From d81e3a8314e1be76946b7398753ebabf07fb82d8 Mon Sep 17 00:00:00 2001
From: xiaoweiwei <xiaoweiwei5@huawei.com>
Date: Thu, 12 Mar 2020 14:13:27 +0800
Subject: [PATCH] Add CVE patches

---
 CVE-2019-16163.patch |  55 +++++++++++++++++++
 CVE-2019-19203.patch | 126 +++++++++++++++++++++++++++++++++++++++++++
 CVE-2019-19204.patch |  23 ++++++++
 CVE-2019-19246.patch |  21 ++++++++
 oniguruma.spec       |   9 +++-
 5 files changed, 233 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-16163.patch
 create mode 100644 CVE-2019-19203.patch
 create mode 100644 CVE-2019-19204.patch
 create mode 100644 CVE-2019-19246.patch

diff --git a/CVE-2019-16163.patch b/CVE-2019-16163.patch
new file mode 100644
index 0000000..4fbce00
--- /dev/null
+++ b/CVE-2019-16163.patch
@@ -0,0 +1,55 @@
+From 4097828d7cc87589864fecf452f2cd46c5f37180 Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Mon, 29 Jul 2019 12:52:56 +0900
+Subject: [PATCH] fix #147: Stack Exhaustion Problem caused by some parsing
+ functions in regcomp.c making recursive calls to themselves.
+
+---
+ src/regparse.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/src/regparse.c b/src/regparse.c
+index 3689519..9652bfd 100644
+--- a/src/regparse.c
++++ b/src/regparse.c
+@@ -6190,6 +6190,7 @@ parse_char_class(Node** np, OnigToken* tok, UChar** src, UChar* end, ScanEnv* en
+   env->parse_depth++;
+   if (env->parse_depth > ParseDepthLimit)
+     return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
++
+   prev_cc = (CClassNode* )NULL;
+   r = fetch_token_in_cc(tok, src, end, env);
+   if (r == TK_CHAR && tok->u.c == '^' && tok->escaped == 0) {
+@@ -7714,13 +7715,17 @@ static int
+ parse_exp(Node** np, OnigToken* tok, int term, UChar** src, UChar* end,
+           ScanEnv* env)
+ {
+-  int r, len, group = 0;
++  int r, len, group;
+   Node* qn;
+   Node** targetp;
++  unsigned int parse_depth;
+ 
++  group = 0;
+   *np = NULL;
+   if (tok->type == (enum TokenSyms )term)
+     goto end_of_token;
++ 
++  parse_depth = env->parse_depth;
+ 
+   switch (tok->type) {
+   case TK_ALT:
+@@ -8028,6 +8033,10 @@ parse_exp(Node** np, OnigToken* tok, int term, UChar** src, UChar* end,
+       if (is_invalid_quantifier_target(*targetp))
+         return ONIGERR_TARGET_OF_REPEAT_OPERATOR_INVALID;
+ 
++      parse_depth++;
++      if (parse_depth > ParseDepthLimit)
++	      return ONIGERR_PARSE_DEPTH_LIMIT_OVER;
++
+       qn = node_new_quantifier(tok->u.repeat.lower, tok->u.repeat.upper,
+                                (r == TK_INTERVAL ? 1 : 0));
+       CHECK_NULL_RETURN_MEMERR(qn);
+-- 
+2.19.1
+
diff --git a/CVE-2019-19203.patch b/CVE-2019-19203.patch
new file mode 100644
index 0000000..36c1d91
--- /dev/null
+++ b/CVE-2019-19203.patch
@@ -0,0 +1,126 @@
+From aa0188eaedc056dca8374ac03d0177429b495515 Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Thu, 7 Nov 2019 14:13:55 +0900
+Subject: [PATCH] fix #163: heap-buffer-overflow in gb18030_mbc_enc_len
+
+---
+ src/gb18030.c  | 16 +++++++++++++++-
+ src/regparse.c | 32 ++++++++++++++++++++++----------
+ 2 files changed, 37 insertions(+), 11 deletions(-)
+
+diff --git a/src/gb18030.c b/src/gb18030.c
+index ad5bf96..da6cfab 100644
+--- a/src/gb18030.c
++++ b/src/gb18030.c
+@@ -75,6 +75,20 @@ gb18030_mbc_enc_len(const UChar* p)
+   return 2;
+ }
+ 
++static int
