rpms/pcre2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix heap limit checking overflow in pcre2_dfa_match()

Browse Source
This commit is contained in:
Petr Písař 2018-11-01 11:48:49 +01:00
parent 3760442647
commit 9c04090949
2 changed files with 72 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

67
pcre2-10.32-Fix-heap-limit-checking-overflow-bug-in-pcre2_dfa_ma.patch Normal file
View File

@ -0,0 +1,67 @@
From 18ee5a9d3779f5e8ee3142326dd65ae75b22bb0b Mon Sep 17 00:00:00 2001
From: ph10 <ph10@6239d852-aaf2-0410-a92c-79f79f948069>
Date: Mon, 22 Oct 2018 16:47:55 +0000
Subject: [PATCH] Fix heap limit checking overflow bug in pcre2_dfa_match().
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1034 6239d852-aaf2-0410-a92c-79f79f948069
Petr Písař: Ported to 10.32.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
src/pcre2_dfa_match.c | 22 +++++++++++++---------
1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/pcre2_dfa_match.c b/src/pcre2_dfa_match.c
index 9b43237..818004d 100644
--- a/src/pcre2_dfa_match.c
+++ b/src/pcre2_dfa_match.c
@@ -316,8 +316,8 @@ finding the minimum heap requirement for a match. */
typedef struct RWS_anchor {
struct RWS_anchor *next;
- unsigned int size; /* Number of ints */
- unsigned int free; /* Number of ints */
+ uint32_t size; /* Number of ints */
+ uint32_t free; /* Number of ints */
} RWS_anchor;
#define RWS_ANCHOR_SIZE (sizeof(RWS_anchor)/sizeof(int))
@@ -413,20 +413,24 @@ if (rws->next != NULL)
new = rws->next;
}
-/* All sizes are in units of sizeof(int), except for mb->heaplimit, which is in
-kibibytes. */
+/* Sizes in the RWS_anchor blocks are in units of sizeof(int), but
+mb->heap_limit and mb->heap_used are in kibibytes. Play carefully, to avoid
+overflow. */
else
{
- unsigned int newsize = rws->size * 2;
- unsigned int heapleft = (unsigned int)
- (((1024/sizeof(int))*mb->heap_limit - mb->heap_used));
- if (newsize > heapleft) newsize = heapleft;
+ uint32_t newsize = (rws->size >= UINT32_MAX/2)? UINT32_MAX/2 : rws->size * 2;
+ uint32_t newsizeK = newsize/(1024/sizeof(int));
+
+ if (newsizeK + mb->heap_used > mb->heap_limit)
+ newsizeK = mb->heap_limit - mb->heap_used;
+ newsize = newsizeK*(1024/sizeof(int));
+
if (newsize < RWS_RSIZE + ovecsize + RWS_ANCHOR_SIZE)
return PCRE2_ERROR_HEAPLIMIT;
new = mb->memctl.malloc(newsize*sizeof(int), mb->memctl.memory_data);
if (new == NULL) return PCRE2_ERROR_NOMEMORY;
- mb->heap_used += newsize;
+ mb->heap_used += newsizeK;
new->next = NULL;
new->size = newsize;
rws->next = new;
--
2.17.2

5
pcre2.spec
View File

@ -59,6 +59,9 @@ Patch2: pcre2-10.32-Fix-an-xclass-matching-issue-in-JIT.patch
# Fix matching a zero-repeated subroutine call at a start of a pattern,
# upstream bug #2332, in upstream after 10.32
Patch3: pcre2-10.32-Fix-zero-repeated-subroutine-call-at-start-of-patter.patch
# Fix heap limit checking overflow in pcre2_dfa_match(), upstream bug #2334,
# in upstream after 10.32
Patch4: pcre2-10.32-Fix-heap-limit-checking-overflow-bug-in-pcre2_dfa_ma.patch
BuildRequires: autoconf
BuildRequires: automake
BuildRequires: coreutils
@ -138,6 +141,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
# Because of multilib patch
libtoolize --copy --force
autoreconf -vif
@ -242,6 +246,7 @@ make %{?_smp_mflags} check VERBOSE=yes
* Thu Nov 01 2018 Petr Pisar <ppisar@redhat.com> - 10.32-4
- Fix matching a zero-repeated subroutine call at a start of a pattern
(upstream bug #2332)
- Fix heap limit checking overflow in pcre2_dfa_match() (upstream bug #2334)
* Mon Sep 24 2018 Petr Pisar <ppisar@redhat.com> - 10.32-3
- Fix caseless matching an extended class in JIT mode (upstream bug #2321)