92 lines
3.0 KiB
Diff
92 lines
3.0 KiB
Diff
From 9a96e864885ccc3b19d360ba410a562eb7c5dc45 Mon Sep 17 00:00:00 2001
|
|
From: gwx620998 <gulining1@huawei.com>
|
|
Date: Sat, 23 Mar 2019 03:34:11 -0400
|
|
Subject: [PATCH] CVE-2019-9023
|
|
|
|
Signed-off-by: gwx620998 <gulining1@huawei.com>
|
|
---
|
|
ext/mbstring/oniguruma/src/regcomp.c | 3 +++
|
|
ext/mbstring/oniguruma/src/regparse.c | 2 ++
|
|
ext/mbstring/oniguruma/src/unicode.c | 1 +
|
|
ext/mbstring/oniguruma/src/utf32_be.c | 3 ++-
|
|
4 files changed, 8 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c
|
|
index 0e9a9ab..cf914cc 100644
|
|
--- a/ext/mbstring/oniguruma/src/regcomp.c
|
|
+++ b/ext/mbstring/oniguruma/src/regcomp.c
|
|
@@ -476,6 +476,7 @@ compile_length_string_node(Node* node, regex_t* reg)
|
|
|
|
for (; p < sn->end; ) {
|
|
len = enclen(enc, p);
|
|
+ if (p + len > sn->end) len = sn->end - p;
|
|
if (len == prev_len) {
|
|
slen++;
|
|
}
|
|
@@ -524,6 +525,7 @@ compile_string_node(Node* node, regex_t* reg)
|
|
|
|
for (; p < end; ) {
|
|
len = enclen(enc, p);
|
|
+ if (p + len > end) len = end - p;
|
|
if (len == prev_len) {
|
|
slen++;
|
|
}
|
|
@@ -3436,6 +3438,7 @@ expand_case_fold_string(Node* node, regex_t* reg)
|
|
}
|
|
|
|
len = enclen(reg->enc, p);
|
|
+ if (p + len > end) len = end - p;
|
|
|
|
if (n == 0) {
|
|
if (IS_NULL(snode)) {
|
|
diff --git a/ext/mbstring/oniguruma/src/regparse.c b/ext/mbstring/oniguruma/src/regparse.c
|
|
index 8153513..9393b9d 100644
|
|
--- a/ext/mbstring/oniguruma/src/regparse.c
|
|
+++ b/ext/mbstring/oniguruma/src/regparse.c
|
|
@@ -3594,6 +3594,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
|
|
}
|
|
else { /* string */
|
|
p = tok->backp + enclen(enc, tok->backp);
|
|
+ if (p > end) p = end;
|
|
}
|
|
}
|
|
break;
|
|
@@ -3763,6 +3764,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
|
|
out:
|
|
#endif
|
|
*src = p;
|
|
+ if (*src > end) *src = end;
|
|
return tok->type;
|
|
}
|
|
|
|
diff --git a/ext/mbstring/oniguruma/src/unicode.c b/ext/mbstring/oniguruma/src/unicode.c
|
|
index 8812ca2..cbdc42f 100644
|
|
--- a/ext/mbstring/oniguruma/src/unicode.c
|
|
+++ b/ext/mbstring/oniguruma/src/unicode.c
|
|
@@ -255,6 +255,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc,
|
|
|
|
code = ONIGENC_MBC_TO_CODE(enc, p, end);
|
|
len = enclen(enc, p);
|
|
+ if (*pp + len > end) len = end - *pp;
|
|
*pp += len;
|
|
|
|
#ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI
|
|
diff --git a/ext/mbstring/oniguruma/src/utf32_be.c b/ext/mbstring/oniguruma/src/utf32_be.c
|
|
index d0c7f39..4cf6fed 100644
|
|
--- a/ext/mbstring/oniguruma/src/utf32_be.c
|
|
+++ b/ext/mbstring/oniguruma/src/utf32_be.c
|
|
@@ -65,8 +65,9 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end)
|
|
}
|
|
|
|
static OnigCodePoint
|
|
-utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
|
|
+utf32be_mbc_to_code(const UChar* p, const UChar* end)
|
|
{
|
|
+ if (p + 4 > end) return (OnigCodePoint ) NULL;
|
|
return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
|
|
}
|
|
|
|
--
|
|
1.8.3.1
|
|
|