[pcre] Fix buffer over-read in UTF-16 and UTF-32 modes with JIT
Petr Pisar
ppisar at fedoraproject.org
Mon Jan 28 09:05:05 UTC 2013
commit 25b56008b2b00613b6c716804daf94c2f8783461
Author: Petr Písař <ppisar at redhat.com>
Date: Mon Jan 28 09:59:14 2013 +0100
Fix buffer over-read in UTF-16 and UTF-32 modes with JIT
...fer-over-read-issues-in-16-and-32-bit-mod.patch | 107 ++++++++++++++++++++
pcre.spec | 4 +
2 files changed, 111 insertions(+), 0 deletions(-)
---
diff --git a/pcre-8.32-Fix-two-buffer-over-read-issues-in-16-and-32-bit-mod.patch b/pcre-8.32-Fix-two-buffer-over-read-issues-in-16-and-32-bit-mod.patch
new file mode 100644
index 0000000..39f1a54
--- /dev/null
+++ b/pcre-8.32-Fix-two-buffer-over-read-issues-in-16-and-32-bit-mod.patch
@@ -0,0 +1,107 @@
+From be692806851f4883b87fc814adc80ab1bb46455e Mon Sep 17 00:00:00 2001
+From: zherczeg <zherczeg at 2f5784b3-3f2a-0410-8824-cb99058d5e15>
+Date: Sat, 26 Jan 2013 17:51:43 +0000
+Subject: [PATCH] Fix two buffer over read issues in 16 and 32 bit modes.
+ Affects JIT only.
+
+git-svn-id: svn://vcs.exim.org/pcre/code/trunk@1242 2f5784b3-3f2a-0410-8824-cb99058d5e15
+
+Petr Pisar: Ported to 8.32.
+
+diff --git a/pcre_jit_compile.c b/pcre_jit_compile.c
+index 3b83340..7dfe558 100644
+--- a/pcre_jit_compile.c
++++ b/pcre_jit_compile.c
+@@ -2696,10 +2696,10 @@ if (firstline)
+ {
+ SLJIT_ASSERT(common->first_line_end != 0);
+ OP1(SLJIT_MOV, TMP3, 0, STR_END, 0);
+- OP2(SLJIT_SUB, STR_END, 0, SLJIT_MEM1(SLJIT_LOCALS_REG), common->first_line_end, SLJIT_IMM, (location >> 1) - 1);
++ OP2(SLJIT_SUB, STR_END, 0, SLJIT_MEM1(SLJIT_LOCALS_REG), common->first_line_end, SLJIT_IMM, IN_UCHARS((location >> 1) - 1));
+ }
+ else
+- OP2(SLJIT_SUB, STR_END, 0, STR_END, 0, SLJIT_IMM, (location >> 1) - 1);
++ OP2(SLJIT_SUB, STR_END, 0, STR_END, 0, SLJIT_IMM, IN_UCHARS((location >> 1) - 1));
+
+ start = LABEL();
+ quit = CMP(SLJIT_C_GREATER_EQUAL, STR_PTR, 0, STR_END, 0);
+@@ -2728,7 +2728,7 @@ JUMPHERE(quit);
+ if (firstline)
+ OP1(SLJIT_MOV, STR_END, 0, TMP3, 0);
+ else
+- OP2(SLJIT_ADD, STR_END, 0, STR_END, 0, SLJIT_IMM, (location >> 1) - 1);
++ OP2(SLJIT_ADD, STR_END, 0, STR_END, 0, SLJIT_IMM, IN_UCHARS((location >> 1) - 1));
+ return TRUE;
+ }
+
+@@ -3577,7 +3577,7 @@ do
+ #endif
+
+ context->length -= IN_UCHARS(1);
+-#if defined SLJIT_UNALIGNED && SLJIT_UNALIGNED
++#if (defined SLJIT_UNALIGNED && SLJIT_UNALIGNED) && (defined COMPILE_PCRE8 || defined COMPILE_PCRE16)
+
+ /* Unaligned read is supported. */
+ if (othercasebit != 0 && othercasechar == cc)
+@@ -3594,27 +3594,18 @@ do
+
+ #if defined COMPILE_PCRE8
+ if (context->ucharptr >= 4 || context->length == 0 || (context->ucharptr == 2 && context->length == 1))
+-#elif defined COMPILE_PCRE16
++#else
+ if (context->ucharptr >= 2 || context->length == 0)
+-#elif defined COMPILE_PCRE32
+- if (1 /* context->ucharptr >= 1 || context->length == 0 */)
+ #endif
+ {
+-#if defined COMPILE_PCRE8 || defined COMPILE_PCRE16