++gb18030_code_to_mbclen(OnigCodePoint code)
++{
++       if ((code & 0xff000000) != 0) return 4;
++  else if ((code &   0xff0000) != 0) return ONIGERR_INVALID_CODE_POINT_VALUE;
++  else if ((code &     0xff00) != 0) return 2;
++  else {
++    if (GB18030_MAP[(int )(code & 0xff)] == CM)
++      return ONIGERR_INVALID_CODE_POINT_VALUE;
++
++    return 1;
++  }
++}
++
+ static int
+ is_valid_mbc_string(const UChar* p, const UChar* end)
+ {
+@@ -513,7 +527,7 @@ OnigEncodingType OnigEncodingGB18030 = {
+   1,          /* min enc length */
+   onigenc_is_mbc_newline_0x0a,
+   gb18030_mbc_to_code,
+-  onigenc_mb4_code_to_mbclen,
++  gb18030_code_to_mbclen,
+   gb18030_code_to_mbc,
+   gb18030_mbc_case_fold,
+   onigenc_ascii_apply_all_case_fold,
+diff --git a/src/regparse.c b/src/regparse.c
+index 70c36d5..5bf25e8 100644
+--- a/src/regparse.c
++++ b/src/regparse.c
+@@ -5885,6 +5885,7 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
+ 
+   int c, r;
+   int ascii_mode;
++  int is_single;
+   const OnigCodePoint *ranges;
+   OnigCodePoint limit;
+   OnigCodePoint sb_out;
+@@ -5906,6 +5907,7 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
+   }
+ 
+   r = 0;
++  is_single = ONIGENC_IS_SINGLEBYTE(enc);
+   limit = ascii_mode ? ASCII_LIMIT : SINGLE_BYTE_SIZE;
+ 
+   switch (ctype) {
+@@ -5922,19 +5924,25 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
+   case ONIGENC_CTYPE_ALNUM:
+     if (not != 0) {
+       for (c = 0; c < (int )limit; c++) {
+-        if (! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
+-          BITSET_SET_BIT(cc->bs, c);
++        if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) {
++          if (! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
++            BITSET_SET_BIT(cc->bs, c);
++        }
+       }
+       for (c = limit; c < SINGLE_BYTE_SIZE; c++) {
+-        BITSET_SET_BIT(cc->bs, c);
++        if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
++          BITSET_SET_BIT(cc->bs, c);
+       }
+ 
+-      ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
++      if (is_single == 0)
++        ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
+     }
+     else {
+       for (c = 0; c < (int )limit; c++) {
+-        if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
+-          BITSET_SET_BIT(cc->bs, c);
++        if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1) {
++          if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
++            BITSET_SET_BIT(cc->bs, c);
++        }
+       }
+     }
+     break;
+@@ -5944,21 +5952,25 @@ add_ctype_to_cc(CClassNode* cc, int ctype, int not, ScanEnv* env)
+   case ONIGENC_CTYPE_WORD:
+     if (not != 0) {
+       for (c = 0; c < (int )limit; c++) {
+-        if (ONIGENC_CODE_TO_MBCLEN(enc, c) > 0 /* check invalid code point */
++        /* check invalid code point */
++        if ((is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
+             && ! ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
+           BITSET_SET_BIT(cc->bs, c);
+       }
+       for (c = limit; c < SINGLE_BYTE_SIZE; c++) {
+-        if (ONIGENC_CODE_TO_MBCLEN(enc, c) > 0)
++        if (is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
+           BITSET_SET_BIT(cc->bs, c);
+       }
++      if (ascii_mode != 0 && is_single == 0)
