openeuler-ci-bot
Gitee
commit
f11ecfe4e1
55
CVE-2019-16163.patch
Normal file
55
CVE-2019-16163.patch
Normal file
@ -0,0 +1,55 @@
|
||||
From 4097828d7cc87589864fecf452f2cd46c5f37180 Mon Sep 17 00:00:00 2001
|
||||
From: "K.Kosako" <kosako@sofnec.co.jp>
|
||||
Date: Mon, 29 Jul 2019 12:52:56 +0900
|
||||
Subject: [PATCH] fix #147: Stack Exhaustion Problem caused by some parsing
|
||||
functions in regcomp.c making recursive calls to themselves.
|
||||
|
||||
---
|
||||
src/regparse.c | 11 ++++++++++-
|
||||
1 file changed, 10 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/regparse.c b/src/regparse.c
|
||||
index 3689519..9652bfd 100644
|
||||
--- a/src/regparse.c
|
||||
+++ b/src/regparse.c
|
||||
@@ -6190,6 +6190,7 @@ parse_char_class(Node** np, OnigToken* tok, UChar** src, UChar* end, ScanEnv* en
|
||||
env->parse_depth++;
|
||||
if (env->parse_depth > ParseDepthLimit)
|
||||
return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
|
||||
+
|
||||
prev_cc = (CClassNode* )NULL;
|
||||
r = fetch_token_in_cc(tok, src, end, env);
|
||||
if (r == TK_CHAR && tok->u.c == '^' && tok->escaped == 0) {
|
||||
@@ -7714,13 +7715,17 @@ static int
|
||||
parse_exp(Node** np, OnigToken* tok, int term, UChar** src, UChar* end,
|
||||
ScanEnv* env)
|
||||
{
|
||||
- int r, len, group = 0;
|
||||
+ int r, len, group;
|
||||
Node* qn;
|
||||
Node** targetp;
|
||||
+ unsigned int parse_depth;
|
||||
|
||||
+ group = 0;
|
||||
*np = NULL;
|
||||
if (tok->type == (enum TokenSyms )term)
|
||||
goto end_of_token;
|
||||
+
|
||||
+ parse_depth = env->parse_depth;
|
||||
|
||||
switch (tok->type) {
|
||||
case TK_ALT:
|
||||
@@ -8028,6 +8033,10 @@ parse_exp(Node** np, OnigToken* tok, int term, UChar** src, UChar* end,
|
||||
if (is_invalid_quantifier_target(*targetp))
|
||||
return ONIGERR_TARGET_OF_REPEAT_OPERATOR_INVALID;
|
||||
|
||||
+ parse_depth++;
|
||||
+ if (parse_depth > ParseDepthLimit)
|
||||
+ return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
|
||||
+
|
||||
qn = node_new_quantifier(tok->u.repeat.lower, tok->u.repeat.upper,
|
||||
(r == TK_INTERVAL ? 1 : 0));
|
||||
CHECK_NULL_RETURN_MEMERR(qn);
|
||||
--
|
||||
2.19.1
|
||||
|
||||
126
CVE-2019-19203.patch
Normal file
126
CVE-2019-19203.patch
Normal file
@ -0,0 +1,126 @@
|
||||
From aa0188eaedc056dca8374ac03d0177429b495515 Mon Sep 17 00:00:00 2001
|
||||
From: "K.Kosako" <kosako@sofnec.co.jp>
|
||||
Date: Thu, 7 Nov 2019 14:13:55 +0900
|
||||
Subject: [PATCH] fix #163: heap-buffer-overflow in gb18030_mbc_enc_len
|
||||
|
||||
---
|
||||
src/gb18030.c | 16 +++++++++++++++-
|
||||
src/regparse.c | 32 ++++++++++++++++++++++----------
|
||||
2 files changed, 37 insertions(+), 11 deletions(-)
|
||||
|
||||
diff --git a/src/gb18030.c b/src/gb18030.c
|
||||
index ad5bf96..da6cfab 100644
|
||||
--- a/src/gb18030.c
|
||||
+++ b/src/gb18030.c
|
||||
@@ -75,6 +75,20 @@ gb18030_mbc_enc_len(const UChar* p)
|
||||
return 2;
|
||||
}
|
||||
|
||||
+static int
|
||||
+gb18030_code_to_mbclen(OnigCodePoint code)
|
||||
+{
|
||||
+ if ((code & 0xff000000) != 0) return 4;
|
||||
+ else if ((code & 0xff0000) != 0) return ONIGERR_INVALID_CODE_POINT_VALUE;
|
||||
+ else if ((code & 0xff00) != 0) return 2;
|
||||
+ else {
|
||||
+ if (GB18030_MAP[(int )(code & 0xff)] == CM)
