erack pushed to icu (f22). "Resolves: rhbz#1190131 CVE-2014-7923 CVE-2014-7926 CVE-2014-9654"
notifications at fedoraproject.org
notifications at fedoraproject.org
Fri Apr 10 13:40:19 UTC 2015
>From 9270c935d93ca3c9c9f49bb5662677d3315a4822 Mon Sep 17 00:00:00 2001
From: Eike Rathke <erack at redhat.com>
Date: Fri, 10 Apr 2015 14:58:51 +0200
Subject: Resolves: rhbz#1190131 CVE-2014-7923 CVE-2014-7926 CVE-2014-9654
diff --git a/icu.changeset_36724.patch b/icu.changeset_36724.patch
new file mode 100644
index 0000000..82e0f21
--- /dev/null
+++ b/icu.changeset_36724.patch
@@ -0,0 +1,39 @@
+Index: icu/source/i18n/regexcmp.cpp
+===================================================================
+--- icu/source/i18n/regexcmp.cpp (revision 36723)
++++ icu/source/i18n/regexcmp.cpp (revision 36724)
+@@ -2136,4 +2136,8 @@
+ int32_t minML = minMatchLength(fMatchOpenParen, patEnd);
+ int32_t maxML = maxMatchLength(fMatchOpenParen, patEnd);
++ if (URX_TYPE(maxML) != 0) {
++ error(U_REGEX_LOOK_BEHIND_LIMIT);
++ break;
++ }
+ if (maxML == INT32_MAX) {
+ error(U_REGEX_LOOK_BEHIND_LIMIT);
+@@ -2169,4 +2173,8 @@
+ int32_t minML = minMatchLength(fMatchOpenParen, patEnd);
+ int32_t maxML = maxMatchLength(fMatchOpenParen, patEnd);
++ if (URX_TYPE(maxML) != 0) {
++ error(U_REGEX_LOOK_BEHIND_LIMIT);
++ break;
++ }
+ if (maxML == INT32_MAX) {
+ error(U_REGEX_LOOK_BEHIND_LIMIT);
+Index: icu/source/test/testdata/regextst.txt
+===================================================================
+--- icu/source/test/testdata/regextst.txt (revision 36723)
++++ icu/source/test/testdata/regextst.txt (revision 36724)
+@@ -1201,4 +1201,12 @@
+ "A|B|\U00012345" "hello <0>\U00012345</0>"
+ "A|B|\U00010000" "hello \ud800"
++
++# Bug 11370
++# Max match length computation of look-behind expression gives result that is too big to fit in the
++# in the 24 bit operand portion of the compiled code. Expressions should fail to compile
++# (Look-behind match length must be bounded. This case is treated as unbounded, an error.)
++
++"(?<!(0123456789a){10000000})x" E "no match"
++"(?<!\\ubeaf(\\ubeaf{11000}){11000})" E "no match"
+
+ # Random debugging, Temporary
diff --git a/icu.changeset_36727.patch b/icu.changeset_36727.patch
new file mode 100644
index 0000000..1b8e01e
--- /dev/null
+++ b/icu.changeset_36727.patch
@@ -0,0 +1,55 @@
+Index: icu/source/i18n/regexcmp.cpp
+===================================================================
+--- icu/source/i18n/regexcmp.cpp (revision 36726)
++++ icu/source/i18n/regexcmp.cpp (revision 36727)
+@@ -2340,5 +2340,13 @@
+ if (fIntervalUpper == 0) {
+ // Pathological case. Attempt no matches, as if the block doesn't exist.
++ // Discard the generated code for the block.
++ // If the block included parens, discard the info pertaining to them as well.
+ fRXPat->fCompiledPat->setSize(topOfBlock);
++ if (fMatchOpenParen >= topOfBlock) {
++ fMatchOpenParen = -1;
++ }
++ if (fMatchCloseParen >= topOfBlock) {
++ fMatchCloseParen = -1;
++ }
+ return TRUE;
+ }
+Index: icu/source/i18n/regexcmp.h
+===================================================================
+--- icu/source/i18n/regexcmp.h (revision 36726)
++++ icu/source/i18n/regexcmp.h (revision 36727)
+@@ -188,5 +188,7 @@
+ // of the slot reserved for a state save
+ // at the start of the most recently processed
+- // parenthesized block.
++ // parenthesized block. Updated when processing
++ // a close to the location for the corresponding open.
++
+ int32_t fMatchCloseParen; // The position in the pattern of the first
+ // location after the most recently processed
+Index: icu/source/test/testdata/regextst.txt
+===================================================================
+--- icu/source/test/testdata/regextst.txt (revision 36726)
++++ icu/source/test/testdata/regextst.txt (revision 36727)
+@@ -1202,4 +1202,13 @@
+ "A|B|\U00010000" "hello \ud800"
+
++# Bug 11369
++# Incorrect optimization of patterns with a zero length quantifier {0}
++
++"(.|b)(|b){0}\$(?#xxx){3}(?>\D*)" "AAAAABBBBBCCCCCDDDDEEEEE"
++"(|b)ab(c)" "<0><1></1>ab<2>c</2></0>"
++"(|b){0}a{3}(D*)" "<0>aaa<2></2></0>"
++"(|b){0,1}a{3}(D*)" "<0><1></1>aaa<2></2></0>"
++"((|b){0})a{3}(D*)" "<0><1></1>aaa<3></3></0>"
++
+ # Bug 11370
+ # Max match length computation of look-behind expression gives result that is too big to fit in the
+@@ -1209,4 +1218,5 @@
+ "(?<!(0123456789a){10000000})x" E "no match"
+ "(?<!\\ubeaf(\\ubeaf{11000}){11000})" E "no match"
++
+
+ # Random debugging, Temporary
diff --git a/icu.changeset_36801.patch b/icu.changeset_36801.patch
new file mode 100644
index 0000000..4a926d9
--- /dev/null
+++ b/icu.changeset_36801.patch
@@ -0,0 +1,1222 @@
+diff -ru icu/source/common/unicode/utypes.h icu/source/common/unicode/utypes.h
+--- icu/source/common/unicode/utypes.h 2014-10-03 18:11:02.000000000 +0200
++++ icu/source/common/unicode/utypes.h 2015-04-10 15:28:06.149993491 +0200
+@@ -647,6 +647,7 @@
+ U_REGEX_STACK_OVERFLOW, /**< Regular expression backtrack stack overflow. */
+ U_REGEX_TIME_OUT, /**< Maximum allowed match time exceeded */
+ U_REGEX_STOPPED_BY_CALLER, /**< Matching operation aborted by user callback fn. */
++ U_REGEX_PATTERN_TOO_BIG, /**< Pattern exceeds limits on size or complexity. @draft ICU 55 */
+ U_REGEX_ERROR_LIMIT, /**< This must always be the last value to indicate the limit for regexp errors */
+
+ /*
+diff -ru icu/source/common/utypes.c icu/source/common/utypes.c
+--- icu/source/common/utypes.c 2014-10-03 18:11:14.000000000 +0200
++++ icu/source/common/utypes.c 2015-04-10 15:28:06.149993491 +0200
+@@ -1,7 +1,7 @@
+ /*
+ ******************************************************************************
+ *
+-* Copyright (C) 1997-2011, International Business Machines
++* Copyright (C) 1997-2014, International Business Machines
+ * Corporation and others. All Rights Reserved.
