From 78199ab566890c6fec0e3b1bc85312db47e442fe Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= Date: Mon, 6 May 2019 13:16:15 +0200 Subject: [PATCH] Validate number of capturing parentheses --- ...k-on-the-number-of-capturing-parenth.patch | 174 ++++++++++++++++++ pcre2.spec | 8 +- 2 files changed, 181 insertions(+), 1 deletion(-) create mode 100644 pcre2-10.33-Implement-a-check-on-the-number-of-capturing-parenth.patch diff --git a/pcre2-10.33-Implement-a-check-on-the-number-of-capturing-parenth.patch b/pcre2-10.33-Implement-a-check-on-the-number-of-capturing-parenth.patch new file mode 100644 index 0000000..50813d8 --- /dev/null +++ b/pcre2-10.33-Implement-a-check-on-the-number-of-capturing-parenth.patch @@ -0,0 +1,174 @@ +From a38f1e7eb827408133178ffac9987157d82edaa2 Mon Sep 17 00:00:00 2001 +From: ph10 +Date: Mon, 22 Apr 2019 12:39:38 +0000 +Subject: [PATCH] Implement a check on the number of capturing parentheses, + which for some reason has never existed. This fixes ClusterFuzz issue 14376. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1088 6239d852-aaf2-0410-a92c-79f79f948069 +Petr Pisar: Ported to 10.33. + + src/pcre2.h.in | 1 + + src/pcre2_compile.c | 12 +++++++++++- + src/pcre2_error.c | 1 + + testdata/testinput11 | 2 ++ + testdata/testinput2 | 4 ++++ + testdata/testinput9 | 2 ++ + testdata/testoutput11-16 | 3 +++ + testdata/testoutput11-32 | 2 ++ + testdata/testoutput2 | 6 ++++++ + testdata/testoutput9 | 3 +++ + +diff --git a/src/pcre2.h.in b/src/pcre2.h.in +index 9415d70..29f3688 100644 +--- a/src/pcre2.h.in ++++ b/src/pcre2.h.in +@@ -305,6 +305,7 @@ pcre2_pattern_convert(). */ + #define PCRE2_ERROR_INVALID_HYPHEN_IN_OPTIONS 194 + #define PCRE2_ERROR_ALPHA_ASSERTION_UNKNOWN 195 + #define PCRE2_ERROR_SCRIPT_RUN_NOT_AVAILABLE 196 ++#define PCRE2_ERROR_TOO_MANY_CAPTURES 197 + + + /* "Expected" matching error codes: no match and partial match. */ +diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c +index 068735a..cd6fbea 100644 +--- a/src/pcre2_compile.c ++++ b/src/pcre2_compile.c +@@ -781,7 +781,7 @@ enum { ERR0 = COMPILE_ERROR_BASE, + ERR61, ERR62, ERR63, ERR64, ERR65, ERR66, ERR67, ERR68, ERR69, ERR70, + ERR71, ERR72, ERR73, ERR74, ERR75, ERR76, ERR77, ERR78, ERR79, ERR80, + ERR81, ERR82, ERR83, ERR84, ERR85, ERR86, ERR87, ERR88, ERR89, ERR90, +- ERR91, ERR92, ERR93, ERR94, ERR95, ERR96 }; ++ ERR91, ERR92, ERR93, ERR94, ERR95, ERR96, ERR97 }; + + /* This is a table of start-of-pattern options such as (*UTF) and settings such + as (*LIMIT_MATCH=nnnn) and (*CRLF). For completeness and backward +@@ -3611,6 +3611,11 @@ while (ptr < ptrend) + nest_depth++; + if ((options & PCRE2_NO_AUTO_CAPTURE) == 0) + { ++ if (cb->bracount >= MAX_GROUP_NUMBER) ++ { ++ errorcode = ERR97; ++ goto FAILED; ++ } + cb->bracount++; + *parsed_pattern++ = META_CAPTURE | cb->bracount; + } +@@ -4435,6 +4440,11 @@ while (ptr < ptrend) + /* We have a name for this capturing group. It is also assigned a number, + which is its primary means of identification. */ + ++ if (cb->bracount >= MAX_GROUP_NUMBER) ++ { ++ errorcode = ERR97; ++ goto FAILED; ++ } + cb->bracount++; + *parsed_pattern++ = META_CAPTURE | cb->bracount; + nest_depth++; +diff --git a/src/pcre2_error.c b/src/pcre2_error.c +index 1d02cf1..5517e74 100644 +--- a/src/pcre2_error.c ++++ b/src/pcre2_error.c +@@ -184,6 +184,7 @@ static const unsigned char compile_error_texts[] = + /* 95 */ + "(*alpha_assertion) not recognized\0" + "script runs require Unicode support, which this version of PCRE2 does not have\0" ++ "too many capturing groups (maximum 65535)\0" + ; + + /* Match-time and UTF error texts are in the same format. */ +diff --git a/testdata/testinput11 b/testdata/testinput11 +index 2d267d6..fca6042 100644 +--- a/testdata/testinput11 ++++ b/testdata/testinput11 +@@ -368,4 +368,6 @@ + abÿAz + ab\x{80000041}z + ++/\[()]{65535}/expand ++ + # End of testinput11 +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 9e59b62..8a98f94 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -5587,4 +5587,8 @@ a)"xI + \= Expect error message + abc\=null_context + ++/\[()]{65535}()/expand ++ ++/\[()]{65535}(?)