diff --git a/backport-guard-against-out-of-bounds-memory-access-when-parsi.patch b/backport-guard-against-out-of-bounds-memory-access-when-parsi.patch
new file mode 100644
index 0000000000000000000000000000000000000000..30b728ca858b2b5c5c38bd666b9f952e2b705c43
--- /dev/null
+++ b/backport-guard-against-out-of-bounds-memory-access-when-parsi.patch
@@ -0,0 +1,81 @@
+From ef218fbba60bfe5b0a8ac9ea4445eac5fb0847e5 Mon Sep 17 00:00:00 2001
+From: Alex Dowad
+Date: Sat, 7 Sep 2024 00:16:03 +0900
+Subject: [PATCH 288/363] Guard against out-of-bounds memory access when
+ parsing LIMIT_HEAP et al (#463)
+
+Patterns passed to pcre2_compile are not guaranteed to be
+null-terminated. Also, it can happen that there is an invalid
+pattern like this:
+
+ (*LIMIT_HEAP=123
+
+If the next byte of memory after the end of the pattern happens
+to be a digit, it will be parsed as part of the limit value. Or,
+if the next byte is a right parenthesis character, it will be taken
+as the end of the (*LIMIT_HEAP=nnn) construct.
+
+This will result in `skipatstart` being larger than `patlen`, which
+will result in underflow and an erroneous call to malloc requesting
+a huge number of bytes.
+---
+ src/pcre2_compile.c | 7 ++++---
+ testdata/testoutput15 | 4 ++--
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
+index 235c171..22e005b 100644
+--- a/src/pcre2_compile.c
++++ b/src/pcre2_compile.c
+@@ -10147,12 +10147,12 @@ if ((options & PCRE2_LITERAL) == 0)
+ ptr += pp;
+ goto HAD_EARLY_ERROR;
+ }
+- while (IS_DIGIT(ptr[pp]))
++ while (pp < patlen && IS_DIGIT(ptr[pp]))
+ {
+ if (c > UINT32_MAX / 10 - 1) break; /* Integer overflow */
+ c = c*10 + (ptr[pp++] - CHAR_0);
+ }
+- if (ptr[pp++] != CHAR_RIGHT_PARENTHESIS)
++ if (pp >= patlen || ptr[pp] != CHAR_RIGHT_PARENTHESIS)
+ {
+ errorcode = ERR60;
+ ptr += pp;
+@@ -10161,7 +10161,7 @@ if ((options & PCRE2_LITERAL) == 0)
+ if (p->type == PSO_LIMH) limit_heap = c;
+ else if (p->type == PSO_LIMM) limit_match = c;
+ else limit_depth = c;
+- skipatstart += pp - skipatstart;
++ skipatstart = ++pp;
+ break;
+ }
+ break; /* Out of the table scan loop */
+@@ -10169,6 +10169,7 @@ if ((options & PCRE2_LITERAL) == 0)
+ }
+ if (i >= sizeof(pso_list)/sizeof(pso)) break; /* Out of pso loop */
+ }
++ PCRE2_ASSERT(skipatstart <= patlen);
+ }
+
+ /* 
End of pattern-start options; advance to start of real regex. */
+diff --git a/testdata/testoutput15 b/testdata/testoutput15
+index af0d7c2..da855d3 100644
+--- a/testdata/testoutput15
++++ b/testdata/testoutput15
+@@ -105,10 +105,10 @@ Minimum depth limit = 10
+ 3: ee
+
+ /(*LIMIT_MATCH=12bc)abc/
+-Failed: error 160 at offset 17: (*VERB) not recognized or malformed
++Failed: error 160 at offset 16: (*VERB) not recognized or malformed
+
+ /(*LIMIT_MATCH=4294967290)abc/
+-Failed: error 160 at offset 24: (*VERB) not recognized or malformed
++Failed: error 160 at offset 23: (*VERB) not recognized or malformed
+
+ /(*LIMIT_DEPTH=4294967280)abc/I
+ Capture group count = 0
+--
+2.33.0
+
diff --git a/pcre2.spec b/pcre2.spec
index 1dee8d63a29c6269eec37e85a6ae9cccbceadbf6..86b06b549c6e24e58ac6eac47f1256b8f0bfe645 100644
--- a/pcre2.spec
+++ b/pcre2.spec
@@ -1,6 +1,6 @@
 Name: pcre2
 Version: 10.42
-Release: 10
+Release: 11
 Summary: Perl Compatible Regular Expressions
 License: BSD
 URL: http://www.pcre.org/
@@ -33,6 +33,7 @@ Patch6021: backport-pcre2grep-document-better-possible-multiline-matchin.pat
 Patch6022: backport-Remove-incorrect-optimization-in-DFA-matching-when-p.patch
 Patch6023: backport-Implement-PCRE2_EXTRA_CASELESS_RESTRICT-and-related-.patch
 Patch6024: backport-Additional-PCRE2_EXTRA_ASCII_xxx-code.patch
+Patch6025: backport-guard-against-out-of-bounds-memory-access-when-parsi.patch
 BuildRequires: autoconf libtool automake coreutils gcc make readline-devel
 Obsoletes: pcre2-utf16 pcre2-utf32 pcre2-tools
@@ -150,6 +151,9 @@ make check
 %{_pkgdocdir}/html/
 %changelog
+* Fri Nov 01 2024 xiaozai - 10.42-11
+- DESC:Guard against out-of-bounds memory access when parsing LIMIT_HEAP et al
+
 * Thu Oct 31 2024 xujing - 10.42-10
 - DESC:sync patches to fix grep testcase failed
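Review bot: The added `PCRE2_ASSERT(skipatstart <= patlen);` in the last pcre2_compile.c hunk of the backported patch uses a debug-assert macro that, as far as I can tell, is not present in the 10.42 release this spec builds (`Version: 10.42`); unless one of the earlier Patch60xx backports already defines it, the build will stop on an undeclared identifier. Either carry a definition of `PCRE2_ASSERT` with this patch or drop that one line, since the `pp < patlen` and `pp >= patlen` guards added to the `while` and `if` above already ensure `skipatstart` cannot exceed `patlen`. The `pp++` moved out of the `if` condition into `skipatstart = ++pp;` is why the expected error offsets in the testoutput15 hunk shift by one; it is worth confirming that the 10.42 testdata file still matches this context, since `make check` runs in the spec and the hunk was taken from a newer tree. The enclosing function begins and ends outside the hunk.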