+ *
+ ******************************************************************************
+@@ -165,7 +165,8 @@
+ "U_REGEX_INVALID_RANGE",
+ "U_REGEX_STACK_OVERFLOW",
+ "U_REGEX_TIME_OUT",
+- "U_REGEX_STOPPED_BY_CALLER"
++ "U_REGEX_STOPPED_BY_CALLER",
++ "U_REGEX_PATTERN_TOO_BIG"
+ };
+
+ static const char * const
+diff -ru icu/source/i18n/regexcmp.cpp icu/source/i18n/regexcmp.cpp
+--- icu/source/i18n/regexcmp.cpp 2015-04-10 15:27:31.369772849 +0200
++++ icu/source/i18n/regexcmp.cpp 2015-04-10 15:28:06.152993511 +0200
+@@ -301,7 +301,7 @@
+ // present in the saved state: the input string position (int64_t) and
+ // the position in the compiled pattern.
+ //
+- fRXPat->fFrameSize+=RESTACKFRAME_HDRCOUNT;
++ allocateStackData(RESTACKFRAME_HDRCOUNT);
+
+ //
+ // Optimization pass 1: NOPs, back-references, and case-folding
+@@ -367,9 +367,9 @@
+ // the start of an ( grouping.
+ //4 NOP Resreved, will be replaced by a save if there are
+ // OR | operators at the top level
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_STATE_SAVE, 2), *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_JMP, 3), *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_FAIL, 0), *fStatus);
++ appendOp(URX_STATE_SAVE, 2);
++ appendOp(URX_JMP, 3);
++ appendOp(URX_FAIL, 0);
+
+ // Standard open nonCapture paren action emits the two NOPs and
+ // sets up the paren stack frame.
+@@ -392,7 +392,7 @@
+ }
+
+ // add the END operation to the compiled pattern.
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_END, 0), *fStatus);
++ appendOp(URX_END, 0);
+
+ // Terminate the pattern compilation state machine.
+ returnVal = FALSE;
+@@ -414,14 +414,13 @@
+ int32_t savePosition = fParenStack.popi();
+ int32_t op = (int32_t)fRXPat->fCompiledPat->elementAti(savePosition);
+ U_ASSERT(URX_TYPE(op) == URX_NOP); // original contents of reserved location
+- op = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+1);
++ op = buildOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+1);
+ fRXPat->fCompiledPat->setElementAt(op, savePosition);
+
+ // Append an JMP operation into the compiled pattern. The operand for
+ // the JMP will eventually be the location following the ')' for the
+ // group. This will be patched in later, when the ')' is encountered.
+- op = URX_BUILD(URX_JMP, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_JMP, 0);
+
+ // Push the position of the newly added JMP op onto the parentheses stack.
+ // This registers if for fixup when this block's close paren is encountered.
+@@ -430,7 +429,7 @@
+ // Append a NOP to the compiled pattern. This is the slot reserved
+ // for a SAVE in the event that there is yet another '|' following
+ // this one.
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
++ appendOp(URX_NOP, 0);
+ fParenStack.push(fRXPat->fCompiledPat->size()-1, *fStatus);
+ }
+ break;
+@@ -456,12 +455,10 @@
+ // END_CAPTURE is encountered.
+ {
+ fixLiterals();
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
+- int32_t varsLoc = fRXPat->fFrameSize; // Reserve three slots in match stack frame.
+- fRXPat->fFrameSize += 3;
+- int32_t cop = URX_BUILD(URX_START_CAPTURE, varsLoc);
+- fRXPat->fCompiledPat->addElement(cop, *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
++ appendOp(URX_NOP, 0);
++ int32_t varsLoc = allocateStackData(3); // Reserve three slots in match stack frame.
++ appendOp(URX_START_CAPTURE, varsLoc);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+ // of the two NOPs. Depending on what follows in the pattern, the
+@@ -486,8 +483,8 @@
+ // is an '|' alternation within the parens.
+ {
+ fixLiterals();
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
++ appendOp(URX_NOP, 0);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+ // of the two NOPs.
+@@ -509,12 +506,10 @@
+ // is an '|' alternation within the parens.
+ {
+ fixLiterals();
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
+- int32_t varLoc = fRXPat->fDataSize; // Reserve a data location for saving the
+- fRXPat->fDataSize += 1; // state stack ptr.
+- int32_t stoOp = URX_BUILD(URX_STO_SP, varLoc);
+- fRXPat->fCompiledPat->addElement(stoOp, *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
++ appendOp(URX_NOP, 0);
++ int32_t varLoc = allocateData(1); // Reserve a data location for saving the state stack ptr.
++ appendOp(URX_STO_SP, varLoc);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+ // of the two NOPs. Depending on what follows in the pattern, the
+@@ -557,26 +552,14 @@
+ // Two data slots are reserved, for saving the stack ptr and the input position.
+ {
+ fixLiterals();
+- int32_t dataLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize += 2;
+- int32_t op = URX_BUILD(URX_LA_START, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+ 2);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_JMP, fRXPat->fCompiledPat->size()+ 3);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_LA_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_BACKTRACK, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_NOP, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ int32_t dataLoc = allocateData(2);
++ appendOp(URX_LA_START, dataLoc);
++ appendOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+ 2);
++ appendOp(URX_JMP, fRXPat->fCompiledPat->size()+ 3);
++ appendOp(URX_LA_END, dataLoc);
++ appendOp(URX_BACKTRACK, 0);
++ appendOp(URX_NOP, 0);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+ // of the NOPs.
+@@ -601,16 +584,10 @@
+ // an alternate (transparent) region.
+ {
+ fixLiterals();
+- int32_t dataLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize += 2;
+- int32_t op = URX_BUILD(URX_LA_START, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_STATE_SAVE, 0); // dest address will be patched later.
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_NOP, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ int32_t dataLoc = allocateData(2);
++ appendOp(URX_LA_START, dataLoc);
++ appendOp(URX_STATE_SAVE, 0); // dest address will be patched later.
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+ // of the StateSave and NOP.
+@@ -648,23 +625,19 @@
+ fixLiterals();
+
+ // Allocate data space
+- int32_t dataLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize += 4;
++ int32_t dataLoc = allocateData(4);
+
+ // Emit URX_LB_START
+- int32_t op = URX_BUILD(URX_LB_START, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LB_START, dataLoc);
+
+ // Emit URX_LB_CONT
+- op = URX_BUILD(URX_LB_CONT, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- fRXPat->fCompiledPat->addElement(0, *fStatus); // MinMatchLength. To be filled later.
+- fRXPat->fCompiledPat->addElement(0, *fStatus); // MaxMatchLength. To be filled later.
+-
+- // Emit the NOP
+- op = URX_BUILD(URX_NOP, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LB_CONT, dataLoc);
++ appendOp(URX_RESERVED_OP, 0); // MinMatchLength. To be filled later.
++ appendOp(URX_RESERVED_OP, 0); // MaxMatchLength. To be filled later.
