Fix an early fail optimization with character ranges and a buffer overread in JIT

2020-07-15 09:45:34 +02:00 · 2020-07-15 09:45:34 +02:00 · a85bd9b307
commit a85bd9b307
parent 011f6e20f2
2 changed files with 120 additions and 0 deletions
--- a/pcre2-10.35-Fix-an-early-fail-optimization-issue-and-a-buffer-ov.patch
+++ b/pcre2-10.35-Fix-an-early-fail-optimization-issue-and-a-buffer-ov.patch
@ -0,0 +1,114 @@
+From 938cca6343300495c67461c08f4732f098a7ce30 Mon Sep 17 00:00:00 2001
+From: zherczeg <zherczeg@6239d852-aaf2-0410-a92c-79f79f948069>
+Date: Wed, 15 Jul 2020 04:35:32 +0000
+Subject: [PATCH] Fix an early fail optimization issue and a buffer overread in
+ JIT.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1267 6239d852-aaf2-0410-a92c-79f79f948069
+Petr Písař: Ported to 10.35.
+---
+ src/pcre2_jit_compile.c | 24 ++++++++++++------------
+ src/pcre2_jit_test.c    |  1 +
+
+diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
+index 7c5d63b..2bd4275 100644
+--- a/src/pcre2_jit_compile.c
+++ b/src/pcre2_jit_compile.c
+@@ -1466,9 +1466,9 @@ do
+         default:
+         accelerated_start = NULL;
+         fast_forward_allowed = FALSE;
+-        break;
+        continue;
+         }
+-      continue;
+      break;
+ 
+       case OP_ONCE:
+       case OP_BRA:
+@@ -1834,57 +1834,57 @@ while (cc < ccend)
+     case OP_BRAZERO:
+     case OP_BRAMINZERO:
+     case OP_BRAPOSZERO:
+-    repeat_check = FALSE;
+     size = 1;
+    repeat_check = FALSE;
+     break;
+ 
+     CASE_ITERATOR_PRIVATE_DATA_1
+-    space = 1;
+     size = -2;
+    space = 1;
+     break;
+ 
+     CASE_ITERATOR_PRIVATE_DATA_2A
+-    space = 2;
+     size = -2;
+    space = 2;
+     break;
+ 
+     CASE_ITERATOR_PRIVATE_DATA_2B
+-    space = 2;
+     size = -(2 + IMM2_SIZE);
+    space = 2;
+     break;
+ 
+     CASE_ITERATOR_TYPE_PRIVATE_DATA_1
+-    space = 1;
+     size = 1;
+    space = 1;
+     break;
+ 
+     CASE_ITERATOR_TYPE_PRIVATE_DATA_2A
+    size = 1;
+     if (cc[1] != OP_ANYNL && cc[1] != OP_EXTUNI)
+       space = 2;
+-    size = 1;
+     break;
+ 
+     case OP_TYPEUPTO:
+    size = 1 + IMM2_SIZE;
+     if (cc[1 + IMM2_SIZE] != OP_ANYNL && cc[1 + IMM2_SIZE] != OP_EXTUNI)
+       space = 2;
+-    size = 1 + IMM2_SIZE;
+     break;
+ 
+     case OP_TYPEMINUPTO:
+-    space = 2;
+     size = 1 + IMM2_SIZE;
+    space = 2;
+     break;
+ 
+     case OP_CLASS:
+     case OP_NCLASS:
+-    space = get_class_iterator_size(cc + size);
+     size = 1 + 32 / sizeof(PCRE2_UCHAR);
+    space = get_class_iterator_size(cc + size);
+     break;
+ 
+ #if defined SUPPORT_UNICODE || PCRE2_CODE_UNIT_WIDTH != 8
+     case OP_XCLASS:
+-    space = get_class_iterator_size(cc + size);
+     size = GET(cc, 1);
+    space = get_class_iterator_size(cc + size);
+     break;
+ #endif
+ 
+diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
+index 16dade7..b7856ad 100644
+--- a/src/pcre2_jit_test.c
+++ b/src/pcre2_jit_test.c
+@@ -350,6 +350,7 @@ static struct regression_test_case regression_test_cases[] = {
+ 	{ MU, A, 0, 0, ".[ab]*.", "xx" },
+ 	{ MU, A, 0, 0, ".[ab]*a", "xxa" },
+ 	{ MU, A, 0, 0, ".[ab]?.", "xx" },
+	{ MU, A, 0, 0, "_[ab]+_*a", "_aa" },
+ 
+ 	/* Bracket repeats with limit. */
+ 	{ MU, A, 0, 0, "(?:(ab){2}){5}M", "abababababababababababM" },
+-- 
+2.25.4
+
--- a/pcre2.spec
+++ b/pcre2.spec
@ -64,6 +64,9 @@ Patch3:     pcre2-10.35-Fix-inifinite-loop-when-a-single-byte-newline-is-sea.pat
 # a single-digit minor number at the end of a regular expression,
 # ClusterFuzz #23779, in upstream after 10.35
 Patch4:     pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch
+# Fix an early fail optimization with character ranges and a buffer overread
+# in JIT, upstream bug #2621, in upstream after 10.35
+Patch5:     pcre2-10.35-Fix-an-early-fail-optimization-issue-and-a-buffer-ov.patch
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  coreutils
@ -159,6 +162,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 # Because of multilib patch
 libtoolize --copy --force
 autoreconf -vif
@ -276,6 +280,8 @@ make %{?_smp_mflags} check VERBOSE=yes
 - Fix a buffer overread when parsing an unterminated VERSION condition with
  a single-digit minor number at the end of a regular expression
  (ClusterFuzz #23779)
+- Fix an early fail optimization with character ranges and a buffer overread
+  in JIT (upstream bug #2621)

 * Tue Jun 02 2020 Petr Pisar <ppisar@redhat.com> - 10.35-3
 - Fix an infinite loop when a single-byte newline is search in JIT if an