From 9c0409094995300df0913b0d4ed7b53de8efe983 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Thu, 1 Nov 2018 11:48:49 +0100
Subject: [PATCH] Fix heap limit checking overflow in pcre2_dfa_match()
---
 ...hecking-overflow-bug-in-pcre2_dfa_ma.patch | 67 +++++++++++++++++++
 pcre2.spec | 5 ++
 2 files changed, 72 insertions(+)
 create mode 100644 pcre2-10.32-Fix-heap-limit-checking-overflow-bug-in-pcre2_dfa_ma.patch
diff --git a/pcre2-10.32-Fix-heap-limit-checking-overflow-bug-in-pcre2_dfa_ma.patch b/pcre2-10.32-Fix-heap-limit-checking-overflow-bug-in-pcre2_dfa_ma.patch
new file mode 100644
index 0000000..cc3764a
--- /dev/null
+++ b/pcre2-10.32-Fix-heap-limit-checking-overflow-bug-in-pcre2_dfa_ma.patch
@@ -0,0 +1,67 @@
+From 18ee5a9d3779f5e8ee3142326dd65ae75b22bb0b Mon Sep 17 00:00:00 2001
+From: ph10
+Date: Mon, 22 Oct 2018 16:47:55 +0000
+Subject: [PATCH] Fix heap limit checking overflow bug in pcre2_dfa_match().
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1034 6239d852-aaf2-0410-a92c-79f79f948069
+
+Petr Písař: Ported to 10.32.
+
+Signed-off-by: Petr Písař
+---
+ src/pcre2_dfa_match.c | 22 +++++++++++++---------
+ 1 file changed, 13 insertions(+), 9 deletions(-)
+
+diff --git a/src/pcre2_dfa_match.c b/src/pcre2_dfa_match.c
+index 9b43237..818004d 100644
+--- a/src/pcre2_dfa_match.c
++++ b/src/pcre2_dfa_match.c
+@@ -316,8 +316,8 @@ finding the minimum heap requirement for a match. */
+
+ typedef struct RWS_anchor {
+ struct RWS_anchor *next;
+- unsigned int size; /* Number of ints */
+- unsigned int free; /* Number of ints */
++ uint32_t size; /* Number of ints */
++ uint32_t free; /* Number of ints */
+ } RWS_anchor;
+
+ #define RWS_ANCHOR_SIZE (sizeof(RWS_anchor)/sizeof(int))
+@@ -413,20 +413,24 @@ if (rws->next != NULL)
+ new = rws->next;
+ }
+
+-/* All sizes are in units of sizeof(int), except for mb->heaplimit, which is in
+kibibytes. */
++/* Sizes in the RWS_anchor blocks are in units of sizeof(int), but
++mb->heap_limit and mb->heap_used are in kibibytes. Play carefully, to avoid
++overflow. */
+
+ else
+ {
+- unsigned int newsize = rws->size * 2;
+- unsigned int heapleft = (unsigned int)
+ (((1024/sizeof(int))*mb->heap_limit - mb->heap_used));
+- if (newsize > heapleft) newsize = heapleft;
++ uint32_t newsize = (rws->size >= UINT32_MAX/2)? UINT32_MAX/2 : rws->size * 2;
++ uint32_t newsizeK = newsize/(1024/sizeof(int));
++
++ if (newsizeK + mb->heap_used > mb->heap_limit)
++ newsizeK = mb->heap_limit - mb->heap_used;
++ newsize = newsizeK*(1024/sizeof(int));
++
+ if (newsize < RWS_RSIZE + ovecsize + RWS_ANCHOR_SIZE)
+ return PCRE2_ERROR_HEAPLIMIT;
+ new = mb->memctl.malloc(newsize*sizeof(int), mb->memctl.memory_data);
+ if (new == NULL) return PCRE2_ERROR_NOMEMORY;
+- mb->heap_used += newsize;
++ mb->heap_used += newsizeK;
+ new->next = NULL;
+ new->size = newsize;
+ rws->next = new;
+--
+2.17.2
+
diff --git a/pcre2.spec b/pcre2.spec
index 90f436d..cd9860b 100644
--- a/pcre2.spec
+++ b/pcre2.spec
@@ -59,6 +59,9 @@ Patch2: pcre2-10.32-Fix-an-xclass-matching-issue-in-JIT.patch
 # Fix matching a zero-repeated subroutine call at a start of a pattern,
 # upstream bug #2332, in upstream after 10.32
 Patch3: pcre2-10.32-Fix-zero-repeated-subroutine-call-at-start-of-patter.patch
+# Fix heap limit checking overflow in pcre2_dfa_match(), upstream bug #2334,
+# in upstream after 10.32
+Patch4: pcre2-10.32-Fix-heap-limit-checking-overflow-bug-in-pcre2_dfa_ma.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: coreutils
@@ -138,6 +141,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@@ -242,6 +246,7 @@ make %{?_smp_mflags} check VERBOSE=yes
 * Thu Nov 01 2018 Petr Pisar - 10.32-4
 - Fix matching a zero-repeated subroutine call at a start of a pattern
 (upstream bug #2332)
+- Fix heap limit checking overflow in pcre2_dfa_match() (upstream bug #2334)
 * Mon Sep 24 2018 Petr Pisar - 10.32-3
 - Fix caseless matching an extended class in JIT mode (upstream bug #2321)
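Review bot: The round trip through kibibytes silently rounds the growth step down — `newsizeK = newsize/(1024/sizeof(int))` truncates and `newsize = newsizeK*(1024/sizeof(int))` then makes the new block a whole number of KiB rather than exactly `rws->size * 2`, so a doubled size below one kibibyte becomes `newsize == 0` and fails the `RWS_RSIZE + ovecsize + RWS_ANCHOR_SIZE` check as PCRE2_ERROR_HEAPLIMIT; the replacement comment should state this instead of "Play carefully", e.g. `/* newsize is rounded down to whole kibibytes so that heap_used stays exact. */`. The doubling is capped at `UINT32_MAX/2`, but the `newsize*sizeof(int)` passed to mb->memctl.malloc has no guard, and on a target where size_t is 32 bits a newsize near that cap wraps to an undersized allocation that `new->size` then describes as large; this looks unreachable in practice because a block of half that size would have had to be allocated first, yet `if (newsize > SIZE_MAX/sizeof(int)) return PCRE2_ERROR_NOMEMORY;` before the allocation would make the invariant explicit and cheap to audit. The types of mb->heap_used and mb->heap_limit are not visible here, so whether `newsizeK + mb->heap_used` can itself wrap before the comparison should be confirmed against the struct definition. The enclosing function starts and ends outside the hunk.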