++
++ // Emit the NOPs
++ appendOp(URX_NOP, 0);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+ // of the URX_LB_CONT and the NOP.
+@@ -704,24 +677,20 @@
+ fixLiterals();
+
+ // Allocate data space
+- int32_t dataLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize += 4;
++ int32_t dataLoc = allocateData(4);
+
+ // Emit URX_LB_START
+- int32_t op = URX_BUILD(URX_LB_START, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LB_START, dataLoc);
+
+ // Emit URX_LBN_CONT
+- op = URX_BUILD(URX_LBN_CONT, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- fRXPat->fCompiledPat->addElement(0, *fStatus); // MinMatchLength. To be filled later.
+- fRXPat->fCompiledPat->addElement(0, *fStatus); // MaxMatchLength. To be filled later.
+- fRXPat->fCompiledPat->addElement(0, *fStatus); // Continue Loc. To be filled later.
+-
+- // Emit the NOP
+- op = URX_BUILD(URX_NOP, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LBN_CONT, dataLoc);
++ appendOp(URX_RESERVED_OP, 0); // MinMatchLength. To be filled later.
++ appendOp(URX_RESERVED_OP, 0); // MaxMatchLength. To be filled later.
++ appendOp(URX_RESERVED_OP, 0); // Continue Loc. To be filled later.
++
++ // Emit the NOPs
++ appendOp(URX_NOP, 0);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+ // of the URX_LB_CONT and the NOP.
+@@ -791,12 +760,9 @@
+
+ if (URX_TYPE(repeatedOp) == URX_SETREF) {
+ // Emit optimized code for [char set]+
+- int32_t loopOpI = URX_BUILD(URX_LOOP_SR_I, URX_VAL(repeatedOp));
+- fRXPat->fCompiledPat->addElement(loopOpI, *fStatus);
+- frameLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
+- int32_t loopOpC = URX_BUILD(URX_LOOP_C, frameLoc);
+- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus);
++ appendOp(URX_LOOP_SR_I, URX_VAL(repeatedOp));
++ frameLoc = allocateStackData(1);
++ appendOp(URX_LOOP_C, frameLoc);
+ break;
+ }
+
+@@ -804,7 +770,7 @@
+ URX_TYPE(repeatedOp) == URX_DOTANY_ALL ||
+ URX_TYPE(repeatedOp) == URX_DOTANY_UNIX) {
+ // Emit Optimized code for .+ operations.
+- int32_t loopOpI = URX_BUILD(URX_LOOP_DOT_I, 0);
++ int32_t loopOpI = buildOp(URX_LOOP_DOT_I, 0);
+ if (URX_TYPE(repeatedOp) == URX_DOTANY_ALL) {
+ // URX_LOOP_DOT_I operand is a flag indicating ". matches any" mode.
+ loopOpI |= 1;
+@@ -812,11 +778,9 @@
+ if (fModeFlags & UREGEX_UNIX_LINES) {
+ loopOpI |= 2;
+ }
+- fRXPat->fCompiledPat->addElement(loopOpI, *fStatus);
+- frameLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
+- int32_t loopOpC = URX_BUILD(URX_LOOP_C, frameLoc);
+- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus);
++ appendOp(loopOpI);
++ frameLoc = allocateStackData(1);
++ appendOp(URX_LOOP_C, frameLoc);
+ break;
+ }
+
+@@ -830,18 +794,15 @@
+ // Zero length match is possible.
+ // Emit the code sequence that can handle it.
+ insertOp(topLoc);
+- frameLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
++ frameLoc = allocateStackData(1);
+
+- int32_t op = URX_BUILD(URX_STO_INP_LOC, frameLoc);
++ int32_t op = buildOp(URX_STO_INP_LOC, frameLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc);
+
+- op = URX_BUILD(URX_JMP_SAV_X, topLoc+1);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_JMP_SAV_X, topLoc+1);
+ } else {
+ // Simpler code when the repeated body must match something non-empty
+- int32_t jmpOp = URX_BUILD(URX_JMP_SAV, topLoc);
+- fRXPat->fCompiledPat->addElement(jmpOp, *fStatus);
++ appendOp(URX_JMP_SAV, topLoc);
+ }
+ }
+ break;
+@@ -853,8 +814,7 @@
+ // 3. ...
+ {
+ int32_t topLoc = blockTopLoc(FALSE);
+- int32_t saveStateOp = URX_BUILD(URX_STATE_SAVE, topLoc);
+- fRXPat->fCompiledPat->addElement(saveStateOp, *fStatus);
++ appendOp(URX_STATE_SAVE, topLoc);
+ }
+ break;
+
+@@ -868,7 +828,7 @@
+ // Insert the state save into the compiled pattern, and we're done.
+ {
+ int32_t saveStateLoc = blockTopLoc(TRUE);
+- int32_t saveStateOp = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size());
++ int32_t saveStateOp = buildOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size());
+ fRXPat->fCompiledPat->setElementAt(saveStateOp, saveStateLoc);
+ }
+ break;
+@@ -887,14 +847,12 @@
+ int32_t jmp1_loc = blockTopLoc(TRUE);
+ int32_t jmp2_loc = fRXPat->fCompiledPat->size();
+
+- int32_t jmp1_op = URX_BUILD(URX_JMP, jmp2_loc+1);
++ int32_t jmp1_op = buildOp(URX_JMP, jmp2_loc+1);
+ fRXPat->fCompiledPat->setElementAt(jmp1_op, jmp1_loc);
+
+- int32_t jmp2_op = URX_BUILD(URX_JMP, jmp2_loc+2);
+- fRXPat->fCompiledPat->addElement(jmp2_op, *fStatus);
++ appendOp(URX_JMP, jmp2_loc+2);
+
+- int32_t save_op = URX_BUILD(URX_STATE_SAVE, jmp1_loc+1);
+- fRXPat->fCompiledPat->addElement(save_op, *fStatus);
++ appendOp(URX_STATE_SAVE, jmp1_loc+1);
+ }
+ break;
+
+@@ -934,12 +892,10 @@
+
+ if (URX_TYPE(repeatedOp) == URX_SETREF) {
+ // Emit optimized code for a [char set]*
+- int32_t loopOpI = URX_BUILD(URX_LOOP_SR_I, URX_VAL(repeatedOp));
++ int32_t loopOpI = buildOp(URX_LOOP_SR_I, URX_VAL(repeatedOp));
+ fRXPat->fCompiledPat->setElementAt(loopOpI, topLoc);
+- dataLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
+- int32_t loopOpC = URX_BUILD(URX_LOOP_C, dataLoc);
+- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus);
++ dataLoc = allocateStackData(1);
++ appendOp(URX_LOOP_C, dataLoc);
+ break;
+ }
+
+@@ -947,7 +903,7 @@
+ URX_TYPE(repeatedOp) == URX_DOTANY_ALL ||
+ URX_TYPE(repeatedOp) == URX_DOTANY_UNIX) {
+ // Emit Optimized code for .* operations.
