2_UCHAR *cs, *ce;
 -  PCRE2_UCHAR op = *cc;
 +  PCRE2_UCHAR op, *cs, *ce;
 -  if (branchlength >= UINT16_MAX) return UINT16_MAX;
 +  if (branchlength >= UINT16_MAX)
 +    {
 +    branchlength = UINT16_MAX;
 +    cc = (PCRE2_UCHAR *)nextbranch;
 +    }
 +  op = *cc;
   switch (op)
     {
     case OP_COND:
@@ -227,6 +232,7 @@ for (;;)
     if (length < 0 || (!had_recurse && branchlength < length))
       length = branchlength;
     if (op != OP_ALT) return length;
 +    nextbranch = cc + GET(cc, 1);
     cc += 1 + LINK_SIZE;
     branchlength = 0;
     had_recurse = FALSE;
 diff --git a/testdata/testinput2 b/testdata/testinput2
 index 1bfe591..384239a 100644
 --- a/testdata/testinput2
 +++ b/testdata/testinput2
@@ -5603,4 +5603,12 @@ a)"xI
 # Expect error (recursion => not fixed length)
 /(\2)((?=(?<=\1)))/
 +/\A\s*(a|(?:[^`]{28500}){4})/I
 +    a
 +
 +/\A\s*((?:[^`]{28500}){4})/I
 +
 +/\A\s*((?:[^`]{28500}){4}|a)/I
 +    a
 +
 # End of testinput2
 diff --git a/testdata/testoutput2 b/testdata/testoutput2
 index 758b4db..0983741 100644
 --- a/testdata/testoutput2
 +++ b/testdata/testoutput2
@@ -16956,6 +16956,33 @@ No match
 /(\2)((?=(?<=\1)))/
 Failed: error 125 at offset 8: lookbehind assertion is not fixed length
 +/\A\s*(a|(?:[^`]{28500}){4})/I
 +Capture group count = 1
 +Max lookbehind = 1
 +Compile options: <none>
 +Overall options: anchored
 +Subject length lower bound = 1
 +    a
 + 0: a
 + 1: a
 +
 +/\A\s*((?:[^`]{28500}){4})/I
 +Capture group count = 1
 +Max lookbehind = 1
 +Compile options: <none>
 +Overall options: anchored
 +Subject length lower bound = 65535
 +
 +/\A\s*((?:[^`]{28500}){4}|a)/I
 +Capture group count = 1
 +Max lookbehind = 1
 +Compile options: <none>
 +Overall options: anchored
 +Subject length lower bound = 1
 +    a
 + 0: a
 + 1: a
 +
 # End of testinput2
 Error -70: PCRE2_ERROR_BADDATA (unknown error number)
 Error -62: bad serialized data
 -- 
 2.20.1
--- a/pcre2.spec
+++ b/pcre2.spec
@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.33
-Release:    %{?rcversion:0.}9%{?rcversion:.%rcversion}%{?dist}.1
+Release:    %{?rcversion:0.}10%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@ -83,6 +83,9 @@ Patch11:    pcre2-10.33-Fix-lookbehind-within-lookahead-within-lookbehind-mi.pat
 # 2/2 Fix a mismatch with a lookbehind within a lookahead within a lookbehind,
 # upstream bug #2412, in upstream after 10.33
 Patch12:    pcre2-10.33-Fix-bug-in-recent-patch-for-lookbehinds-within-looka.patch
 # Fix an incorrect computation of a group length when a branch exceeds 65535,
 # upstream bug #2428, in upstream after 10.33
 Patch13:    pcre2-10.33-Fix-incorrect-computation-of-group-length-when-one-b.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@ -171,6 +174,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@ -269,6 +273,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 %changelog
 * Mon Aug 05 2019 Petr Pisar <ppisar@redhat.com> - 10.33-10
 - Fix an incorrect computation of a group length when a branch exceeds 65535
  (upstream bug #2428)
 * Fri Jul 26 2019 Fedora Release Engineering <releng@fedoraproject.org> - 10.33-9.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild