From 6a75cf73d1c9c269c501586ef7b83229edaa5b18 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Tue, 18 Apr 2017 14:03:40 +0200
Subject: [PATCH] Fix CVE-2017-7186 in JIT mode
---
 ...pe-detection-when-32-bit-and-UCP-are.patch | 119 ++++++++++++++++++
 pcre2.spec | 12 +-
 2 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 pcre2-10.23-Fix-character-type-detection-when-32-bit-and-UCP-are.patch
diff --git a/pcre2-10.23-Fix-character-type-detection-when-32-bit-and-UCP-are.patch b/pcre2-10.23-Fix-character-type-detection-when-32-bit-and-UCP-are.patch
new file mode 100644
index 0000000..29ee73d
--- /dev/null
+++ b/pcre2-10.23-Fix-character-type-detection-when-32-bit-and-UCP-are.patch
@@ -0,0 +1,119 @@
+From 749c2eb6994ee26c1fcf1eb7b57faf5c84e9878b Mon Sep 17 00:00:00 2001
+From: zherczeg
+Date: Fri, 31 Mar 2017 05:40:37 +0000
+Subject: [PATCH] Fix character type detection when 32-bit and UCP are enabled
+ but UTF is not in JIT.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@720 6239d852-aaf2-0410-a92c-79f79f948069
+Signed-off-by: Petr Písař
+---
+ src/pcre2_jit_compile.c | 31 +++++++++++++++++++++++++++++++
+ testdata/testinput12 | 2 +-
+ testdata/testoutput12-16 | 2 +-
+ testdata/testoutput12-32 | 2 +-
+ 4 files changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
+index 846510a..e93143d 100644
+--- a/src/pcre2_jit_compile.c
++++ b/src/pcre2_jit_compile.c
+@@ -588,6 +588,8 @@ the start pointers when the end of the capturing group has not yet reached. */
+ 
+ #define READ_CHAR_MAX 0x7fffffff
+ 
++#define INVALID_UTF_CHAR 888
++
+ static PCRE2_SPTR bracketend(PCRE2_SPTR cc)
+ {
+ SLJIT_ASSERT((*cc >= OP_ASSERT && *cc <= OP_ASSERTBACK_NOT) || (*cc >= OP_ONCE && *cc <= OP_SCOND));
+@@ -3558,10 +3560,30 @@ static void do_getucd(compiler_common *common)
+ /* Search the UCD record for the character comes in TMP1.
+ Returns chartype in TMP1 and UCD offset in TMP2. */
+ DEFINE_COMPILER;
++#if PCRE2_CODE_UNIT_WIDTH == 32
++struct sljit_jump *jump;
++#endif
++
++#if defined SLJIT_DEBUG && SLJIT_DEBUG
++/* dummy_ucd_record */
++const ucd_record *record = GET_UCD(INVALID_UTF_CHAR);
++SLJIT_ASSERT(record->script == ucp_Common && record->chartype == ucp_Cn && record->gbprop == ucp_gbOther);
++SLJIT_ASSERT(record->caseset == 0 && record->other_case == 0);
++#endif
+ 
+ SLJIT_ASSERT(UCD_BLOCK_SIZE == 128 && sizeof(ucd_record) == 8);
+ 
+ sljit_emit_fast_enter(compiler, RETURN_ADDR, 0);
++
++#if PCRE2_CODE_UNIT_WIDTH == 32
++if (!common->utf)
++ {
++ jump = CMP(SLJIT_LESS, TMP1, 0, SLJIT_IMM, MAX_UTF_CODE_POINT + 1);
++ OP1(SLJIT_MOV, TMP1, 0, SLJIT_IMM, INVALID_UTF_CHAR);
++ JUMPHERE(jump);
++ }
++#endif
++
+ OP2(SLJIT_LSHR, TMP2, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_SHIFT);
+ OP1(SLJIT_MOV_U8, TMP2, 0, SLJIT_MEM1(TMP2), (sljit_sw)PRIV(ucd_stage1));
+ OP2(SLJIT_AND, TMP1, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_MASK);
+@@ -5969,6 +5991,15 @@ if (needstype || needsscript)
+ if (needschar && !charsaved)
+ OP1(SLJIT_MOV, RETURN_ADDR, 0, TMP1, 0);
+ 
++#if PCRE2_CODE_UNIT_WIDTH == 32
++ if (!common->utf)
++ {
++ jump = CMP(SLJIT_LESS, TMP1, 0, SLJIT_IMM, MAX_UTF_CODE_POINT + 1);
++ OP1(SLJIT_MOV, TMP1, 0, SLJIT_IMM, INVALID_UTF_CHAR);
++ JUMPHERE(jump);
++ }
++#endif
++
+ OP2(SLJIT_LSHR, TMP2, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_SHIFT);
+ OP1(SLJIT_MOV_U8, TMP2, 0, SLJIT_MEM1(TMP2), (sljit_sw)PRIV(ucd_stage1));
+ OP2(SLJIT_AND, TMP1, 0, TMP1, 0, SLJIT_IMM, UCD_BLOCK_MASK);
+diff --git a/testdata/testinput12 b/testdata/testinput12
+index decfe82..cca5dfa 100644
+--- a/testdata/testinput12
++++ b/testdata/testinput12
+@@ -361,6 +361,6 @@
+ /[\s[:^ascii:]]/B,ucp
+ 
+ /\pP/ucp
+- \x{7fffffff}\=no_jit
++ \x{7fffffff}
+ 
+ # End of testinput12
+diff --git a/testdata/testoutput12-16 b/testdata/testoutput12-16
+index 41e0a48..33b8a33 100644
+--- a/testdata/testoutput12-16
++++ b/testdata/testoutput12-16
+@@ -1416,7 +1416,7 @@ No match
+ ------------------------------------------------------------------
+ 
+ /\pP/ucp
+- \x{7fffffff}\=no_jit
++ \x{7fffffff}
+ ** Character \x{7fffffff} is greater than 0xffff and UTF-16 mode is not enabled.
+ ** Truncation will probably give the wrong result.
+ No match
+diff --git a/testdata/testoutput12-32 b/testdata/testoutput12-32
+index e9130b9..1abeb59 100644
+--- a/testdata/testoutput12-32
++++ b/testdata/testoutput12-32
+@@ -1410,7 +1410,7 @@ No match
+ ------------------------------------------------------------------
+ 
+ /\pP/ucp
+- \x{7fffffff}\=no_jit
++ \x{7fffffff}
+ No match
+ 
+ # End of testinput12
+-- 
+2.7.4
+
diff --git a/pcre2.spec b/pcre2.spec
index d513ee7..cfbd259 100644
--- a/pcre2.spec
+++ b/pcre2.spec
@@ -2,7 +2,7 @@
 #%%global rcversion RC1
 Name: pcre2
 Version: 10.23
-Release: %{?rcversion:0.}5%{?rcversion:.%rcversion}%{?dist}
+Release: %{?rcversion:0.}6%{?rcversion:.%rcversion}%{?dist}
 %global myversion %{version}%{?rcversion:-%rcversion}
 Summary: Perl-compatible regular expression library
 Group: System Environment/Libraries
@@ -70,6 +70,10 @@ Patch10: pcre2-10.23-Fix-misbehaving-DFA-match-for-possessively-repeated-.pat
 # Use a memory allocator from the pattern if no context is supplied to
 # pcre2_match(), in upsream after 10.23
 Patch11: pcre2-10.23-Fix-bug-introduced-at-10.21-use-memory-allocator-fro.patch
+# Fix CVE-2017-7186 in JIT mode (a crash when finding a Unicode property for
+# a character with a code point greater than 0x10ffff in UTF-32 library while
+# UTF mode is disabled), upstream bug #2052, in upstream after 10.23
+Patch12: pcre2-10.23-Fix-character-type-detection-when-32-bit-and-UCP-are.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: coreutils
@@ -157,6 +161,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
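Review bot: `+#define INVALID_UTF_CHAR 888` in the first pcre2_jit_compile.c hunk is a bare magic number whose justification lives only in the SLJIT_DEBUG assertions added to do_getucd, which are compiled out of release builds, so a reader cannot tell why 888 is a safe substitute. I would add above the define `/* Code point whose UCD record is the dummy record (ucp_Common, ucp_Cn, ucp_gbOther, no case data); substituted for code points above MAX_UTF_CODE_POINT in 32-bit non-UTF mode so the ucd_stage1 lookup stays in bounds. */`. The same clamp is emitted at two sites (do_getucd and the `needstype || needsscript` path in the third hunk); at the second site `jump` is declared outside the hunk so its type cannot be checked here, and both enclosing functions start and end outside the hunk. The clamp also relies on CMP(SLJIT_LESS, ...) being an unsigned comparison so that code units at or above 0x80000000 are caught too; if that is the sljit semantics, as it appears to be, a one-line comment on the CMP would save the next reader a trip into sljit. Since this file is a verbatim backport of the upstream commit, these comments belong upstream rather than in the distro patch.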
@@ -255,6 +260,11 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 
 %changelog
+* Tue Apr 18 2017 Petr Pisar - 10.23-6
+- Fix CVE-2017-7186 in JIT mode (a crash when finding a Unicode property for
+ a character with a code point greater than 0x10ffff in UTF-32 library while
+ UTF mode is disabled), upstream bug #2052, in upstream after 10.23
+
 * Mon Mar 27 2017 Petr Pisar - 10.23-5
 - Fix DFA match for a possessively repeated character class (upstream bug #2086)
 - Use a memory allocator from the pattern if no context is supplied to