+- int32_t loopOpI = URX_BUILD(URX_LOOP_DOT_I, 0);
++ int32_t loopOpI = buildOp(URX_LOOP_DOT_I, 0);
+ if (URX_TYPE(repeatedOp) == URX_DOTANY_ALL) {
+ // URX_LOOP_DOT_I operand is a flag indicating . matches any mode.
+ loopOpI |= 1;
+@@ -956,10 +912,8 @@
+ loopOpI |= 2;
+ }
+ fRXPat->fCompiledPat->setElementAt(loopOpI, topLoc);
+- dataLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
+- int32_t loopOpC = URX_BUILD(URX_LOOP_C, dataLoc);
+- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus);
++ dataLoc = allocateStackData(1);
++ appendOp(URX_LOOP_C, dataLoc);
+ break;
+ }
+ }
+@@ -968,30 +922,29 @@
+ // The optimizations did not apply.
+
+ int32_t saveStateLoc = blockTopLoc(TRUE);
+- int32_t jmpOp = URX_BUILD(URX_JMP_SAV, saveStateLoc+1);
++ int32_t jmpOp = buildOp(URX_JMP_SAV, saveStateLoc+1);
+
+ // Check for minimum match length of zero, which requires
+ // extra loop-breaking code.
+ if (minMatchLength(saveStateLoc, fRXPat->fCompiledPat->size()-1) == 0) {
+ insertOp(saveStateLoc);
+- dataLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
++ dataLoc = allocateStackData(1);
+
+- int32_t op = URX_BUILD(URX_STO_INP_LOC, dataLoc);
++ int32_t op = buildOp(URX_STO_INP_LOC, dataLoc);
+ fRXPat->fCompiledPat->setElementAt(op, saveStateLoc+1);
+- jmpOp = URX_BUILD(URX_JMP_SAV_X, saveStateLoc+2);
++ jmpOp = buildOp(URX_JMP_SAV_X, saveStateLoc+2);
+ }
+
+ // Locate the position in the compiled pattern where the match will continue
+ // after completing the *. (4 or 5 in the comment above)
+ int32_t continueLoc = fRXPat->fCompiledPat->size()+1;
+
+- // Put together the save state op store it into the compiled code.
+- int32_t saveStateOp = URX_BUILD(URX_STATE_SAVE, continueLoc);
++ // Put together the save state op and store it into the compiled code.
++ int32_t saveStateOp = buildOp(URX_STATE_SAVE, continueLoc);
+ fRXPat->fCompiledPat->setElementAt(saveStateOp, saveStateLoc);
+
+ // Append the URX_JMP_SAV or URX_JMPX operation to the compiled pattern.
+- fRXPat->fCompiledPat->addElement(jmpOp, *fStatus);
++ appendOp(jmpOp);
+ }
+ break;
+
+@@ -1005,10 +958,9 @@
+ {
+ int32_t jmpLoc = blockTopLoc(TRUE); // loc 1.
+ int32_t saveLoc = fRXPat->fCompiledPat->size(); // loc 3.
+- int32_t jmpOp = URX_BUILD(URX_JMP, saveLoc);
+- int32_t stateSaveOp = URX_BUILD(URX_STATE_SAVE, jmpLoc+1);
++ int32_t jmpOp = buildOp(URX_JMP, saveLoc);
+ fRXPat->fCompiledPat->setElementAt(jmpOp, jmpLoc);
+- fRXPat->fCompiledPat->addElement(stateSaveOp, *fStatus);
++ appendOp(URX_STATE_SAVE, jmpLoc+1);
+ }
+ break;
+
+@@ -1077,9 +1029,9 @@
+
+ // First the STO_SP before the start of the loop
+ insertOp(topLoc);
+- int32_t varLoc = fRXPat->fDataSize; // Reserve a data location for saving the
+- fRXPat->fDataSize += 1; // state stack ptr.
+- int32_t op = URX_BUILD(URX_STO_SP, varLoc);
++
++ int32_t varLoc = allocateData(1); // Reserve a data location for saving the
++ int32_t op = buildOp(URX_STO_SP, varLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc);
+
+ int32_t loopOp = (int32_t)fRXPat->fCompiledPat->popi();
+@@ -1088,8 +1040,7 @@
+ fRXPat->fCompiledPat->push(loopOp, *fStatus);
+
+ // Then the LD_SP after the end of the loop
+- op = URX_BUILD(URX_LD_SP, varLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LD_SP, varLoc);
+ }
+
+ break;
+@@ -1125,55 +1076,49 @@
+ // scanned a ".", match any single character.
+ {
+ fixLiterals(FALSE);
+- int32_t op;
+ if (fModeFlags & UREGEX_DOTALL) {
+- op = URX_BUILD(URX_DOTANY_ALL, 0);
++ appendOp(URX_DOTANY_ALL, 0);
+ } else if (fModeFlags & UREGEX_UNIX_LINES) {
+- op = URX_BUILD(URX_DOTANY_UNIX, 0);
++ appendOp(URX_DOTANY_UNIX, 0);
+ } else {
+- op = URX_BUILD(URX_DOTANY, 0);
++ appendOp(URX_DOTANY, 0);
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+ }
+ break;
+
+ case doCaret:
+ {
+ fixLiterals(FALSE);
+- int32_t op = 0;
+ if ( (fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) {
+- op = URX_CARET;
++ appendOp(URX_CARET, 0);
+ } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) {
+- op = URX_CARET_M;
++ appendOp(URX_CARET_M, 0);
+ } else if ((fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) {
+- op = URX_CARET; // Only testing true start of input.
++ appendOp(URX_CARET, 0); // Only testing true start of input.
+ } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) {
+- op = URX_CARET_M_UNIX;
++ appendOp(URX_CARET_M_UNIX, 0);
+ }
+- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 0), *fStatus);
+ }
+ break;
+
+ case doDollar:
+ {
+ fixLiterals(FALSE);
+- int32_t op = 0;
+ if ( (fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) {
+- op = URX_DOLLAR;
++ appendOp(URX_DOLLAR, 0);
+ } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) {
+- op = URX_DOLLAR_M;
++ appendOp(URX_DOLLAR_M, 0);
+ } else if ((fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) {
+- op = URX_DOLLAR_D;
++ appendOp(URX_DOLLAR_D, 0);
+ } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) {
+- op = URX_DOLLAR_MD;
++ appendOp(URX_DOLLAR_MD, 0);
+ }
+- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 0), *fStatus);
+ }
+ break;
+
+ case doBackslashA:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_CARET, 0), *fStatus);
++ appendOp(URX_CARET, 0);
+ break;
+
+ case doBackslashB:
+@@ -1185,7 +1130,7 @@
+ #endif
+ fixLiterals(FALSE);
+ int32_t op = (fModeFlags & UREGEX_UWORD)? URX_BACKSLASH_BU : URX_BACKSLASH_B;
+- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 1), *fStatus);
++ appendOp(op, 1);
+ }
+ break;
+
+@@ -1198,63 +1143,59 @@
+ #endif
+ fixLiterals(FALSE);
+ int32_t op = (fModeFlags & UREGEX_UWORD)? URX_BACKSLASH_BU : URX_BACKSLASH_B;
+- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 0), *fStatus);
++ appendOp(op, 0);
+ }
+ break;
+
+ case doBackslashD:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_D, 1), *fStatus);
++ appendOp(URX_BACKSLASH_D, 1);
+ break;
+
+ case doBackslashd:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_D, 0), *fStatus);
++ appendOp(URX_BACKSLASH_D, 0);
+ break;
+
+ case doBackslashG:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_G, 0), *fStatus);
++ appendOp(URX_BACKSLASH_G, 0);
+ break;
+
+ case doBackslashS:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(
+- URX_BUILD(URX_STAT_SETREF_N, URX_ISSPACE_SET), *fStatus);
++ appendOp(URX_STAT_SETREF_N, URX_ISSPACE_SET);
+ break;
+
+ case doBackslashs:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(
+- URX_BUILD(URX_STATIC_SETREF, URX_ISSPACE_SET), *fStatus);
++ appendOp(URX_STATIC_SETREF, URX_ISSPACE_SET);
+ break;
+
+ case doBackslashW:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(
+- URX_BUILD(URX_STAT_SETREF_N, URX_ISWORD_SET), *fStatus);
++ appendOp(URX_STAT_SETREF_N, URX_ISWORD_SET);
+ break;
+
+ case doBackslashw:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(
+- URX_BUILD(URX_STATIC_SETREF, URX_ISWORD_SET), *fStatus);
++ appendOp(URX_STATIC_SETREF, URX_ISWORD_SET);
+ break;
+
+ case doBackslashX:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_X, 0), *fStatus);
++ appendOp(URX_BACKSLASH_X, 0);
+ break;
+
+
+ case doBackslashZ:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_DOLLAR, 0), *fStatus);
++ appendOp(URX_DOLLAR, 0);
+ break;
+
+ case doBackslashz:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_Z, 0), *fStatus);
++ appendOp(URX_BACKSLASH_Z, 0);
+ break;
+
+ case doEscapeError:
+@@ -1314,13 +1255,11 @@
+ U_ASSERT(groupNum > 0); // Shouldn't happen. '\0' begins an octal escape sequence,
+ // and shouldn't enter this code path at all.
+ fixLiterals(FALSE);
+- int32_t op;
+ if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
+- op = URX_BUILD(URX_BACKREF_I, groupNum);
++ appendOp(URX_BACKREF_I, groupNum);
+ } else {
+- op = URX_BUILD(URX_BACKREF, groupNum);
++ appendOp(URX_BACKREF, groupNum);
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+ }
+ break;
+
+@@ -1341,22 +1280,18 @@
+ {
+ // Emit the STO_SP
+ int32_t topLoc = blockTopLoc(TRUE);
+- int32_t stoLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize++; // Reserve the data location for storing save stack ptr.
+- int32_t op = URX_BUILD(URX_STO_SP, stoLoc);
++ int32_t stoLoc = allocateData(1); // Reserve the data location for storing save stack ptr.
++ int32_t op = buildOp(URX_STO_SP, stoLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc);
+
+ // Emit the STATE_SAVE
+- op = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+2);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+2);
+
+ // Emit the JMP
+- op = URX_BUILD(URX_JMP, topLoc+1);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_JMP, topLoc+1);
+
+ // Emit the LD_SP
+- op = URX_BUILD(URX_LD_SP, stoLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LD_SP, stoLoc);
+ }
+ break;
+
+@@ -1376,23 +1311,20 @@
+ insertOp(topLoc);
+
+ // emit STO_SP loc
+- int32_t stoLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize++; // Reserve the data location for storing save stack ptr.
+- int32_t op = URX_BUILD(URX_STO_SP, stoLoc);
++ int32_t stoLoc = allocateData(1); // Reserve the data location for storing save stack ptr.
++ int32_t op = buildOp(URX_STO_SP, stoLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc);
+
+ // Emit the SAVE_STATE 5
+ int32_t L7 = fRXPat->fCompiledPat->size()+1;
+- op = URX_BUILD(URX_STATE_SAVE, L7);
++ op = buildOp(URX_STATE_SAVE, L7);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc+1);
+
+ // Append the JMP operation.
+- op = URX_BUILD(URX_JMP, topLoc+1);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_JMP, topLoc+1);
+
+ // Emit the LD_SP loc
+- op = URX_BUILD(URX_LD_SP, stoLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LD_SP, stoLoc);
+ }
+ break;
+
+@@ -1411,19 +1343,17 @@
+ insertOp(topLoc);
+
+ // Emit the STO_SP
+- int32_t stoLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize++; // Reserve the data location for storing save stack ptr.
+- int32_t op = URX_BUILD(URX_STO_SP, stoLoc);
++ int32_t stoLoc = allocateData(1); // Reserve the data location for storing save stack ptr.
++ int32_t op = buildOp(URX_STO_SP, stoLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc);
+
+ // Emit the SAVE_STATE
+ int32_t continueLoc = fRXPat->fCompiledPat->size()+1;
+- op = URX_BUILD(URX_STATE_SAVE, continueLoc);
++ op = buildOp(URX_STATE_SAVE, continueLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc+1);
+
+ // Emit the LD_SP
+- op = URX_BUILD(URX_LD_SP, stoLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LD_SP, stoLoc);
+ }
+ break;
+
+@@ -1480,8 +1410,8 @@
+ // is an '|' alternation within the parens.
+ {
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
++ appendOp(URX_NOP, 0);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+ // of the two NOPs (a normal non-capturing () frame, except for the
+@@ -1818,7 +1748,6 @@
+ //
+ //------------------------------------------------------------------------------
+ void RegexCompile::fixLiterals(UBool split) {
+- int32_t op = 0; // An op from/for the compiled pattern.
+
+ // If no literal characters have been scanned but not yet had code generated
+ // for them, nothing needs to be done.
+@@ -1857,23 +1786,23 @@
+ // Single character, emit a URX_ONECHAR op to match it.
+ if ((fModeFlags & UREGEX_CASE_INSENSITIVE) &&
+ u_hasBinaryProperty(lastCodePoint, UCHAR_CASE_SENSITIVE)) {
+- op = URX_BUILD(URX_ONECHAR_I, lastCodePoint);
++ appendOp(URX_ONECHAR_I, lastCodePoint);
+ } else {
+- op = URX_BUILD(URX_ONECHAR, lastCodePoint);
++ appendOp(URX_ONECHAR, lastCodePoint);
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+ } else {
+ // Two or more chars, emit a URX_STRING to match them.
++ if (fLiteralChars.length() > 0x00ffffff || fRXPat->fLiteralText.length() > 0x00ffffff) {
++ error(U_REGEX_PATTERN_TOO_BIG);
++ }
+ if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
+- op = URX_BUILD(URX_STRING_I, fRXPat->fLiteralText.length());
++ appendOp(URX_STRING_I, fRXPat->fLiteralText.length());
+ } else {
+ // TODO here: add optimization to split case sensitive strings of length two
+ // into two single char ops, for efficiency.
+- op = URX_BUILD(URX_STRING, fRXPat->fLiteralText.length());
++ appendOp(URX_STRING, fRXPat->fLiteralText.length());
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- op = URX_BUILD(URX_STRING_LEN, fLiteralChars.length());
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_STRING_LEN, fLiteralChars.length());
+
+ // Add this string into the accumulated strings of the compiled pattern.
