Fix a use after free when freeing JIT memory

2019-10-29 17:00:32 +01:00 · 2019-10-29 17:00:32 +01:00 · 74b9e8096b
commit 74b9e8096b
parent 166ed27379
2 changed files with 76 additions and 1 deletions
--- a/pcre2-10.33-Fix-use-after-free-and-compilation-error-in-JIT.patch
+++ b/pcre2-10.33-Fix-use-after-free-and-compilation-error-in-JIT.patch
@ -0,0 +1,68 @@
+From 2a182963f0b897ea898693771b885a5cead47826 Mon Sep 17 00:00:00 2001
+From: zherczeg <zherczeg@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Sun, 6 Oct 2019 03:36:20 +0000
+Subject: [PATCH] Fix use after free and compilation error in JIT.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1175 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.33.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/pcre2_jit_compile.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
+index bd423a7..aea563d 100644
+--- a/src/pcre2_jit_compile.c
+++ b/src/pcre2_jit_compile.c
+@@ -13749,7 +13749,7 @@ if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler)))
+   sljit_free_compiler(compiler);
+   SLJIT_FREE(common->optimized_cbracket, allocator_data);
+   SLJIT_FREE(common->private_data_ptrs, allocator_data);
+-  PRIV(jit_free_rodata)(common->read_only_data_head, compiler->allocator_data);
+  PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data);
+   return PCRE2_ERROR_NOMEMORY;
+   }
+ 
+@@ -13803,7 +13803,7 @@ if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler)))
+   sljit_free_compiler(compiler);
+   SLJIT_FREE(common->optimized_cbracket, allocator_data);
+   SLJIT_FREE(common->private_data_ptrs, allocator_data);
+-  PRIV(jit_free_rodata)(common->read_only_data_head, compiler->allocator_data);
+  PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data);
+   return PCRE2_ERROR_NOMEMORY;
+   }
+ 
+@@ -13892,7 +13892,7 @@ while (common->currententry != NULL)
+     sljit_free_compiler(compiler);
+     SLJIT_FREE(common->optimized_cbracket, allocator_data);
+     SLJIT_FREE(common->private_data_ptrs, allocator_data);
+-    PRIV(jit_free_rodata)(common->read_only_data_head, compiler->allocator_data);
+    PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data);
+     return PCRE2_ERROR_NOMEMORY;
+     }
+   flush_stubs(common);
+@@ -14044,7 +14044,7 @@ while (label_addr != NULL)
+ sljit_free_compiler(compiler);
+ if (executable_func == NULL)
+   {
+-  PRIV(jit_free_rodata)(common->read_only_data_head, compiler->allocator_data);
+  PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data);
+   return PCRE2_ERROR_NOMEMORY;
+   }
+ 
+@@ -14059,7 +14059,7 @@ else
+     /* This case is highly unlikely since we just recently
+     freed a lot of memory. Not impossible though. */
+     sljit_free_code(executable_func);
+-    PRIV(jit_free_rodata)(common->read_only_data_head, compiler->allocator_data);
+    PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data);
+     return PCRE2_ERROR_NOMEMORY;
+     }
+   memset(functions, 0, sizeof(executable_functions));
+-- 
+2.21.0
+
--- a/pcre2.spec
+++ b/pcre2.spec
@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.33
-Release:    %{?rcversion:0.}14%{?rcversion:.%rcversion}%{?dist}
+Release:    %{?rcversion:0.}15%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@ -97,6 +97,9 @@ Patch15:    pcre2-10.33-Fix-bug-introduced-in-commit-1133.-Lookbehinds-that-.pat
 # Fix a crash in JIT match when a subject has a zero length and an invalid
 # pointer, upstream bug #2440, in upstream after 10.33
 Patch16:    pcre2-10.33-Add-underflow-check-in-JIT.patch
+# Fix a use after free when freeing JIT memory, upstream bug #2453,
+# in upstream after 10.33
+Patch17:    pcre2-10.33-Fix-use-after-free-and-compilation-error-in-JIT.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@ -191,6 +194,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@ -289,6 +293,9 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*

 %changelog
+* Tue Oct 29 2019 Petr Pisar <ppisar@redhat.com> - 10.33-15
+- Fix a use after free when freeing JIT memory (upstream bug #2453)
+
 * Mon Sep 09 2019 Petr Pisar <ppisar@redhat.com> - 10.33-14
 - Fix a crash in JIT match when a subject has a zero length and an invalid
  pointer (upstream bug #2440)