packages/oniguruma
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!4 fix CVE-2019-19012

Browse Source 
From: @wangxiao65
Reviewed-by: @zhanghua1831,@small_leek
Signed-off-by: @small_leek
This commit is contained in:
openeuler-ci-bot 2021-01-05 14:59:00 +08:00 committed by Gitee
commit 0e0973a106
2 changed files with 232 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

227
CVE-2019-19012.patch Normal file
View File

@ -0,0 +1,227 @@
Origin: https://github.com/kkos/oniguruma/commit/0463e21432515631a9bc925ce5eb95b097c73719
Origin: https://github.com/kkos/oniguruma/commit/db64ef3189f54917a5008a02bdb000adc514a90a
Origin: https://github.com/kkos/oniguruma/commit/bfc36d3d8139b8be4d3df630d625c58687b0c7d4
Origin: https://github.com/kkos/oniguruma/commit/778a43dd56925ed58bbe26e3a7bb8202d72c3f3f
Origin: https://github.com/kkos/oniguruma/commit/b6cb7580a7e0c56fc325fe9370b9d34044910aed
Author: K.Kosako <kosako@sofnec.co.jp>
Reviewed-by: Sylvain Beucler <beuc@debian.org>
Last-Update: 2019-11-22
fix #164: Integer overflow related to reg->dmax in search_in_range()
Index: src/regexec.c
===================================================================
--- a/src/regexec.c
+++ b/src/regexec.c
@@ -27,6 +27,7 @@
* SUCH DAMAGE.
*/
#include "regint.h"
+#include <stddef.h>
#define IS_MBC_WORD_ASCII_MODE(enc,s,end,mode) \
((mode) == 0 ? ONIGENC_IS_MBC_WORD(enc,s,end) : ONIGENC_IS_MBC_WORD_ASCII(enc,s,end))
@@ -4367,14 +4368,14 @@ forward_search_range(regex_t* reg, const
#endif
p = s;
- if (reg->dmin > 0) {
+ if (reg->dmin != 0) {
+ if (end - p <= reg->dmin)
+ return 0; /* fail */
if (ONIGENC_IS_SINGLEBYTE(reg->enc)) {
p += reg->dmin;
}
else {
UChar *q = p + reg->dmin;
-
- if (q >= end) return 0; /* fail */
while (p < q) p += enclen(reg->enc, p);
}
}
@@ -4403,7 +4404,7 @@ forward_search_range(regex_t* reg, const
}
if (p && p < range) {
- if (p - reg->dmin < s) {
+ if (p - s < reg->dmin) {
retry_gate:
pprev = p;
p += enclen(reg->enc, p);
@@ -4451,6 +4452,7 @@ forward_search_range(regex_t* reg, const
*low_prev = onigenc_get_prev_char_head(reg->enc,
(pprev ? pprev : str), p);
}
+ *high = p;
}
else {
if (reg->dmax != INFINITE_LEN) {
@@ -4475,9 +4477,12 @@ forward_search_range(regex_t* reg, const
}
}
}
+ /* no needs to adjust *high, *high is used as range check only */
+ if (p - str < reg->dmin)
+ *high = (UChar* )str;
+ else
+ *high = p - reg->dmin;
}
- /* no needs to adjust *high, *high is used as range check only */
- *high = p - reg->dmin;
#ifdef ONIG_DEBUG_SEARCH
fprintf(stderr,
@@ -4500,7 +4505,6 @@ backward_search_range(regex_t* reg, cons
{
UChar *p;
- range += reg->dmin;
p = s;
retry:
@@ -4581,10 +4585,22 @@ backward_search_range(regex_t* reg, cons
}
}
- /* no needs to adjust *high, *high is used as range check only */
if (reg->dmax != INFINITE_LEN) {
- *low = p - reg->dmax;
- *high = p - reg->dmin;
+ if ((ptrdiff_t )(p - str) < (ptrdiff_t )reg->dmax)
+ *low = (UChar* )str;
+ else
+ *low = p - reg->dmax;
+
+ if (reg->dmin != 0) {
+ if ((ptrdiff_t )(p - str) < (ptrdiff_t )reg->dmin)
+ *high = (UChar* )str;
+ else
+ *high = p - reg->dmin;
+ }
+ else {
+ *high = p;
+ }
+
*high = onigenc_get_right_adjust_char_head(reg->enc, adjrange, *high);
}
@@ -4714,13 +4730,16 @@ onig_search_with_param(regex_t* reg, con
goto mismatch_no_msa;
if (range > start) {
- if ((OnigLen )(min_semi_end - start) > reg->anchor_dmax) {
+ if (min_semi_end - start > reg->anchor_dmax) {
start = min_semi_end - reg->anchor_dmax;
if (start < end)
start = onigenc_get_right_adjust_char_head(reg->enc, str, start);
}
- if ((OnigLen )(max_semi_end - (range - 1)) < reg->anchor_dmin) {
- range = max_semi_end - reg->anchor_dmin + 1;