+ fRXPat->fLiteralText.append(fLiteralChars);
+@@ -1883,8 +1812,58 @@
+ }
+
+
++int32_t RegexCompile::buildOp(int32_t type, int32_t val) {
++ if (U_FAILURE(*fStatus)) {
++ return 0;
++ }
++ if (type < 0 || type > 255) {
++ U_ASSERT(FALSE);
++ error(U_REGEX_INTERNAL_ERROR);
++ type = URX_RESERVED_OP;
++ }
++ if (val > 0x00ffffff) {
++ U_ASSERT(FALSE);
++ error(U_REGEX_INTERNAL_ERROR);
++ val = 0;
++ }
++ if (val < 0) {
++ if (!(type == URX_RESERVED_OP_N || type == URX_RESERVED_OP)) {
++ U_ASSERT(FALSE);
++ error(U_REGEX_INTERNAL_ERROR);
++ return -1;
++ }
++ if (URX_TYPE(val) != 0xff) {
++ U_ASSERT(FALSE);
++ error(U_REGEX_INTERNAL_ERROR);
++ return -1;
++ }
++ type = URX_RESERVED_OP_N;
++ }
++ return (type << 24) | val;
++}
++
+
++//------------------------------------------------------------------------------
++//
++// appendOp() Append a new instruction onto the compiled pattern
++// Includes error checking, limiting the size of the
++// pattern to lengths that can be represented in the
++// 24 bit operand field of an instruction.
++//
++//------------------------------------------------------------------------------
++void RegexCompile::appendOp(int32_t op) {
++ if (U_FAILURE(*fStatus)) {
++ return;
++ }
++ fRXPat->fCompiledPat->addElement(op, *fStatus);
++ if ((fRXPat->fCompiledPat->size() > 0x00fffff0) && U_SUCCESS(*fStatus)) {
++ error(U_REGEX_PATTERN_TOO_BIG);
++ }
++}
+
++void RegexCompile::appendOp(int32_t type, int32_t val) {
++ appendOp(buildOp(type, val));
++}
+
+
+ //------------------------------------------------------------------------------
+@@ -1900,7 +1879,7 @@
+ UVector64 *code = fRXPat->fCompiledPat;
+ U_ASSERT(where>0 && where < code->size());
+
+- int32_t nop = URX_BUILD(URX_NOP, 0);
++ int32_t nop = buildOp(URX_NOP, 0);
+ code->insertElementAt(nop, where, *fStatus);
+
+ // Walk through the pattern, looking for any ops with targets that
+@@ -1921,7 +1900,7 @@
+ // Target location for this opcode is after the insertion point and
+ // needs to be incremented to adjust for the insertion.
+ opValue++;
+- op = URX_BUILD(opType, opValue);
++ op = buildOp(opType, opValue);
+ code->setElementAt(op, loc);
+ }
+ }
+@@ -1946,6 +1925,58 @@
+ }
+
+
++//------------------------------------------------------------------------------
++//
++// allocateData() Allocate storage in the matcher's static data area.
++// Return the index for the newly allocated data.
++// The storage won't actually exist until we are running a match
++// operation, but the storage indexes are inserted into various
++// opcodes while compiling the pattern.
++//
++//------------------------------------------------------------------------------
++int32_t RegexCompile::allocateData(int32_t size) {
++ if (U_FAILURE(*fStatus)) {
++ return 0;
++ }
++ if (size <= 0 || size > 0x100 || fRXPat->fDataSize < 0) {
++ error(U_REGEX_INTERNAL_ERROR);
++ return 0;
++ }
++ int32_t dataIndex = fRXPat->fDataSize;
++ fRXPat->fDataSize += size;
++ if (fRXPat->fDataSize >= 0x00fffff0) {
++ error(U_REGEX_INTERNAL_ERROR);
++ }
++ return dataIndex;
++}
++
++
++//------------------------------------------------------------------------------
++//
++// allocateStackData() Allocate space in the back-tracking stack frame.
++// Return the index for the newly allocated data.
++// The frame indexes are inserted into various
++// opcodes while compiling the pattern, meaning that frame
++// size must be restricted to the size that will fit
++// as an operand (24 bits).
++//
++//------------------------------------------------------------------------------
++int32_t RegexCompile::allocateStackData(int32_t size) {
++ if (U_FAILURE(*fStatus)) {
++ return 0;
++ }
++ if (size <= 0 || size > 0x100 || fRXPat->fFrameSize < 0) {
++ error(U_REGEX_INTERNAL_ERROR);
++ return 0;
++ }
++ int32_t dataIndex = fRXPat->fFrameSize;
++ fRXPat->fFrameSize += size;
++ if (fRXPat->fFrameSize >= 0x00fffff0) {
++ error(U_REGEX_PATTERN_TOO_BIG);
++ }
++ return dataIndex;
++}
++
+
+ //------------------------------------------------------------------------------
+ //
+@@ -1988,7 +2019,7 @@
+ theLoc--;
+ }
+ if (reserveLoc) {
+- int32_t nop = URX_BUILD(URX_NOP, 0);
++ int32_t nop = buildOp(URX_NOP, 0);
+ fRXPat->fCompiledPat->insertElementAt(nop, theLoc, *fStatus);
+ }
+ }
+@@ -2063,8 +2094,7 @@
+ U_ASSERT(URX_TYPE(captureOp) == URX_START_CAPTURE);
+
+ int32_t frameVarLocation = URX_VAL(captureOp);
+- int32_t endCaptureOp = URX_BUILD(URX_END_CAPTURE, frameVarLocation);
+- fRXPat->fCompiledPat->addElement(endCaptureOp, *fStatus);
++ appendOp(URX_END_CAPTURE, frameVarLocation);
+ }
+ break;
+ case atomic:
+@@ -2075,8 +2105,7 @@
+ int32_t stoOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen+1);
+ U_ASSERT(URX_TYPE(stoOp) == URX_STO_SP);
+ int32_t stoLoc = URX_VAL(stoOp);
+- int32_t ldOp = URX_BUILD(URX_LD_SP, stoLoc);
+- fRXPat->fCompiledPat->addElement(ldOp, *fStatus);
++ appendOp(URX_LD_SP, stoLoc);
+ }
+ break;
+
+@@ -2085,8 +2114,7 @@
+ int32_t startOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen-5);
+ U_ASSERT(URX_TYPE(startOp) == URX_LA_START);
+ int32_t dataLoc = URX_VAL(startOp);
+- int32_t op = URX_BUILD(URX_LA_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LA_END, dataLoc);
+ }
+ break;
+
+@@ -2096,19 +2124,16 @@
+ int32_t startOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen-1);
+ U_ASSERT(URX_TYPE(startOp) == URX_LA_START);
+ int32_t dataLoc = URX_VAL(startOp);
+- int32_t op = URX_BUILD(URX_LA_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- op = URX_BUILD(URX_BACKTRACK, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- op = URX_BUILD(URX_LA_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LA_END, dataLoc);
++ appendOp(URX_BACKTRACK, 0);
++ appendOp(URX_LA_END, dataLoc);
+
+ // Patch the URX_SAVE near the top of the block.
