rpms/pcre2
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix an early fail optimization with character ranges and a buffer overread in JIT

Browse Source
This commit is contained in:
Petr Písař 2020-07-15 09:45:34 +02:00
parent 011f6e20f2
commit a85bd9b307
2 changed files with 120 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

114
pcre2-10.35-Fix-an-early-fail-optimization-issue-and-a-buffer-ov.patch Normal file
View File

@ -0,0 +1,114 @@
From 938cca6343300495c67461c08f4732f098a7ce30 Mon Sep 17 00:00:00 2001
From: zherczeg <zherczeg@6239d852-aaf2-0410-a92c-79f79f948069>
Date: Wed, 15 Jul 2020 04:35:32 +0000
Subject: [PATCH] Fix an early fail optimization issue and a buffer overread in
JIT.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1267 6239d852-aaf2-0410-a92c-79f79f948069
Petr Písař: Ported to 10.35.
---
src/pcre2_jit_compile.c | 24 ++++++++++++------------
src/pcre2_jit_test.c | 1 +
diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
index 7c5d63b..2bd4275 100644
--- a/src/pcre2_jit_compile.c
+++ b/src/pcre2_jit_compile.c
@@ -1466,9 +1466,9 @@ do
default:
accelerated_start = NULL;
fast_forward_allowed = FALSE;
- break;
+ continue;
}
- continue;
+ break;
case OP_ONCE:
case OP_BRA:
@@ -1834,57 +1834,57 @@ while (cc < ccend)
case OP_BRAZERO:
case OP_BRAMINZERO:
case OP_BRAPOSZERO:
- repeat_check = FALSE;
size = 1;
+ repeat_check = FALSE;
break;
CASE_ITERATOR_PRIVATE_DATA_1
- space = 1;
size = -2;
+ space = 1;
break;
CASE_ITERATOR_PRIVATE_DATA_2A
- space = 2;
size = -2;
+ space = 2;
break;
CASE_ITERATOR_PRIVATE_DATA_2B
- space = 2;
size = -(2 + IMM2_SIZE);
+ space = 2;
break;
CASE_ITERATOR_TYPE_PRIVATE_DATA_1
- space = 1;
size = 1;
+ space = 1;
break;
CASE_ITERATOR_TYPE_PRIVATE_DATA_2A
+ size = 1;
if (cc[1] != OP_ANYNL && cc[1] != OP_EXTUNI)
space = 2;
- size = 1;
break;
case OP_TYPEUPTO:
+ size = 1 + IMM2_SIZE;
if (cc[1 + IMM2_SIZE] != OP_ANYNL && cc[1 + IMM2_SIZE] != OP_EXTUNI)
space = 2;
- size = 1 + IMM2_SIZE;
break;
case OP_TYPEMINUPTO:
- space = 2;
size = 1 + IMM2_SIZE;
+ space = 2;
break;
case OP_CLASS:
case OP_NCLASS:
- space = get_class_iterator_size(cc + size);
size = 1 + 32 / sizeof(PCRE2_UCHAR);
+ space = get_class_iterator_size(cc + size);
break;
#if defined SUPPORT_UNICODE || PCRE2_CODE_UNIT_WIDTH != 8
case OP_XCLASS:
- space = get_class_iterator_size(cc + size);
size = GET(cc, 1);
+ space = get_class_iterator_size(cc + size);
break;
#endif
diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
index 16dade7..b7856ad 100644
--- a/src/pcre2_jit_test.c
+++ b/src/pcre2_jit_test.c
@@ -350,6 +350,7 @@ static struct regression_test_case regression_test_cases[] = {
{ MU, A, 0, 0, ".[ab]*.", "xx" },
{ MU, A, 0, 0, ".[ab]*a", "xxa" },
{ MU, A, 0, 0, ".[ab]?.", "xx" },
+ { MU, A, 0, 0, "_[ab]+_*a", "_aa" },
/* Bracket repeats with limit. */
{ MU, A, 0, 0, "(?:(ab){2}){5}M", "abababababababababababM" },
--
2.25.4

6
pcre2.spec
View File

@ -64,6 +64,9 @@ Patch3: pcre2-10.35-Fix-inifinite-loop-when-a-single-byte-newline-is-sea.pat
# a single-digit minor number at the end of a regular expression, # a single-digit minor number at the end of a regular expression,
# ClusterFuzz #23779, in upstream after 10.35 # ClusterFuzz #23779, in upstream after 10.35
Patch4: pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch Patch4: pcre2-10.35-Fix-read-overflow-for-invalid-VERSION-test-with-one-.patch
# Fix an early fail optimization with character ranges and a buffer overread
# in JIT, upstream bug #2621, in upstream after 10.35
Patch5: pcre2-10.35-Fix-an-early-fail-optimization-issue-and-a-buffer-ov.patch
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
BuildRequires: coreutils BuildRequires: coreutils
@ -159,6 +162,7 @@ Utilities demonstrating PCRE2 capabilities like pcre2grep or pcre2test.
%patch2 -p1 %patch2 -p1
%patch3 -p1 %patch3 -p1
%patch4 -p1 %patch4 -p1
%patch5 -p1
# Because of multilib patch # Because of multilib patch
libtoolize --copy --force libtoolize --copy --force
autoreconf -vif autoreconf -vif
@ -276,6 +280,8 @@ make %{?_smp_mflags} check VERBOSE=yes
- Fix a buffer overread when parsing an unterminated VERSION condition with - Fix a buffer overread when parsing an unterminated VERSION condition with
a single-digit minor number at the end of a regular expression a single-digit minor number at the end of a regular expression
(ClusterFuzz #23779) (ClusterFuzz #23779)
- Fix an early fail optimization with character ranges and a buffer overread
in JIT (upstream bug #2621)
* Tue Jun 02 2020 Petr Pisar <ppisar@redhat.com> - 10.35-3 * Tue Jun 02 2020 Petr Pisar <ppisar@redhat.com> - 10.35-3
- Fix an infinite loop when a single-byte newline is search in JIT if an - Fix an infinite loop when a single-byte newline is search in JIT if an