+ if (max_semi_end - (range - 1) < reg->anchor_dmin) {
+ if (max_semi_end - str + 1 < reg->anchor_dmin)
+ goto mismatch_no_msa;
+ else
+ range = max_semi_end - reg->anchor_dmin + 1;
}
if (start > range) goto mismatch_no_msa;
@@ -4728,13 +4747,18 @@ onig_search_with_param(regex_t* reg, con
Backward search is used. */
}
else {
- if ((OnigLen )(min_semi_end - range) > reg->anchor_dmax) {
+ if (min_semi_end - range > reg->anchor_dmax) {
range = min_semi_end - reg->anchor_dmax;
}
- if ((OnigLen )(max_semi_end - start) < reg->anchor_dmin) {
- start = max_semi_end - reg->anchor_dmin;
- start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, start);
+ if (max_semi_end - start < reg->anchor_dmin) {
+ if (max_semi_end - str < reg->anchor_dmin)
+ goto mismatch_no_msa;
+ else {
+ start = max_semi_end - reg->anchor_dmin;
+ start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, start);
+ }
}
+
if (range > start) goto mismatch_no_msa;
}
}
@@ -4801,15 +4825,19 @@ onig_search_with_param(regex_t* reg, con
if (reg->optimize != OPTIMIZE_NONE) {
UChar *sch_range, *low, *high, *low_prev;
- sch_range = (UChar* )range;
if (reg->dmax != 0) {
if (reg->dmax == INFINITE_LEN)
sch_range = (UChar* )end;
else {
- sch_range += reg->dmax;
- if (sch_range > end) sch_range = (UChar* )end;
- }
+ if ((end - range) < reg->dmax)
+ sch_range = (UChar* )end;
+ else {
+ sch_range = (UChar* )range + reg->dmax;
+ }
+ }
}
+ else
+ sch_range = (UChar* )range;
if ((end - start) < reg->threshold_len)
goto mismatch;
@@ -4868,18 +4896,28 @@ onig_search_with_param(regex_t* reg, con
if (reg->optimize != OPTIMIZE_NONE) {
UChar *low, *high, *adjrange, *sch_start;
+ const UChar *min_range;
if (range < end)
adjrange = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, range);
else
adjrange = (UChar* )end;
+ if (end - range > reg->dmin)
+ min_range = range + reg->dmin;
+ else
+ min_range = end;
+
if (reg->dmax != INFINITE_LEN &&
(end - range) >= reg->threshold_len) {
do {
- sch_start = s + reg->dmax;
- if (sch_start > end) sch_start = (UChar* )end;
- if (backward_search_range(reg, str, end, sch_start, range, adjrange,
+ if (end - s > reg->dmax)
+ sch_start = s + reg->dmax;
+ else {
+ sch_start = (UChar* )end;
+ }
+
+ if (backward_search_range(reg, str, end, sch_start, min_range, adjrange,
&low, &high) <= 0)
goto mismatch;
@@ -4897,19 +4935,7 @@ onig_search_with_param(regex_t* reg, con
else { /* check only. */
if ((end - range) < reg->threshold_len) goto mismatch;
- sch_start = s;
- if (reg->dmax != 0) {
- if (reg->dmax == INFINITE_LEN)
- sch_start = (UChar* )end;
- else {
- sch_start += reg->dmax;
- if (sch_start > end) sch_start = (UChar* )end;
- else
- sch_start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc,
- start, sch_start);
- }
- }
- if (backward_search_range(reg, str, end, sch_start, range, adjrange,
+ if (backward_search_range(reg, str, end, sch_start, min_range, adjrange,
&low, &high) <= 0) goto mismatch;
}
}

6
oniguruma.spec
View File

@ -1,6 +1,6 @@
Name: oniguruma
Version: 6.9.0
Release: 2
Release: 3
Summary: Regular expressions library
License: BSD
URL: https://github.com/kkos/oniguruma/
@ -15,6 +15,7 @@ Patch0004: CVE-2019-16163.patch
Patch0005: CVE-2019-19203.patch
Patch0006: CVE-2019-19204.patch
Patch0007: CVE-2019-19246.patch
Patch0008: CVE-2019-19012.patch
%description
Oniguruma is a regular expressions library.
@ -70,6 +71,9 @@ make check
%doc HISTORY README.md index.html doc/API doc/CALLOUTS.API doc/CALLOUTS.BUILTIN doc/FAQ doc/RE
%changelog
* Mon Jan 04 2020 wangxiao <wangxiao65@huawei.com> - 6.9.0-3
- fix CVE-2019-19012
* Thu Mar 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.9.0-2
- Add CVE patches