|
||||
+ return ONIGERR_INVALID_CODE_POINT_VALUE;
|
||||
+
|
||||
+ return 1;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
static int
|
||||
is_valid_mbc_string(const UChar* p, const UChar* end)
|
||||
{
|
||||
@@ -513,7 +527,7 @@ OnigEncodingType OnigEncodingGB18030 = {
|
||||
1, /* min enc length */
|
||||
onigenc_is_mbc_newline_0x0a,
|
||||
gb18030_mbc_to_code,
|
||||
- onigenc_mb4_code_to_mbclen,
|
||||
+ gb18030_code_to_mbclen,
|
||||
gb18030_code_to_mbc,
|
||||
gb18030_mbc_case_fold,
|
||||
onigenc_ascii_apply_all_case_fold,
|
||||
diff --git a/src/regparse.c b/src/regparse.c
|
||||
index 70c36d5..5bf25e8 100644
|
||||
--- a/src/regparse.c
|
||||
+++ b/src/regparse.c
|
||||
@@ -5885,6 +5885,7 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
|
||||
|
||||
int c, r;
|
||||
int ascii_mode;
|
||||
+ int is_single;
|
||||
const OnigCodePoint *ranges;
|
||||
OnigCodePoint limit;
|
||||
OnigCodePoint sb_out;
|
||||
@@ -5906,6 +5907,7 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
|
||||
}
|
||||
|
||||
r = 0;
|
||||
+ is_single = ONIGENC_IS_SINGLEBYTE(enc);
|
||||
limit = ascii_mode ? ASCII_LIMIT : SINGLE_BYTE_SIZE;
|
||||
|
||||
switch (ctype) {
|
||||
@@ -5922,19 +5924,25 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
|
||||
case ONIGENC_CTYPE_ALNUM:
|
||||
if (not != 0) {
|
||||
for (c = 0; c < (int )limit; c++) {
|
||||
- if (! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
|
||||
- BITSET_SET_BIT(cc->bs, c);
|
||||
+ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) {
|
||||
+ if (! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
|
||||
+ BITSET_SET_BIT(cc->bs, c);
|
||||
+ }
|
||||
}
|
||||
for (c = limit; c < SINGLE_BYTE_SIZE; c++) {
|
||||
- BITSET_SET_BIT(cc->bs, c);
|
||||
+ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
|
||||
+ BITSET_SET_BIT(cc->bs, c);
|
||||
}
|
||||
|
||||
- ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
|
||||
+ if (is_single == 0)
|
||||
+ ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
|
||||
}
|
||||
else {
|
||||
for (c = 0; c < (int )limit; c++) {
|
||||
- if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
|
||||
- BITSET_SET_BIT(cc->bs, c);
|
||||
+ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) {
|
||||
+ if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
|
||||
+ BITSET_SET_BIT(cc->bs, c);
|
||||
+ }
|
||||
}
|
||||
}
|
||||
break;
|
||||
@@ -5944,21 +5952,25 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
|
||||
case ONIGENC_CTYPE_WORD:
|
||||
if (not != 0) {
|
||||
for (c = 0; c < (int )limit; c++) {
|
||||
- if (ONIGENC_CODE_TO_MBCLEN(enc, c) > 0 /* check invalid code point */
|
||||
+ /* check invalid code point */
|
||||
+ if ((is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
|
||||
&& ! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
|
||||
BITSET_SET_BIT(cc->bs, c);
|
||||
}
|
||||
for (c = limit; c < SINGLE_BYTE_SIZE; c++) {
|
||||
- if (ONIGENC_CODE_TO_MBCLEN(enc, c) > 0)
|
||||
+ if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
|
||||
BITSET_SET_BIT(cc->bs, c);
|
||||
}
|
||||
+ if (ascii_mode != 0 && is_single == 0)
|
||||
+ ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
|
||||
}
|
||||
else {
|
||||
for (c = 0; c < (int )limit; c++) {
