Fix a recursion in compiling an expression with a lookbehind within a lookahead

pcre2-10.33-Fix-bug-in-recent-patch-for-lookbehinds-within-looka.patch

@@ -0,0 +1,114 @@
+From 007b635b6788f8317747842b02f9c85137277c20 Mon Sep 17 00:00:00 2001
+From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Thu, 18 Jul 2019 17:20:29 +0000
+Subject: [PATCH] Fix bug in recent patch for lookbehinds within lookaheads.
+ Fixes ClusterFuzz 15933.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1138 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.33.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ src/pcre2_compile.c  | 22 +++++++++++++---------
+ testdata/testinput2  |  3 +++
+ testdata/testoutput2 |  4 ++++
+ 3 files changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
+index 2ae95ed..b68c154 100644
+--- a/src/pcre2_compile.c
++++ b/src/pcre2_compile.c
+@@ -136,7 +136,8 @@ static BOOL
+     compile_block *);
+ 
+ static int
+-  check_lookbehinds(uint32_t *, uint32_t **, compile_block *);
++  check_lookbehinds(uint32_t *, uint32_t **, parsed_recurse_check *,
++    compile_block *);
+ 
+ 
+ /*************************************************
+@@ -9004,7 +9005,7 @@ for (;; pptr++)
+ 
+     case META_LOOKAHEAD:
+     case META_LOOKAHEADNOT:
+-    *errcodeptr = check_lookbehinds(pptr + 1, &pptr, cb);
++    *errcodeptr = check_lookbehinds(pptr + 1, &pptr, recurses, cb);
+     if (*errcodeptr != 0) return -1;
+ 
+     /* Ignore any qualifiers that follow a lookahead assertion. */
+@@ -9326,15 +9327,17 @@ order to process any lookbehinds that they may contain. It stops when it hits a
+ non-nested closing parenthesis in this case, returning a pointer to it.
+ 
+ Arguments
+-  pptr    points to where to start (start of pattern or start of lookahead)
+-  retptr  if not NULL, return the ket pointer here
+-  cb      points to the compile block
++  pptr      points to where to start (start of pattern or start of lookahead)
++  retptr    if not NULL, return the ket pointer here
++  recurses  chain of recurse_check to catch mutual recursion 
++  cb        points to the compile block
+ 
+-Returns:  0 on success, or an errorcode (cb->erroroffset will be set)
++Returns:    0 on success, or an errorcode (cb->erroroffset will be set)
+ */
+ 
+ static int
+-check_lookbehinds(uint32_t *pptr, uint32_t **retptr, compile_block *cb)
++check_lookbehinds(uint32_t *pptr, uint32_t **retptr, 
++  parsed_recurse_check *recurses, compile_block *cb)
+ {
+ int errorcode = 0;
+ int loopcount = 0;
+@@ -9449,7 +9452,8 @@ for (; *pptr != META_END; pptr++)
+ 
+     case META_LOOKBEHIND:
+     case META_LOOKBEHINDNOT:
+-    if (!set_lookbehind_lengths(&pptr, &errorcode, &loopcount, NULL, cb))
++    if (!set_lookbehind_lengths(&pptr, &errorcode, &loopcount,
++         recurses, cb))
+       return errorcode;
+     break;
+     }
+@@ -9899,7 +9903,7 @@ lengths. */
+ 
+ if (has_lookbehind)
+   {
+-  errorcode = check_lookbehinds(cb.parsed_pattern, NULL, &cb);
++  errorcode = check_lookbehinds(cb.parsed_pattern, NULL, NULL, &cb);
+   if (errorcode != 0) goto HAD_CB_ERROR;
+   }
+ 
+diff --git a/testdata/testinput2 b/testdata/testinput2
+index d85fc5f..1bfe591 100644
+--- a/testdata/testinput2
++++ b/testdata/testinput2
+@@ -5600,4 +5600,7 @@ a)"xI
+ /(?<=(?=.(?<=x)))/
+     ab\=ph
+ 
++# Expect error (recursion => not fixed length)
++/(\2)((?=(?<=\1)))/
++
+ # End of testinput2
+diff --git a/testdata/testoutput2 b/testdata/testoutput2
+index 6405e26..758b4db 100644
+--- a/testdata/testoutput2
++++ b/testdata/testoutput2
+@@ -16952,6 +16952,10 @@ Failed: error 187 at offset 10: lookbehind assertion is too long
+     ab\=ph
+ No match
+ 
++# Expect error (recursion => not fixed length)
++/(\2)((?=(?<=\1)))/
++Failed: error 125 at offset 8: lookbehind assertion is not fixed length
++
+ # End of testinput2
+ Error -70: PCRE2_ERROR_BADDATA (unknown error number)
+ Error -62: bad serialized data
+-- 
+2.20.1
+

pcre2.spec

@@ -9,7 +9,7 @@
 #%%global rcversion RC1
 Name:       pcre2
 Version:    10.33
-Release:    %{?rcversion:0.}8%{?rcversion:.%rcversion}%{?dist}
+Release:    %{?rcversion:0.}9%{?rcversion:.%rcversion}%{?dist}
 %global     myversion %{version}%{?rcversion:-%rcversion}
 Summary:    Perl-compatible regular expression library
 # the library:                          BSD with exceptions
@@ -77,9 +77,12 @@ Patch9:     pcre2-10.33-Check-for-integer-overflow-when-computing-lookbehind.pat
 # 2/2 Fix an integer overflow when checking a lookbehind length,
 # in upstream after 10.33
 Patch10:    pcre2-10.33-Additional-overflow-test.patch
-# Fix a mismatch with a lookbehind within a lookahead within a lookbehind,
+# 1/2 Fix a mismatch with a lookbehind within a lookahead within a lookbehind,
 # upstream bug #2412, in upstream after 10.33
 Patch11:    pcre2-10.33-Fix-lookbehind-within-lookahead-within-lookbehind-mi.patch
+# 2/2 Fix a mismatch with a lookbehind within a lookahead within a lookbehind,
+# upstream bug #2412, in upstream after 10.33
+Patch12:    pcre2-10.33-Fix-bug-in-recent-patch-for-lookbehinds-within-looka.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@@ -167,6 +170,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@@ -265,6 +269,10 @@ make %{?_smp_mflags} check VERBOSE=yes
 %{_mandir}/man1/pcre2test.*
 
 %changelog
+* Mon Jul 22 2019 Petr Pisar <ppisar@redhat.com> - 10.33-9
+- Fix a recursion in compiling an expression with a lookbehind within a
+  lookahead (upstream bug #2412)
+
 * Wed Jul 17 2019 Petr Pisar <ppisar@redhat.com> - 10.33-8
 - Fix a mismatch with a lookbehind within a lookahead within a lookbehind
   (upstream bug #2412)