++        ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
+     }
+     else {
+       for (c = 0; c < (int )limit; c++) {
+-        if (ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
++        if ((is_single != 0 || ONIGENC_CODE_TO_MBCLEN(enc, c) == 1)
++            && ONIGENC_IS_CODE_CTYPE(enc, (OnigCodePoint )c, ctype))
+           BITSET_SET_BIT(cc->bs, c);
+       }
+-      if (ascii_mode == 0)
++      if (ascii_mode == 0 && is_single == 0)
+         ADD_ALL_MULTI_BYTE_RANGE(enc, cc->mbuf);
+     }
+     break;
diff --git a/CVE-2019-19204.patch b/CVE-2019-19204.patch
new file mode 100644
index 0000000..db32ec9
--- /dev/null
+++ b/CVE-2019-19204.patch
@@ -0,0 +1,23 @@
+From 6eb4aca6a7f2f60f473580576d86686ed6a6ebec Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Wed, 6 Nov 2019 17:32:29 +0900
+Subject: [PATCH] fix #162: heap-buffer-overflow in fetch_interval_quantifier
+ due to double PFETCH
+
+---
+ src/regparse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/regparse.c b/src/regparse.c
+index 324c414..70c36d5 100644
+--- a/src/regparse.c
++++ b/src/regparse.c
+@@ -4178,7 +4178,7 @@ fetch_interval_quantifier(UChar** src, UChar* end, PToken* tok, ScanEnv* env)
+   if (PEND) goto invalid;
+   PFETCH(c);
+   if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_BRACE_INTERVAL)) {
+-    if (c != MC_ESC(env->syntax)) goto invalid;
++    if (c != MC_ESC(env->syntax) || PEND) goto invalid;
+     PFETCH(c);
+   }
+   if (c != '}') goto invalid;
diff --git a/CVE-2019-19246.patch b/CVE-2019-19246.patch
new file mode 100644
index 0000000..78bc3ac
--- /dev/null
+++ b/CVE-2019-19246.patch
@@ -0,0 +1,21 @@
+From d3e402928b6eb3327f8f7d59a9edfa622fec557b Mon Sep 17 00:00:00 2001
+From: "K.Kosako" <kosako@sofnec.co.jp>
+Date: Tue, 13 Aug 2019 13:37:30 +0900
+Subject: [PATCH] fix heap-buffer-overflow
+
+---
+ src/regexec.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/regexec.c b/src/regexec.c
+index 0753b07..634ee42 100644
+--- a/src/regexec.c
++++ b/src/regexec.c
+@@ -4196,6 +4196,7 @@ str_lower_case_match(OnigEncoding enc, int case_fold_flag,
+     lowlen = ONIGENC_MBC_CASE_FOLD(enc, case_fold_flag, &p, end, lowbuf);
+     q = lowbuf;
+     while (lowlen > 0) {
++      if (t >= tend)    return 0;
+       if (*t++ != *q++) return 0;
+       lowlen--;
+     }
diff --git a/oniguruma.spec b/oniguruma.spec
index 6a32527..2c090c0 100644
--- a/oniguruma.spec
+++ b/oniguruma.spec
@@ -1,6 +1,6 @@
 Name:		    oniguruma
 Version:	    6.9.0
-Release:	    1
+Release:	    2
 Summary:	    Regular expressions library
 License:	    BSD
 URL:		    https://github.com/kkos/oniguruma/
@@ -11,6 +11,10 @@ BuildRequires:	gcc
 Patch0001:      CVE-2017-9228.patch
 Patch0002:      CVE-2019-13224.patch
 Patch0003:      CVE-2019-13225.patch
+Patch0004:      CVE-2019-16163.patch
+Patch0005:      CVE-2019-19203.patch
+Patch0006:      CVE-2019-19204.patch
+Patch0007:      CVE-2019-19246.patch
 
 %description
 Oniguruma is a regular expressions library.
@@ -66,5 +70,8 @@ make check
 %doc HISTORY README.md index.html doc/API doc/CALLOUTS.API doc/CALLOUTS.BUILTIN doc/FAQ doc/RE
 
 %changelog
+* Thu Mar 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.9.0-2
+- Add CVE patches
+
 * Wed Feb 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 6.9.0-1
 - Package init