+ if (context->length >= 4)
+ OP1(SLJIT_MOV_SI, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length);
+-#if defined COMPILE_PCRE8
+ else if (context->length >= 2)
+ OP1(SLJIT_MOV_UH, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length);
++#if defined COMPILE_PCRE8
+ else if (context->length >= 1)
+ OP1(SLJIT_MOV_UB, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length);
+-#elif defined COMPILE_PCRE16
+- else if (context->length >= 2)
+- OP1(SLJIT_MOV_UH, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length);
+-#endif /* COMPILE_PCRE[8|16] */
+-#elif defined COMPILE_PCRE32
+- OP1(MOV_UCHAR, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length);
+-#endif /* COMPILE_PCRE[8|16|32] */
++#endif /* COMPILE_PCRE8 */
+ context->sourcereg = context->sourcereg == TMP1 ? TMP2 : TMP1;
+
+ switch(context->ucharptr)
+@@ -3625,7 +3616,6 @@ do
+ add_jump(compiler, backtracks, CMP(SLJIT_C_NOT_EQUAL, context->sourcereg, 0, SLJIT_IMM, context->c.asint | context->oc.asint));
+ break;
+
+-#if defined COMPILE_PCRE8 || defined COMPILE_PCRE16
+ case 2 / sizeof(pcre_uchar):
+ if (context->oc.asushort != 0)
+ OP2(SLJIT_OR, context->sourcereg, 0, context->sourcereg, 0, SLJIT_IMM, context->oc.asushort);
+@@ -3640,8 +3630,6 @@ do
+ break;
+ #endif
+
+-#endif /* COMPILE_PCRE[8|16] */
+-
+ default:
+ SLJIT_ASSERT_STOP();
+ break;
+@@ -3651,8 +3639,8 @@ do
+
+ #else
+
+- /* Unaligned read is unsupported. */
+- if (context->length > 0)
++ /* Unaligned read is unsupported or in 32 bit mode. */
++ if (context->length >= 1)
+ OP1(MOV_UCHAR, context->sourcereg, 0, SLJIT_MEM1(STR_PTR), -context->length);
+
+ context->sourcereg = context->sourcereg == TMP1 ? TMP2 : TMP1;
+--
+1.8.1
+
diff --git a/pcre.spec b/pcre.spec
index b50fa9f..89a56ca 100644
--- a/pcre.spec
+++ b/pcre.spec
@@ -15,6 +15,8 @@ Patch0: pcre-8.21-multilib.patch
Patch1: pcre-8.32-refused_spelling_terminated.patch
# In upstream after 8.32
Patch2: pcre-8.32-Fix-forward-search-in-JIT-when-link-size-is-3-or-gre.patch
+# In upstream after 8.32
+Patch3: pcre-8.32-Fix-two-buffer-over-read-issues-in-16-and-32-bit-mod.patch
BuildRequires: readline-devel
# New libtool to get rid of rpath
BuildRequires: autoconf, automake, libtool
@@ -57,6 +59,7 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
%patch0 -p1 -b .multilib
%patch1 -p1 -b .terminated_typos
%patch2 -p1 -b .forward_jit
+%patch3 -p1 -b .buffer_over_read
# Because of rpath patch
libtoolize --copy --force && autoreconf -vif
# One contributor's name is non-UTF-8
@@ -122,6 +125,7 @@ make check
%changelog
* Mon Jan 28 2013 Petr Pisar <ppisar at redhat.com> - 8.32-4
- Fix forward search in JIT when link size is 3 or greater
+- Fix buffer over-read in UTF-16 and UTF-32 modes with JIT
* Fri Jan 25 2013 Peter Robinson <pbrobinson at fedoraproject.org> 8.32-3
- Adjust autoreconf to fix FTBFS on F-19
More information about the scm-commits
mailing list