From 94b40df318e327ebdae14798db0d201b32ab28ba Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Mon, 4 Jan 2021 16:37:28 +0800
Subject: [PATCH] fix CVE-2019-19012
---
 CVE-2019-19012.patch | 227 +++++++++++++++++++++++++++++++++++++++++++
 oniguruma.spec | 6 +-
 2 files changed, 232 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-19012.patch
diff --git a/CVE-2019-19012.patch b/CVE-2019-19012.patch
new file mode 100644
index 0000000..b1bef02
--- /dev/null
+++ b/CVE-2019-19012.patch
@@ -0,0 +1,227 @@
+Origin: https://github.com/kkos/oniguruma/commit/0463e21432515631a9bc925ce5eb95b097c73719
+Origin: https://github.com/kkos/oniguruma/commit/db64ef3189f54917a5008a02bdb000adc514a90a
+Origin: https://github.com/kkos/oniguruma/commit/bfc36d3d8139b8be4d3df630d625c58687b0c7d4
+Origin: https://github.com/kkos/oniguruma/commit/778a43dd56925ed58bbe26e3a7bb8202d72c3f3f
+Origin: https://github.com/kkos/oniguruma/commit/b6cb7580a7e0c56fc325fe9370b9d34044910aed
+Author: K.Kosako
+Reviewed-by: Sylvain Beucler
+Last-Update: 2019-11-22
+
+fix #164: Integer overflow related to reg->dmax in search_in_range()
+
+Index: src/regexec.c
+===================================================================
+--- a/src/regexec.c
++++ b/src/regexec.c
+@@ -27,6 +27,7 @@
+ * SUCH DAMAGE.
+ */
+ #include "regint.h"
++#include
+
+ #define IS_MBC_WORD_ASCII_MODE(enc,s,end,mode) \
+ ((mode) == 0 ? ONIGENC_IS_MBC_WORD(enc,s,end) : ONIGENC_IS_MBC_WORD_ASCII(enc,s,end))
+@@ -4367,14 +4368,14 @@ forward_search_range(regex_t* reg, const
+ #endif
+
+ p = s;
+- if (reg->dmin > 0) {
++ if (reg->dmin != 0) {
++ if (end - p <= reg->dmin)
++ return 0; /* fail */
+ if (ONIGENC_IS_SINGLEBYTE(reg->enc)) {
+ p += reg->dmin;
+ }
+ else {
+ UChar *q = p + reg->dmin;
+-
+- if (q >= end) return 0; /* fail */
+ while (p < q) p += enclen(reg->enc, p);
+ }
+ }
+@@ -4403,7 +4404,7 @@ forward_search_range(regex_t* reg, const
+ }
+
+ if (p && p < range) {
+- if (p - reg->dmin < s) {
++ if (p - s < reg->dmin) {
+ retry_gate:
+ pprev = p;
+ p += enclen(reg->enc, p);
+@@ -4451,6 +4452,7 @@ forward_search_range(regex_t* reg, const
+ *low_prev = onigenc_get_prev_char_head(reg->enc,
+ (pprev ? pprev : str), p);
+ }
++ *high = p;
+ }
+ else {
+ if (reg->dmax != INFINITE_LEN) {
+@@ -4475,9 +4477,12 @@ forward_search_range(regex_t* reg, const
+ }
+ }
+ }
++ /* no needs to adjust *high, *high is used as range check only */
++ if (p - str < reg->dmin)
++ *high = (UChar* )str;
++ else
++ *high = p - reg->dmin;
+ }
+- /* no needs to adjust *high, *high is used as range check only */
+- *high = p - reg->dmin;
+
+ #ifdef ONIG_DEBUG_SEARCH
+ fprintf(stderr,
+@@ -4500,7 +4505,6 @@ backward_search_range(regex_t* reg, cons
+ {
+ UChar *p;
+
+- range += reg->dmin;
+ p = s;
+
+ retry:
+@@ -4581,10 +4585,22 @@ backward_search_range(regex_t* reg, cons
+ }
+ }
+
+- /* no needs to adjust *high, *high is used as range check only */
+ if (reg->dmax != INFINITE_LEN) {
+- *low = p - reg->dmax;
+- *high = p - reg->dmin;
++ if ((ptrdiff_t )(p - str) < (ptrdiff_t )reg->dmax)
++ *low = (UChar* )str;
++ else
++ *low = p - reg->dmax;
++
++ if (reg->dmin != 0) {
++ if ((ptrdiff_t )(p - str) < (ptrdiff_t )reg->dmin)
++ *high = (UChar* )str;
++ else
++ *high = p - reg->dmin;
++ }
++ else {
++ *high = p;
++ }
++
+ *high = onigenc_get_right_adjust_char_head(reg->enc, adjrange, *high);
+ }
+
+@@ -4714,13 +4730,16 @@ onig_search_with_param(regex_t* reg, con
+ goto mismatch_no_msa;
+
+ if (range > start) {
+- if ((OnigLen )(min_semi_end - start) > reg->anchor_dmax) {
++ if (min_semi_end - start > reg->anchor_dmax) {
+ start = min_semi_end - reg->anchor_dmax;
+ if (start < end)
+ start = onigenc_get_right_adjust_char_head(reg->enc, str, start);
+ }
+- if ((OnigLen )(max_semi_end - (range - 1)) < reg->anchor_dmin) {
+- range = max_semi_end - reg->anchor_dmin + 1;
++ if (max_semi_end - (range - 1) < reg->anchor_dmin) {
++ if (max_semi_end - str + 1 < reg->anchor_dmin)
++ goto mismatch_no_msa;
++ else
++ range = max_semi_end - reg->anchor_dmin + 1;
+ }
+
+ if (start > range) goto mismatch_no_msa;
+@@ -4728,13 +4747,18 @@ onig_search_with_param(regex_t* reg, con
+ Backward search is used. */
+ }
+ else {
+- if ((OnigLen )(min_semi_end - range) > reg->anchor_dmax) {
++ if (min_semi_end - range > reg->anchor_dmax) {
+ range = min_semi_end - reg->anchor_dmax;
+ }
+- if ((OnigLen )(max_semi_end - start) < reg->anchor_dmin) {
+- start = max_semi_end - reg->anchor_dmin;
+- start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, start);
++ if (max_semi_end - start < reg->anchor_dmin) {
++ if (max_semi_end - str < reg->anchor_dmin)
++ goto mismatch_no_msa;
++ else {
++ start = max_semi_end - reg->anchor_dmin;
++ start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, start);
++ }
+ }
++
+ if (range > start) goto mismatch_no_msa;
+ }
+ }
+@@ -4801,15 +4825,19 @@ onig_search_with_param(regex_t* reg, con
+ if (reg->optimize != OPTIMIZE_NONE) {
+ UChar *sch_range, *low, *high, *low_prev;
+
+- sch_range = (UChar* )range;
+ if (reg->dmax != 0) {
+ if (reg->dmax == INFINITE_LEN)
+ sch_range = (UChar* )end;
+ else {
+- sch_range += reg->dmax;
+- if (sch_range > end) sch_range = (UChar* )end;
+- }
++ if ((end - range) < reg->dmax)
++ sch_range = (UChar* )end;
++ else {
++ sch_range = (UChar* )range + reg->dmax;
++ }
++ }
+ }
++ else
++ sch_range = (UChar* )range;
+
+ if ((end - start) < reg->threshold_len)
+ goto mismatch;
+@@ -4868,18 +4896,28 @@ onig_search_with_param(regex_t* reg, con
+
+ if (reg->optimize != OPTIMIZE_NONE) {
+ UChar *low, *high, *adjrange, *sch_start;
++ const UChar *min_range;
+
+ if (range < end)
+ adjrange = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc, str, range);
+ else
+ adjrange = (UChar* )end;
+
++ if (end - range > reg->dmin)
++ min_range = range + reg->dmin;
++ else
++ min_range = end;
++
+ if (reg->dmax != INFINITE_LEN &&
+ (end - range) >= reg->threshold_len) {
+ do {
+- sch_start = s + reg->dmax;
+- if (sch_start > end) sch_start = (UChar* )end;
+- if (backward_search_range(reg, str, end, sch_start, range, adjrange,
++ if (end - s > reg->dmax)
++ sch_start = s + reg->dmax;
++ else {
++ sch_start = (UChar* )end;
++ }
++
++ if (backward_search_range(reg, str, end, sch_start, min_range, adjrange,
+ &low, &high) <= 0)
+ goto mismatch;
+
+@@ -4897,19 +4935,7 @@ onig_search_with_param(regex_t* reg, con
+ else { /* check only. */
+ if ((end - range) < reg->threshold_len) goto mismatch;
+
+- sch_start = s;
+- if (reg->dmax != 0) {
+- if (reg->dmax == INFINITE_LEN)
+- sch_start = (UChar* )end;
+- else {
+- sch_start += reg->dmax;
+- if (sch_start > end) sch_start = (UChar* )end;
+- else
+- sch_start = ONIGENC_LEFT_ADJUST_CHAR_HEAD(reg->enc,
+- start, sch_start);
+- }
+- }
+- if (backward_search_range(reg, str, end, sch_start, range, adjrange,
++ if (backward_search_range(reg, str, end, sch_start, min_range, adjrange,
+ &low, &high) <= 0) goto mismatch;
+ }
+ }
diff --git a/oniguruma.spec b/oniguruma.spec
index 2c090c0..879fbcc 100644
--- a/oniguruma.spec
+++ b/oniguruma.spec
@@ -1,6 +1,6 @@
 Name: oniguruma
 Version: 6.9.0
-Release: 2
+Release: 3
 Summary: Regular expressions library
 License: BSD
 URL: https://github.com/kkos/oniguruma/
@@ -15,6 +15,7 @@ Patch0004: CVE-2019-16163.patch
 Patch0005: CVE-2019-19203.patch
 Patch0006: CVE-2019-19204.patch
 Patch0007: CVE-2019-19246.patch
+Patch0008: CVE-2019-19012.patch
 %description
 Oniguruma is a regular expressions library.
@@ -70,6 +71,9 @@ make check
 %doc HISTORY README.md index.html doc/API doc/CALLOUTS.API doc/CALLOUTS.BUILTIN doc/FAQ doc/RE
 %changelog
+* Mon Jan 04 2020 wangxiao - 6.9.0-3
+- fix CVE-2019-19012
+
 * Thu Mar 12 2020 openEuler Buildteam - 6.9.0-2
 - Add CVE patches
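Review bot: In the last regexec.c hunk of the embedded patch (`@@ -4897,19 +4935,7 @@`), the "check only" branch passes `sch_start` to `backward_search_range()` without ever assigning it: the whole `sch_start = s; ...` block is deleted, nothing replaces it, and the declaration `UChar *low, *high, *adjrange, *sch_start;` in the preceding hunk has no initializer. Going by the visible conditions, that call is reached only when `reg->dmax == INFINITE_LEN`, because the do-loop that does set `sch_start` is skipped and the threshold check jumps to `mismatch`, so the backward search would start from an indeterminate pointer inside a fix for an out-of-bounds read. The removed code used `sch_start = (UChar* )end;` for exactly that case, so adding that one line before the call keeps the previous behaviour; it should still be compared with how current upstream regexec.c initialises `sch_start` there. A build with `-Wmaybe-uninitialized` and a backward-search test run under a sanitizer would confirm it before the package ships. `onig_search_with_param` begins and ends outside the hunks shown, so an assignment elsewhere cannot be fully ruled out from this page.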