/expand ++ + # End of testinput2 +diff --git a/testdata/testinput9 b/testdata/testinput9 +index 7be4b15..792d610 100644 +--- a/testdata/testinput9 ++++ b/testdata/testinput9 +@@ -260,4 +260,6 @@ + + /(*:*++++++++++++''''''''''''''''''''+''+++'+++x+++++++++++++++++++++++++++++++++++(++++++++++++++++++++:++++++%++:''''''''''''''''''''''''+++++++++++++++++++++++++++++++++++++++++++++++++++++-++++++++k+++++++''''+++'+++++++++++++++++++++++''''++++++++++++':Æ¿)/ + ++/\[()]{65535}/expand ++ + # End of testinput9 +diff --git a/testdata/testoutput11-16 b/testdata/testoutput11-16 +index 78bf7fb..f2b9637 100644 +--- a/testdata/testoutput11-16 ++++ b/testdata/testoutput11-16 +@@ -661,4 +661,7 @@ Subject length lower bound = 1 + abÿAz + ab\x{80000041}z + ++/\[()]{65535}/expand ++Failed: error 120 at offset 131070: regular expression is too large ++ + # End of testinput11 +diff --git a/testdata/testoutput11-32 b/testdata/testoutput11-32 +index 4b00384..1908ab7 100644 +--- a/testdata/testoutput11-32 ++++ b/testdata/testoutput11-32 +@@ -667,4 +667,6 @@ Subject length lower bound = 1 + ab\x{80000041}z + 0: ab\x{80000041}z + ++/\[()]{65535}/expand ++ + # End of testinput11 +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index 2f91c38..158fbad 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -16934,6 +16934,12 @@ Subject length lower bound = 0 + abc\=null_context + ** Replacement callouts are not supported with null_context. + ++/\[()]{65535}()/expand ++Failed: error 197 at offset 131071: too many capturing groups (maximum 65535) ++ ++/\[()]{65535}(?)/expand ++Failed: error 197 at offset 131075: too many capturing groups (maximum 65535) ++ + # End of testinput2 + Error -70: PCRE2_ERROR_BADDATA (unknown error number) + Error -62: bad serialized data +diff --git a/testdata/testoutput9 b/testdata/testoutput9 +index f98f276..f66ca3d 100644 +--- a/testdata/testoutput9 ++++ b/testdata/testoutput9 +@@ -367,4 +367,7 @@ Failed: error 134 at offset 14: character code point value in \x{} or \o{} is to + /(*:*++++++++++++''''''''''''''''''''+''+++'+++x+++++++++++++++++++++++++++++++++++(++++++++++++++++++++:++++++%++:''''''''''''''''''''''''+++++++++++++++++++++++++++++++++++++++++++++++++++++-++++++++k+++++++''''+++'+++++++++++++++++++++++''''++++++++++++':Æ¿)/ + Failed: error 176 at offset 259: name is too long in (*MARK), (*PRUNE), (*SKIP), or (*THEN) + ++/\[()]{65535}/expand ++Failed: error 120 at offset 131070: regular expression is too large ++ + # End of testinput9 +-- +2.20.1 + diff --git a/pcre2.spec b/pcre2.spec index b615d1e..0c46ac5 100644 --- a/pcre2.spec +++ b/pcre2.spec @@ -9,7 +9,7 @@ #%%global rcversion RC1 Name: pcre2 Version: 10.33 -Release: %{?rcversion:0.}1%{?rcversion:.%rcversion}%{?dist} +Release: %{?rcversion:0.}2%{?rcversion:.%rcversion}%{?dist} %global myversion %{version}%{?rcversion:-%rcversion} Summary: Perl-compatible regular expression library # the library: BSD with exceptions @@ -49,6 +49,8 @@ URL: http://www.pcre.org/ Source: ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/%{?rcversion:Testing/}%{name}-%{myversion}.tar.bz2 # Do no set RPATH if libdir is not /usr/lib Patch0: pcre2-10.10-Fix-multilib.patch +# Validate number of capturing parentheses, in upstream after 10.33 +Patch1: pcre2-10.33-Implement-a-check-on-the-number-of-capturing-parenth.patch BuildRequires: autoconf BuildRequires: automake BuildRequires: coreutils @@ -125,6 +127,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test. %prep %setup -q -n %{name}-%{myversion} %patch0 -p1 +%patch1 -p1 # Because of multilib patch libtoolize --copy --force autoreconf -vif @@ -223,6 +226,9 @@ make %{?_smp_mflags} check VERBOSE=yes %{_mandir}/man1/pcre2test.* %changelog +* Mon May 06 2019 Petr Pisar - 10.33-2 +- Validate number of capturing parentheses + * Tue Apr 16 2019 Petr Pisar - 10.33-1 - 10.33 bump