|
||||
- if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
|
||||
+ if ((is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
|
||||
+ && ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
|
||||
BITSET_SET_BIT(cc->bs, c);
|
||||
}
|
||||
- if (ascii_mode == 0)
|
||||
+ if (ascii_mode == 0 && is_single == 0)
|
||||
ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
|
||||
}
|
||||
break;
|
||||
23
CVE-2019-19204.patch
Normal file
23
CVE-2019-19204.patch
Normal file
@ -0,0 +1,23 @@
|
||||
From 6eb4aca6a7f2f60f473580576d86686ed6a6ebec Mon Sep 17 00:00:00 2001
|
||||
From: "K.Kosako" <kosako@sofnec.co.jp>
|
||||
Date: Wed, 6 Nov 2019 17:32:29 +0900
|
||||
Subject: [PATCH] fix #162: heap-buffer-overflow in fetch_interval_quantifier
|
||||
due to double PFETCH
|
||||
|
||||
---
|
||||
src/regparse.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/regparse.c b/src/regparse.c
|
||||
index 324c414..70c36d5 100644
|
||||
--- a/src/regparse.c
|
||||
+++ b/src/regparse.c
|
||||
@@ -4178,7 +4178,7 @@ fetch_interval_quantifier(UChar** src, UChar* end, PToken* tok, ScanEnv* env)
|
||||
if (PEND) goto invalid;
|
||||
PFETCH(c);
|
||||
if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_BRACE_INTERVAL)) {
|
||||
- if (c != MC_ESC(env->syntax)) goto invalid;
|
||||
+ if (c != MC_ESC(env->syntax) || PEND) goto invalid;
|
||||
PFETCH(c);
|
||||
}
|
||||
if (c != '}') goto invalid;
|
||||
21
CVE-2019-19246.patch
Normal file
21
CVE-2019-19246.patch
Normal file
@ -0,0 +1,21 @@
|
||||
From d3e402928b6eb3327f8f7d59a9edfa622fec557b Mon Sep 17 00:00:00 2001
|
||||
From: "K.Kosako" <kosako@sofnec.co.jp>
|
||||
Date: Tue, 13 Aug 2019 13:37:30 +0900
|
||||
Subject: [PATCH] fix heap-buffer-overflow
|
||||
|
||||
---
|
||||
src/regexec.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/src/regexec.c b/src/regexec.c
|
||||
index 0753b07..634ee42 100644
|
||||
--- a/src/regexec.c
|
||||
+++ b/src/regexec.c
|
||||
@@ -4196,6 +4196,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag,
|
||||
lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf);
|
||||
q = lowbuf;
|
||||
while (lowlen > 0) {
|
||||
+ if (t >= tend) return 0;
|
||||
if (*t++ != *q++) return 0;
|
||||
lowlen--;
|
||||
}
|
||||
@ -1,6 +1,6 @@
|
||||
Name: oniguruma
|
||||
Version: 6.9.0
|
||||
Release: 1
|
||||
Release: 2
|
||||
Summary: Regular expressions library
|
||||
License: BSD
|
||||
URL: https://github.com/kkos/oniguruma/
|
||||
@ -11,6 +11,10 @@ BuildRequires: gcc
|
||||
Patch0001: CVE-2017-9228.patch
|
||||
Patch0002: CVE-2019-13224.patch
|
||||
Patch0003: CVE-2019-13225.patch
|
||||
Patch0004: CVE-2019-16163.patch
|
||||
Patch0005: CVE-2019-19203.patch
|
||||
Patch0006: CVE-2019-19204.patch
|
||||
Patch0007: CVE-2019-19246.patch
|
||||
|
||||
%description
|
||||
Oniguruma is a regular expressions library.
|
||||
@ -66,5 +70,8 @@ make check
|
||||
%doc HISTORY README.md index.html doc/API doc/CALLOUTS.API doc/CALLOUTS.BUILTIN doc/FAQ doc/RE
|
||||
|
||||
%changelog
|
||||
* Thu Mar 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.9.0-2
|
||||
- Add CVE patches
|
||||
|
||||
* Wed Feb 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.9.0-1
|
||||
- Package init
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user