+ // The destination of the SAVE is the final LA_END that was just added.
+ int32_t saveOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen);
+ U_ASSERT(URX_TYPE(saveOp) == URX_STATE_SAVE);
+ int32_t dest = fRXPat->fCompiledPat->size()-1;
+- saveOp = URX_BUILD(URX_STATE_SAVE, dest);
++ saveOp = buildOp(URX_STATE_SAVE, dest);
+ fRXPat->fCompiledPat->setElementAt(saveOp, fMatchOpenParen);
+ }
+ break;
+@@ -2121,10 +2146,8 @@
+ int32_t startOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen-4);
+ U_ASSERT(URX_TYPE(startOp) == URX_LB_START);
+ int32_t dataLoc = URX_VAL(startOp);
+- int32_t op = URX_BUILD(URX_LB_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- op = URX_BUILD(URX_LA_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LB_END, dataLoc);
++ appendOp(URX_LA_END, dataLoc);
+
+ // Determine the min and max bounds for the length of the
+ // string that the pattern can match.
+@@ -2160,8 +2183,7 @@
+ int32_t startOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen-5);
+ U_ASSERT(URX_TYPE(startOp) == URX_LB_START);
+ int32_t dataLoc = URX_VAL(startOp);
+- int32_t op = URX_BUILD(URX_LBN_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LBN_END, dataLoc);
+
+ // Determine the min and max bounds for the length of the
+ // string that the pattern can match.
+@@ -2186,7 +2208,7 @@
+
+ // Insert the pattern location to continue at after a successful match
+ // as the last operand of the URX_LBN_CONT
+- op = URX_BUILD(URX_RELOC_OPRND, fRXPat->fCompiledPat->size());
++ int32_t op = buildOp(URX_RELOC_OPRND, fRXPat->fCompiledPat->size());
+ fRXPat->fCompiledPat->setElementAt(op, fMatchOpenParen-1);
+ }
+ break;
+@@ -2227,7 +2249,7 @@
+ case 0:
+ {
+ // Set of no elements. Always fails to match.
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKTRACK, 0), *fStatus);
++ appendOp(URX_BACKTRACK, 0);
+ delete theSet;
+ }
+ break;
+@@ -2248,8 +2270,7 @@
+ // Put it into the compiled pattern as a set.
+ int32_t setNumber = fRXPat->fSets->size();
+ fRXPat->fSets->addElement(theSet, *fStatus);
+- int32_t setOp = URX_BUILD(URX_SETREF, setNumber);
+- fRXPat->fCompiledPat->addElement(setOp, *fStatus);
++ appendOp(URX_SETREF, setNumber);
+ }
+ }
+ }
+@@ -2288,13 +2309,10 @@
+ // counterLoc --> Loop counter
+ // +1 --> Input index (for breaking non-progressing loops)
+ // (Only present if unbounded upper limit on loop)
+- int32_t counterLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
+- if (fIntervalUpper < 0) {
+- fRXPat->fFrameSize++;
+- }
++ int32_t dataSize = fIntervalUpper < 0 ? 2 : 1;
++ int32_t counterLoc = allocateStackData(dataSize);
+
+- int32_t op = URX_BUILD(InitOp, counterLoc);
++ int32_t op = buildOp(InitOp, counterLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topOfBlock);
+
+ // The second operand of CTR_INIT is the location following the end of the loop.
+@@ -2302,7 +2320,7 @@
+ // compilation of something later on causes the code to grow and the target
+ // position to move.
+ int32_t loopEnd = fRXPat->fCompiledPat->size();
+- op = URX_BUILD(URX_RELOC_OPRND, loopEnd);
++ op = buildOp(URX_RELOC_OPRND, loopEnd);
+ fRXPat->fCompiledPat->setElementAt(op, topOfBlock+1);
+
+ // Followed by the min and max counts.
+@@ -2311,8 +2329,7 @@
+
+ // Apend the CTR_LOOP op. The operand is the location of the CTR_INIT op.
+ // Goes at end of the block being looped over, so just append to the code so far.
+- op = URX_BUILD(LoopOp, topOfBlock);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(LoopOp, topOfBlock);
+
+ if ((fIntervalLow & 0xff000000) != 0 ||
+ (fIntervalUpper > 0 && (fIntervalUpper & 0xff000000) != 0)) {
+@@ -2365,7 +2382,7 @@
+ //
+ int32_t endOfSequenceLoc = fRXPat->fCompiledPat->size()-1
+ + fIntervalUpper + (fIntervalUpper-fIntervalLow);
+- int32_t saveOp = URX_BUILD(URX_STATE_SAVE, endOfSequenceLoc);
++ int32_t saveOp = buildOp(URX_STATE_SAVE, endOfSequenceLoc);
+ if (fIntervalLow == 0) {
+ insertOp(topOfBlock);
+ fRXPat->fCompiledPat->setElementAt(saveOp, topOfBlock);
+@@ -2378,13 +2395,10 @@
+ // it was put there when it was originally encountered.
+ int32_t i;
+ for (i=1; i<fIntervalUpper; i++ ) {
+- if (i == fIntervalLow) {
+- fRXPat->fCompiledPat->addElement(saveOp, *fStatus);
+- }
+- if (i > fIntervalLow) {
+- fRXPat->fCompiledPat->addElement(saveOp, *fStatus);
++ if (i >= fIntervalLow) {
++ appendOp(saveOp);
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(op);
+ }
+ return TRUE;
+ }
+@@ -3603,7 +3617,7 @@
+ int32_t operandAddress = URX_VAL(op);
+ U_ASSERT(operandAddress>=0 && operandAddress<deltas.size());
+ int32_t fixedOperandAddress = operandAddress - deltas.elementAti(operandAddress);
+- op = URX_BUILD(opType, fixedOperandAddress);
++ op = buildOp(opType, fixedOperandAddress);
+ fRXPat->fCompiledPat->setElementAt(op, dst);
+ dst++;
+ break;
+@@ -3618,7 +3632,7 @@
+ break;
+ }
+ where = fRXPat->fGroupMap->elementAti(where-1);
+- op = URX_BUILD(opType, where);
++ op = buildOp(opType, where);
+ fRXPat->fCompiledPat->setElementAt(op, dst);
+ dst++;
+
+@@ -3970,7 +3984,7 @@
+ //------------------------------------------------------------------------------
+ //
+ // scanNamedChar
+- // Get a UChar32 from a \N{UNICODE CHARACTER NAME} in the pattern.
++// Get a UChar32 from a \N{UNICODE CHARACTER NAME} in the pattern.
+ //
+ // The scan position will be at the 'N'. On return
+ // the scan position should be just after the '}'
+diff -ru icu/source/i18n/regexcmp.h icu/source/i18n/regexcmp.h
+--- icu/source/i18n/regexcmp.h 2015-04-10 15:27:31.370772856 +0200
++++ icu/source/i18n/regexcmp.h 2015-04-10 15:28:06.152993511 +0200
+@@ -104,6 +104,13 @@
+ void fixLiterals(UBool split=FALSE); // Generate code for pending literal characters.
