From 5ed8bad6a362c8a77cbd40196cd8867681029bcd Mon Sep 17 00:00:00 2001 From: "K.Kosako" Date: Thu, 27 Jun 2019 14:11:55 +0900 Subject: [PATCH] Fix CVE-2019-13225: problem in converting if-then-else pattern to bytecode. Signed-off-by: hanxinke --- src/regcomp.c | 24 +++++++++++++++++------- 1 file changed, 17 insertions(+), 7 deletions(-) diff --git a/src/regcomp.c b/src/regcomp.c index 83b9252..6c9da7e 100644 --- a/src/regcomp.c +++ b/src/regcomp.c @@ -1100,8 +1100,9 @@ compile_length_enclosure_node(EnclosureNode* node, regex_t* reg) len += tlen; } + len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END; + if (IS_NOT_NULL(Else)) { - len += SIZE_OP_JUMP; tlen = compile_length_tree(Else, reg); if (tlen < 0) return tlen; len += tlen; @@ -1243,7 +1244,7 @@ compile_enclosure_node(EnclosureNode* node, regex_t* reg, ScanEnv* env) case ENCLOSURE_IF_ELSE: { - int cond_len, then_len, jump_len; + int cond_len, then_len, else_len, jump_len; Node* cond = NODE_ENCLOSURE_BODY(node); Node* Then = node->te.Then; Node* Else = node->te.Else; @@ -1260,8 +1261,7 @@ compile_enclosure_node(EnclosureNode* node, regex_t* reg, ScanEnv* env) else then_len = 0; - jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END; - if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP; + jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP; r = add_opcode_rel_addr(reg, OP_PUSH, jump_len); if (r != 0) return r; @@ -1276,9 +1276,19 @@ compile_enclosure_node(EnclosureNode* node, regex_t* reg, ScanEnv* env) } if (IS_NOT_NULL(Else)) { - int else_len = compile_length_tree(Else, reg); - r = add_opcode_rel_addr(reg, OP_JUMP, else_len); - if (r != 0) return r; + else_len = compile_length_tree(Else, reg); + if (else_len < 0) return else_len; + } + else + else_len = 0; + + r = add_opcode_rel_addr(reg, OP_JUMP, else_len + SIZE_OP_ATOMIC_END); + if (r != 0) return r; + + r = add_opcode(reg, OP_ATOMIC_END); + if (r != 0) return r; + + if (IS_NOT_NULL(Else)) { r = compile_tree(Else, reg, env); } } -- 2.0.1