+ void insertOp(int32_t where); // Open up a slot for a new op in the
+ // generated code at the specified location.
++ void appendOp(int32_t op); // Append a new op to the compiled pattern.
++ void appendOp(int32_t type, int32_t val); // Build & append a new op to the compiled pattern.
++ int32_t buildOp(int32_t type, int32_t val); // Construct a new pcode instruction.
++ int32_t allocateData(int32_t size); // Allocate space in the matcher data area.
++ // Return index of the newly allocated data.
++ int32_t allocateStackData(int32_t size); // Allocate space in the match back-track stack frame.
++ // Return offset index in the frame.
+ int32_t minMatchLength(int32_t start,
+ int32_t end);
+ int32_t maxMatchLength(int32_t start,
+diff -ru icu/source/i18n/regeximp.h icu/source/i18n/regeximp.h
+--- icu/source/i18n/regeximp.h 2014-10-03 18:10:44.000000000 +0200
++++ icu/source/i18n/regeximp.h 2015-04-10 15:28:06.153993517 +0200
+@@ -1,5 +1,5 @@
+ //
+-// Copyright (C) 2002-2013 International Business Machines Corporation
++// Copyright (C) 2002-2014 International Business Machines Corporation
+ // and others. All rights reserved.
+ //
+ // file: regeximp.h
+@@ -241,7 +241,6 @@
+ //
+ // Convenience macros for assembling and disassembling a compiled operation.
+ //
+-#define URX_BUILD(type, val) (int32_t)((type << 24) | (val))
+ #define URX_TYPE(x) ((uint32_t)(x) >> 24)
+ #define URX_VAL(x) ((x) & 0xffffff)
+
+diff -ru icu/source/test/intltest/regextst.cpp icu/source/test/intltest/regextst.cpp
+--- icu/source/test/intltest/regextst.cpp 2014-10-03 18:09:44.000000000 +0200
++++ icu/source/test/intltest/regextst.cpp 2015-04-10 15:28:06.154993523 +0200
+@@ -144,6 +144,9 @@
+ case 24: name = "TestBug11049";
+ if (exec) TestBug11049();
+ break;
++ case 25: name = "TestBug11371";
++ if (exec) TestBug11371();
++ break;
+ default: name = "";
+ break; //needed to end loop
+ }
+@@ -5367,6 +5370,49 @@
+ }
+
+
++void RegexTest::TestBug11371() {
++ if (quick) {
++ logln("Skipping test. Runs in exhuastive mode only.");
++ return;
++ }
++ UErrorCode status = U_ZERO_ERROR;
++ UnicodeString patternString;
++
++ for (int i=0; i<8000000; i++) {
++ patternString.append(UnicodeString("()"));
++ }
++ LocalPointer<RegexPattern> compiledPat(RegexPattern::compile(patternString, 0, status));
++ if (status != U_REGEX_PATTERN_TOO_BIG) {
++ errln("File %s, line %d expected status=U_REGEX_PATTERN_TOO_BIG; got %s.",
++ __FILE__, __LINE__, u_errorName(status));
++ }
++
++ status = U_ZERO_ERROR;
++ patternString = "(";
++ for (int i=0; i<20000000; i++) {
++ patternString.append(UnicodeString("A++"));
++ }
++ patternString.append(UnicodeString("){0}B++"));
++ LocalPointer<RegexPattern> compiledPat2(RegexPattern::compile(patternString, 0, status));
++ if (status != U_REGEX_PATTERN_TOO_BIG) {
++ errln("File %s, line %d expected status=U_REGEX_PATTERN_TOO_BIG; got %s.",
++ __FILE__, __LINE__, u_errorName(status));
++ }
++
++ // Pattern with too much string data, such that string indexes overflow operand data field size
++ // in compiled instruction.
++ status = U_ZERO_ERROR;
++ patternString = "";
++ while (patternString.length() < 0x00ffffff) {
++ patternString.append(UnicodeString("stuff and things dont you know, these are a few of my favorite strings\n"));
++ }
++ patternString.append(UnicodeString("X? trailing string"));
++ LocalPointer<RegexPattern> compiledPat3(RegexPattern::compile(patternString, 0, status));
++ if (status != U_REGEX_PATTERN_TOO_BIG) {
++ errln("File %s, line %d expected status=U_REGEX_PATTERN_TOO_BIG; got %s.",
++ __FILE__, __LINE__, u_errorName(status));
++ }
++}
+
+ #endif /* !UCONFIG_NO_REGULAR_EXPRESSIONS */
+
+diff -ru icu/source/test/intltest/regextst.h icu/source/test/intltest/regextst.h
+--- icu/source/test/intltest/regextst.h 2014-10-03 18:09:40.000000000 +0200
++++ icu/source/test/intltest/regextst.h 2015-04-10 15:28:06.154993523 +0200
+@@ -50,6 +50,7 @@
+ virtual void Bug10459();
+ virtual void TestCaseInsensitiveStarters();
+ virtual void TestBug11049();
++ virtual void TestBug11371();
+
+ // The following functions are internal to the regexp tests.
+ virtual void assertUText(const char *expected, UText *actual, const char *file, int line);
diff --git a/icu.spec b/icu.spec
index 0e8374e..2b06df8 100644
--- a/icu.spec
+++ b/icu.spec
@@ -1,6 +1,6 @@
Name: icu
Version: 54.1
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: International Components for Unicode
Group: Development/Tools
License: MIT and UCD and Public Domain
@@ -15,7 +15,10 @@ Patch2: icu.8800.freeserif.crash.patch
Patch3: icu.7601.Indic-ccmp.patch
Patch4: gennorm2-man.patch
Patch5: icuinfo-man.patch
-Patch6: icu.changeset_37086.patch
+Patch6: icu.changeset_36724.patch
+Patch7: icu.changeset_36727.patch
+Patch8: icu.changeset_36801.patch
+Patch9: icu.changeset_37086.patch
%description
Tools and utilities for developing with icu.
@@ -63,7 +66,10 @@ BuildArch: noarch
%patch3 -p1 -b .icu7601.Indic-ccmp.patch
%patch4 -p1 -b .gennorm2-man.patch
%patch5 -p1 -b .icuinfo-man.patch
-%patch6 -p1 -b .icu.changeset_37086.patch
+%patch6 -p1 -b .icu.changeset_36724.patch
+%patch7 -p1 -b .icu.changeset_36727.patch
+%patch8 -p1 -b .icu.changeset_36801.patch
+%patch9 -p1 -b .icu.changeset_37086.patch
%build
cd source
@@ -172,6 +178,9 @@ make %{?_smp_mflags} -C source check
%doc source/__docs/%{name}/html/*
%changelog
+* Fri Apr 10 2015 Eike Rathke <erack at redhat.com> - 54.1-3
+- Resolves: rhbz#1190131 CVE-2014-7923 CVE-2014-7926 CVE-2014-9654
+
* Mon Mar 09 2015 Eike Rathke <erack at redhat.com> - 54.1-2
- Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/icu.git/commit/?h=f22&id=9270c935d93ca3c9c9f49bb5662677d3315a4822
More information about the scm-commits
mailing list