erack pushed to icu (f20). "Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591"
notifications at fedoraproject.org
notifications at fedoraproject.org
Fri Apr 10 17:54:30 UTC 2015
>From 25f62cfe2cac4bcf3bbdd16267b7d17ddff1821a Mon Sep 17 00:00:00 2001
From: Eike Rathke <erack at redhat.com>
Date: Fri, 10 Apr 2015 19:03:21 +0200
Subject: Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591
diff --git a/icu.changeset_33835.patch b/icu.changeset_33835.patch
new file mode 100644
index 0000000..291531e
--- /dev/null
+++ b/icu.changeset_33835.patch
@@ -0,0 +1,147 @@
+Index: icu/source/i18n/regexcmp.cpp
+===================================================================
+--- icu/source/i18n/regexcmp.cpp (revision 33834)
++++ icu/source/i18n/regexcmp.cpp (revision 33835)
+@@ -2,5 +2,5 @@
+ // file: regexcmp.cpp
+ //
+-// Copyright (C) 2002-2012 International Business Machines Corporation and others.
++// Copyright (C) 2002-2013 International Business Machines Corporation and others.
+ // All Rights Reserved.
+ //
+@@ -3336,12 +3336,44 @@
+ case URX_CTR_INIT:
+ case URX_CTR_INIT_NG:
++ // For Loops, recursively call this function on the pattern for the loop body,
++ // then multiply the result by the maximum loop count.
++ {
++ int32_t loopEndLoc = URX_VAL(fRXPat->fCompiledPat->elementAti(loc+1));
++ if (loopEndLoc == loc+4) {
++ // Loop has an empty body. No affect on max match length.
++ // Continue processing with code after the loop end.
++ loc = loopEndLoc;
++ break;
++ }
++
++ int32_t maxLoopCount = fRXPat->fCompiledPat->elementAti(loc+3);
++ if (maxLoopCount == -1) {
++ // Unbounded Loop. No upper bound on match length.
++ currentLen = INT32_MAX;
++ break;
++ }
++
++ U_ASSERT(loopEndLoc >= loc+4);
++ int32_t blockLen = maxMatchLength(loc+4, loopEndLoc-1); // Recursive call.
++ if (blockLen == INT32_MAX) {
++ currentLen = blockLen;
++ break;
++ }
++ currentLen += blockLen * maxLoopCount;
++ loc = loopEndLoc;
++ break;
++ }
++
+ case URX_CTR_LOOP:
+ case URX_CTR_LOOP_NG:
++ // These opcodes will be skipped over by code for URX_CRT_INIT.
++ // We shouldn't encounter them here.
++ U_ASSERT(FALSE);
++ break;
++
+ case URX_LOOP_SR_I:
+ case URX_LOOP_DOT_I:
+ case URX_LOOP_C:
+ // For anything to do with loops, make the match length unbounded.
+- // Note: INIT instructions are multi-word. Can ignore because
+- // INT32_MAX length will stop the per-instruction loop.
+ currentLen = INT32_MAX;
+ break;
+Index: icu/source/i18n/rematch.cpp
+===================================================================
+--- icu/source/i18n/rematch.cpp (revision 33834)
++++ icu/source/i18n/rematch.cpp (revision 33835)
+@@ -1,5 +1,5 @@
+ /*
+ **************************************************************************
+-* Copyright (C) 2002-2012 International Business Machines Corporation *
++* Copyright (C) 2002-2013 International Business Machines Corporation *
+ * and others. All rights reserved. *
+ **************************************************************************
+@@ -2828,5 +2828,5 @@
+ if (fTraceDebug) {
+ UTEXT_SETNATIVEINDEX(fInputText, fp->fInputIdx);
+- printf("inputIdx=%d inputChar=%x sp=%3d activeLimit=%d ", fp->fInputIdx,
++ printf("inputIdx=%ld inputChar=%x sp=%3ld activeLimit=%ld ", fp->fInputIdx,
+ UTEXT_CURRENT32(fInputText), (int64_t *)fp-fStack->getBuffer(), fActiveLimit);
+ fPattern->dumpOp(fp->fPatIdx);
+@@ -3493,5 +3493,5 @@
+ U_ASSERT(minCount>=0);
+ U_ASSERT(maxCount>=minCount || maxCount==-1);
+- U_ASSERT(loopLoc>fp->fPatIdx);
++ U_ASSERT(loopLoc>=fp->fPatIdx);
+
+ if (minCount == 0) {
+@@ -4212,5 +4212,5 @@
+ fMatchEnd = fp->fInputIdx;
+ if (fTraceDebug) {
+- REGEX_RUN_DEBUG_PRINTF(("Match. start=%d end=%d\n\n", fMatchStart, fMatchEnd));
++ REGEX_RUN_DEBUG_PRINTF(("Match. start=%ld end=%ld\n\n", fMatchStart, fMatchEnd));
+ }
+ }
+@@ -4253,5 +4253,5 @@
+ if (fTraceDebug)
+ {
+- printf("MatchAt(startIdx=%ld)\n", startIdx);
++ printf("MatchAt(startIdx=%d)\n", startIdx);
+ printf("Original Pattern: ");
+ UChar32 c = utext_next32From(fPattern->fPattern, 0);
+@@ -4322,5 +4322,5 @@
+ if (fTraceDebug) {
+ UTEXT_SETNATIVEINDEX(fInputText, fp->fInputIdx);
+- printf("inputIdx=%d inputChar=%x sp=%3d activeLimit=%d ", fp->fInputIdx,
++ printf("inputIdx=%ld inputChar=%x sp=%3ld activeLimit=%ld ", fp->fInputIdx,
+ UTEXT_CURRENT32(fInputText), (int64_t *)fp-fStack->getBuffer(), fActiveLimit);
+ fPattern->dumpOp(fp->fPatIdx);
+@@ -4952,5 +4952,5 @@
+ U_ASSERT(minCount>=0);
+ U_ASSERT(maxCount>=minCount || maxCount==-1);
+- U_ASSERT(loopLoc>fp->fPatIdx);
++ U_ASSERT(loopLoc>=fp->fPatIdx);
+
+ if (minCount == 0) {
+@@ -5636,5 +5636,5 @@
+ fMatchEnd = fp->fInputIdx;
+ if (fTraceDebug) {
+- REGEX_RUN_DEBUG_PRINTF(("Match. start=%d end=%d\n\n", fMatchStart, fMatchEnd));
++ REGEX_RUN_DEBUG_PRINTF(("Match. start=%ld end=%ld\n\n", fMatchStart, fMatchEnd));
+ }
+ }
+Index: icu/source/test/testdata/regextst.txt
+===================================================================
+--- icu/source/test/testdata/regextst.txt (revision 33834)
++++ icu/source/test/testdata/regextst.txt (revision 33835)
+@@ -1,3 +1,3 @@
+-# Copyright (c) 2001-2012 International Business Machines
++# Copyright (c) 2001-2013 International Business Machines
+ # Corporation and others. All Rights Reserved.
+ #
+@@ -1146,4 +1146,19 @@
+
+ "(ab)?(?<=ab)cd|ef" i "<0><1>ab</1>cd</0>"
++
++# Bug 10024
++# Incorrect (unbounded) longest match length with {1, 20} style quantifiers.
++# Unbounded match is disallowed in look-behind expressions.
++# Max match length is used to limit where to check for look-behind matches.
++
++"(?<=a{1,5})bc" "aaaa<0>bc</0>def"
++"(?<=(?:aa){3,20})bc" "aaaaaa<0>bc</0>def"
++"(?<!abc {1,100}|def {1,100}|ghi {1,100})jkl" "def jkl"
++"(?<!abc {1,100}|def {1,100}|ghi {1,100})jkl" "rst <0>jkl</0>"
++"(?<=a{11})bc" "aaaaaaaaaaa<0>bc</0>"
++"(?<=a{11})bc" "aaaaaaaaaabc"
++"(?<=a{1,})bc" E "aaaa<0>bc</0>def" # U_REGEX_LOOK_BEHIND_LIMIT error.
++"(?<=(?:){11})bc" "<0>bc</0>" # Empty (?:) expression.
++
+
+ # Random debugging, Temporary
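Review bot: In the new URX_CTR_INIT / URX_CTR_INIT_NG case of the embedded regexcmp.cpp change, `currentLen += blockLen * maxLoopCount;` multiplies and adds in int32_t with no range check. A bounded quantifier with a large count over a long body can therefore overflow, which is undefined behaviour for signed arithmetic and can leave a length that looks small and bounded. Because this value limits how far back a look-behind is checked, it should saturate the way the unbounded branches above it do: compute `int64_t total = (int64_t)currentLen + (int64_t)blockLen * maxLoopCount;`, then `if (total >= INT32_MAX) { currentLen = INT32_MAX; break; }` before `currentLen = (int32_t)total;`. `U_ASSERT(loopEndLoc >= loc+4)` presumably compiles out in release builds, so it should not be the only guard on the loop-end operand. The enclosing function and its switch start and end outside the hunk.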
diff --git a/icu.changeset_36724.patch b/icu.changeset_36724.patch
new file mode 100644
index 0000000..76170dd
--- /dev/null
+++ b/icu.changeset_36724.patch
@@ -0,0 +1,37 @@
+diff -ru2 icu/source/i18n/regexcmp.cpp icu/source/i18n/regexcmp.cpp
+--- icu/source/i18n/regexcmp.cpp 2015-04-10 19:32:36.860386962 +0200
++++ icu/source/i18n/regexcmp.cpp 2015-04-10 19:33:02.938554233 +0200
+@@ -2134,4 +2134,8 @@
+ int32_t minML = minMatchLength(fMatchOpenParen, patEnd);
+ int32_t maxML = maxMatchLength(fMatchOpenParen, patEnd);
++ if (URX_TYPE(maxML) != 0) {
++ error(U_REGEX_LOOK_BEHIND_LIMIT);
++ break;
++ }
+ if (maxML == INT32_MAX) {
+ error(U_REGEX_LOOK_BEHIND_LIMIT);
+@@ -2167,4 +2171,8 @@
+ int32_t minML = minMatchLength(fMatchOpenParen, patEnd);
+ int32_t maxML = maxMatchLength(fMatchOpenParen, patEnd);
++ if (URX_TYPE(maxML) != 0) {
++ error(U_REGEX_LOOK_BEHIND_LIMIT);
++ break;
++ }
+ if (maxML == INT32_MAX) {
+ error(U_REGEX_LOOK_BEHIND_LIMIT);
+diff -ru2 icu/source/test/testdata/regextst.txt icu/source/test/testdata/regextst.txt
+--- icu/source/test/testdata/regextst.txt 2015-04-10 19:32:36.861386968 +0200
++++ icu/source/test/testdata/regextst.txt 2015-04-10 19:33:02.939554239 +0200
+@@ -1162,4 +1162,12 @@
+
+
++# Bug 11370
++# Max match length computation of look-behind expression gives result that is too big to fit in the
++# in the 24 bit operand portion of the compiled code. Expressions should fail to compile
++# (Look-behind match length must be bounded. This case is treated as unbounded, an error.)
++
++"(?<!(0123456789a){10000000})x" E "no match"
++"(?<!\\ubeaf(\\ubeaf{11000}){11000})" E "no match"
++
+ # Random debugging, Temporary
+ #
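Review bot: The added `if (URX_TYPE(maxML) != 0)` guard has no comment saying it is a range check on the operand width. Assuming URX_TYPE extracts the top byte of the word, it also appears to make the following `if (maxML == INT32_MAX)` test unreachable, since INT32_MAX has a non-zero top byte. A comment such as `// maxML must fit in the 24-bit operand field; larger values, including the INT32_MAX "unbounded" marker, are rejected` would state the intent, and the redundant INT32_MAX branch could be folded into it; the same applies to the second copy in the @@ -2167 hunk. The guard inspects only the final value, so it cannot detect a length that already wrapped during 32-bit arithmetic inside maxMatchLength. Both enclosing case blocks start and end outside the hunks.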
diff --git a/icu.changeset_36727.patch b/icu.changeset_36727.patch
new file mode 100644
index 0000000..8a8cc04
--- /dev/null
+++ b/icu.changeset_36727.patch
@@ -0,0 +1,52 @@
+diff -ru2 icu/source/i18n/regexcmp.cpp icu/source/i18n/regexcmp.cpp
+--- icu/source/i18n/regexcmp.cpp 2015-04-10 19:38:02.107473170 +0200
++++ icu/source/i18n/regexcmp.cpp 2015-04-10 19:38:16.016562386 +0200
+@@ -2330,5 +2330,13 @@
+ if (fIntervalUpper == 0) {
+ // Pathological case. Attempt no matches, as if the block doesn't exist.
++ // Discard the generated code for the block.
++ // If the block included parens, discard the info pertaining to them as well.
+ fRXPat->fCompiledPat->setSize(topOfBlock);
++ if (fMatchOpenParen >= topOfBlock) {
++ fMatchOpenParen = -1;
++ }
++ if (fMatchCloseParen >= topOfBlock) {
++ fMatchCloseParen = -1;
++ }
+ return TRUE;
+ }
+diff -ru2 icu/source/i18n/regexcmp.h icu/source/i18n/regexcmp.h
+--- icu/source/i18n/regexcmp.h 2013-01-11 01:22:40.000000000 +0100
++++ icu/source/i18n/regexcmp.h 2015-04-10 19:38:16.016562386 +0200
+@@ -183,5 +183,7 @@
+ // of the slot reserved for a state save
+ // at the start of the most recently processed
+- // parenthesized block.
++ // parenthesized block. Updated when processing
++ // a close to the location for the corresponding open.
++
+ int32_t fMatchCloseParen; // The position in the pattern of the first
+ // location after the most recently processed
+diff -ru2 icu/source/test/testdata/regextst.txt icu/source/test/testdata/regextst.txt
+--- icu/source/test/testdata/regextst.txt 2015-04-10 19:38:02.108473176 +0200
++++ icu/source/test/testdata/regextst.txt 2015-04-10 19:38:16.017562392 +0200
+@@ -1162,4 +1162,13 @@
+
+
++# Bug 11369
++# Incorrect optimization of patterns with a zero length quantifier {0}
++
++"(.|b)(|b){0}\$(?#xxx){3}(?>\D*)" "AAAAABBBBBCCCCCDDDDEEEEE"
++"(|b)ab(c)" "<0><1></1>ab<2>c</2></0>"
++"(|b){0}a{3}(D*)" "<0>aaa<2></2></0>"
++"(|b){0,1}a{3}(D*)" "<0><1></1>aaa<2></2></0>"
++"((|b){0})a{3}(D*)" "<0><1></1>aaa<3></3></0>"
++
+ # Bug 11370
+ # Max match length computation of look-behind expression gives result that is too big to fit in the
+@@ -1170,4 +1179,5 @@
+ "(?<!\\ubeaf(\\ubeaf{11000}){11000})" E "no match"
+
++
+ # Random debugging, Temporary
+ #
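Review bot: The -1 written to fMatchOpenParen and fMatchCloseParen when a `{0}` block is discarded is a new sentinel that the regexcmp.h comment in this patch does not mention. The hunk also does not show whether later readers of these fields accept -1; the look-behind code, for example, passes fMatchOpenParen as a start location to minMatchLength / maxMatchLength. Extend the field comment with something like `// -1 if the block was discarded ({0} quantifier) and no parenthesized block is current.` and confirm that each consumer checks for it before using the value as an index. The blank line added after the fMatchOpenParen comment in the header could be dropped. The enclosing function in regexcmp.cpp starts outside the hunk.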
diff --git a/icu.changeset_36801.patch b/icu.changeset_36801.patch
new file mode 100644
index 0000000..338b401
--- /dev/null
+++ b/icu.changeset_36801.patch
@@ -0,0 +1,1082 @@
+diff -ru2 1.icu/source/common/unicode/utypes.h 2.icu/source/common/unicode/utypes.h
+--- 1.icu/source/common/unicode/utypes.h 2013-01-11 01:23:12.000000000 +0100
++++ 2.icu/source/common/unicode/utypes.h 2015-04-10 19:39:47.693150420 +0200
+@@ -648,4 +648,5 @@
+ U_REGEX_TIME_OUT, /**< Maximum allowed match time exceeded */
+ U_REGEX_STOPPED_BY_CALLER, /**< Matching operation aborted by user callback fn. */
++ U_REGEX_PATTERN_TOO_BIG, /**< Pattern exceeds limits on size or complexity. @draft ICU 55 */
+ U_REGEX_ERROR_LIMIT, /**< This must always be the last value to indicate the limit for regexp errors */
+
+diff -ru2 1.icu/source/common/utypes.c 2.icu/source/common/utypes.c
+--- 1.icu/source/common/utypes.c 2013-01-11 01:23:22.000000000 +0100
++++ 2.icu/source/common/utypes.c 2015-04-10 19:39:47.694150427 +0200
+@@ -2,5 +2,5 @@
+ ******************************************************************************
+ *
+-* Copyright (C) 1997-2011, International Business Machines
++* Copyright (C) 1997-2014, International Business Machines
+ * Corporation and others. All Rights Reserved.
+ *
+@@ -166,5 +166,6 @@
+ "U_REGEX_STACK_OVERFLOW",
+ "U_REGEX_TIME_OUT",
+- "U_REGEX_STOPPED_BY_CALLER"
++ "U_REGEX_STOPPED_BY_CALLER",
++ "U_REGEX_PATTERN_TOO_BIG"
+ };
+
+diff -ru2 1.icu/source/i18n/regexcmp.cpp 2.icu/source/i18n/regexcmp.cpp
+--- 1.icu/source/i18n/regexcmp.cpp 2015-04-10 19:39:22.736990346 +0200
++++ 2.icu/source/i18n/regexcmp.cpp 2015-04-10 19:42:21.273135514 +0200
+@@ -303,5 +303,5 @@
+ // the position in the compiled pattern.
+ //
+- fRXPat->fFrameSize+=RESTACKFRAME_HDRCOUNT;
++ allocateStackData(RESTACKFRAME_HDRCOUNT);
+
+ //
+@@ -369,7 +369,7 @@
+ //4 NOP Resreved, will be replaced by a save if there are
+ // OR | operators at the top level
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_STATE_SAVE, 2), *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_JMP, 3), *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_FAIL, 0), *fStatus);
++ appendOp(URX_STATE_SAVE, 2);
++ appendOp(URX_JMP, 3);
++ appendOp(URX_FAIL, 0);
+
+ // Standard open nonCapture paren action emits the two NOPs and
+@@ -394,5 +394,5 @@
+
+ // add the END operation to the compiled pattern.
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_END, 0), *fStatus);
++ appendOp(URX_END, 0);
+
+ // Terminate the pattern compilation state machine.
+@@ -416,5 +416,5 @@
+ int32_t op = (int32_t)fRXPat->fCompiledPat->elementAti(savePosition);
+ U_ASSERT(URX_TYPE(op) == URX_NOP); // original contents of reserved location
+- op = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+1);
++ op = buildOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+1);
+ fRXPat->fCompiledPat->setElementAt(op, savePosition);
+
+@@ -422,6 +422,5 @@
+ // the JMP will eventually be the location following the ')' for the
+ // group. This will be patched in later, when the ')' is encountered.
+- op = URX_BUILD(URX_JMP, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_JMP, 0);
+
+ // Push the position of the newly added JMP op onto the parentheses stack.
+@@ -432,5 +431,5 @@
+ // for a SAVE in the event that there is yet another '|' following
+ // this one.
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
++ appendOp(URX_NOP, 0);
+ fParenStack.push(fRXPat->fCompiledPat->size()-1, *fStatus);
+ }
+@@ -458,10 +457,8 @@
+ {
+ fixLiterals();
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
+- int32_t varsLoc = fRXPat->fFrameSize; // Reserve three slots in match stack frame.
+- fRXPat->fFrameSize += 3;
+- int32_t cop = URX_BUILD(URX_START_CAPTURE, varsLoc);
+- fRXPat->fCompiledPat->addElement(cop, *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
++ appendOp(URX_NOP, 0);
++ int32_t varsLoc = allocateStackData(3); // Reserve three slots in match stack frame.
++ appendOp(URX_START_CAPTURE, varsLoc);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+@@ -488,6 +485,6 @@
+ {
+ fixLiterals();
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
++ appendOp(URX_NOP, 0);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+@@ -511,10 +508,8 @@
+ {
+ fixLiterals();
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
+- int32_t varLoc = fRXPat->fDataSize; // Reserve a data location for saving the
+- fRXPat->fDataSize += 1; // state stack ptr.
+- int32_t stoOp = URX_BUILD(URX_STO_SP, varLoc);
+- fRXPat->fCompiledPat->addElement(stoOp, *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
++ appendOp(URX_NOP, 0);
++ int32_t varLoc = allocateData(1); // Reserve a data location for saving the state stack ptr.
++ appendOp(URX_STO_SP, varLoc);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+@@ -559,24 +554,12 @@
+ {
+ fixLiterals();
+- int32_t dataLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize += 2;
+- int32_t op = URX_BUILD(URX_LA_START, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+ 2);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_JMP, fRXPat->fCompiledPat->size()+ 3);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_LA_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_BACKTRACK, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_NOP, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ int32_t dataLoc = allocateData(2);
++ appendOp(URX_LA_START, dataLoc);
++ appendOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+ 2);
++ appendOp(URX_JMP, fRXPat->fCompiledPat->size()+ 3);
++ appendOp(URX_LA_END, dataLoc);
++ appendOp(URX_BACKTRACK, 0);
++ appendOp(URX_NOP, 0);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+@@ -603,14 +586,8 @@
+ {
+ fixLiterals();
+- int32_t dataLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize += 2;
+- int32_t op = URX_BUILD(URX_LA_START, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_STATE_SAVE, 0); // dest address will be patched later.
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+-
+- op = URX_BUILD(URX_NOP, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ int32_t dataLoc = allocateData(2);
++ appendOp(URX_LA_START, dataLoc);
++ appendOp(URX_STATE_SAVE, 0); // dest address will be patched later.
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+@@ -650,21 +627,17 @@
+
+ // Allocate data space
+- int32_t dataLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize += 4;
++ int32_t dataLoc = allocateData(4);
+
+ // Emit URX_LB_START
+- int32_t op = URX_BUILD(URX_LB_START, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LB_START, dataLoc);
+
+ // Emit URX_LB_CONT
+- op = URX_BUILD(URX_LB_CONT, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- fRXPat->fCompiledPat->addElement(0, *fStatus); // MinMatchLength. To be filled later.
+- fRXPat->fCompiledPat->addElement(0, *fStatus); // MaxMatchLength. To be filled later.
+-
+- // Emit the NOP
+- op = URX_BUILD(URX_NOP, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LB_CONT, dataLoc);
++ appendOp(URX_RESERVED_OP, 0); // MinMatchLength. To be filled later.
++ appendOp(URX_RESERVED_OP, 0); // MaxMatchLength. To be filled later.
++
++ // Emit the NOPs
++ appendOp(URX_NOP, 0);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+@@ -706,22 +679,18 @@
+
+ // Allocate data space
+- int32_t dataLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize += 4;
++ int32_t dataLoc = allocateData(4);
+
+ // Emit URX_LB_START
+- int32_t op = URX_BUILD(URX_LB_START, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LB_START, dataLoc);
+
+ // Emit URX_LBN_CONT
+- op = URX_BUILD(URX_LBN_CONT, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- fRXPat->fCompiledPat->addElement(0, *fStatus); // MinMatchLength. To be filled later.
+- fRXPat->fCompiledPat->addElement(0, *fStatus); // MaxMatchLength. To be filled later.
+- fRXPat->fCompiledPat->addElement(0, *fStatus); // Continue Loc. To be filled later.
+-
+- // Emit the NOP
+- op = URX_BUILD(URX_NOP, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LBN_CONT, dataLoc);
++ appendOp(URX_RESERVED_OP, 0); // MinMatchLength. To be filled later.
++ appendOp(URX_RESERVED_OP, 0); // MaxMatchLength. To be filled later.
++ appendOp(URX_RESERVED_OP, 0); // Continue Loc. To be filled later.
++
++ // Emit the NOPs
++ appendOp(URX_NOP, 0);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+@@ -793,10 +762,7 @@
+ if (URX_TYPE(repeatedOp) == URX_SETREF) {
+ // Emit optimized code for [char set]+
+- int32_t loopOpI = URX_BUILD(URX_LOOP_SR_I, URX_VAL(repeatedOp));
+- fRXPat->fCompiledPat->addElement(loopOpI, *fStatus);
+- frameLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
+- int32_t loopOpC = URX_BUILD(URX_LOOP_C, frameLoc);
+- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus);
++ appendOp(URX_LOOP_SR_I, URX_VAL(repeatedOp));
++ frameLoc = allocateStackData(1);
++ appendOp(URX_LOOP_C, frameLoc);
+ break;
+ }
+@@ -806,5 +772,5 @@
+ URX_TYPE(repeatedOp) == URX_DOTANY_UNIX) {
+ // Emit Optimized code for .+ operations.
+- int32_t loopOpI = URX_BUILD(URX_LOOP_DOT_I, 0);
++ int32_t loopOpI = buildOp(URX_LOOP_DOT_I, 0);
+ if (URX_TYPE(repeatedOp) == URX_DOTANY_ALL) {
+ // URX_LOOP_DOT_I operand is a flag indicating ". matches any" mode.
+@@ -814,9 +780,7 @@
+ loopOpI |= 2;
+ }
+- fRXPat->fCompiledPat->addElement(loopOpI, *fStatus);
+- frameLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
+- int32_t loopOpC = URX_BUILD(URX_LOOP_C, frameLoc);
+- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus);
++ appendOp(loopOpI);
++ frameLoc = allocateStackData(1);
++ appendOp(URX_LOOP_C, frameLoc);
+ break;
+ }
+@@ -832,16 +796,13 @@
+ // Emit the code sequence that can handle it.
+ insertOp(topLoc);
+- frameLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
++ frameLoc = allocateStackData(1);
+
+- int32_t op = URX_BUILD(URX_STO_INP_LOC, frameLoc);
++ int32_t op = buildOp(URX_STO_INP_LOC, frameLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc);
+
+- op = URX_BUILD(URX_JMP_SAV_X, topLoc+1);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_JMP_SAV_X, topLoc+1);
+ } else {
+ // Simpler code when the repeated body must match something non-empty
+- int32_t jmpOp = URX_BUILD(URX_JMP_SAV, topLoc);
+- fRXPat->fCompiledPat->addElement(jmpOp, *fStatus);
++ appendOp(URX_JMP_SAV, topLoc);
+ }
+ }
+@@ -855,6 +816,5 @@
+ {
+ int32_t topLoc = blockTopLoc(FALSE);
+- int32_t saveStateOp = URX_BUILD(URX_STATE_SAVE, topLoc);
+- fRXPat->fCompiledPat->addElement(saveStateOp, *fStatus);
++ appendOp(URX_STATE_SAVE, topLoc);
+ }
+ break;
+@@ -870,5 +830,5 @@
+ {
+ int32_t saveStateLoc = blockTopLoc(TRUE);
+- int32_t saveStateOp = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size());
++ int32_t saveStateOp = buildOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size());
+ fRXPat->fCompiledPat->setElementAt(saveStateOp, saveStateLoc);
+ }
+@@ -889,12 +849,10 @@
+ int32_t jmp2_loc = fRXPat->fCompiledPat->size();
+
+- int32_t jmp1_op = URX_BUILD(URX_JMP, jmp2_loc+1);
++ int32_t jmp1_op = buildOp(URX_JMP, jmp2_loc+1);
+ fRXPat->fCompiledPat->setElementAt(jmp1_op, jmp1_loc);
+
+- int32_t jmp2_op = URX_BUILD(URX_JMP, jmp2_loc+2);
+- fRXPat->fCompiledPat->addElement(jmp2_op, *fStatus);
++ appendOp(URX_JMP, jmp2_loc+2);
+
+- int32_t save_op = URX_BUILD(URX_STATE_SAVE, jmp1_loc+1);
+- fRXPat->fCompiledPat->addElement(save_op, *fStatus);
++ appendOp(URX_STATE_SAVE, jmp1_loc+1);
+ }
+ break;
+@@ -936,10 +894,8 @@
+ if (URX_TYPE(repeatedOp) == URX_SETREF) {
+ // Emit optimized code for a [char set]*
+- int32_t loopOpI = URX_BUILD(URX_LOOP_SR_I, URX_VAL(repeatedOp));
++ int32_t loopOpI = buildOp(URX_LOOP_SR_I, URX_VAL(repeatedOp));
+ fRXPat->fCompiledPat->setElementAt(loopOpI, topLoc);
+- dataLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
+- int32_t loopOpC = URX_BUILD(URX_LOOP_C, dataLoc);
+- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus);
++ dataLoc = allocateStackData(1);
++ appendOp(URX_LOOP_C, dataLoc);
+ break;
+ }
+@@ -949,5 +905,5 @@
+ URX_TYPE(repeatedOp) == URX_DOTANY_UNIX) {
+ // Emit Optimized code for .* operations.
+- int32_t loopOpI = URX_BUILD(URX_LOOP_DOT_I, 0);
++ int32_t loopOpI = buildOp(URX_LOOP_DOT_I, 0);
+ if (URX_TYPE(repeatedOp) == URX_DOTANY_ALL) {
+ // URX_LOOP_DOT_I operand is a flag indicating . matches any mode.
+@@ -958,8 +914,6 @@
+ }
+ fRXPat->fCompiledPat->setElementAt(loopOpI, topLoc);
+- dataLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
+- int32_t loopOpC = URX_BUILD(URX_LOOP_C, dataLoc);
+- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus);
++ dataLoc = allocateStackData(1);
++ appendOp(URX_LOOP_C, dataLoc);
+ break;
+ }
+@@ -970,5 +924,5 @@
+
+ int32_t saveStateLoc = blockTopLoc(TRUE);
+- int32_t jmpOp = URX_BUILD(URX_JMP_SAV, saveStateLoc+1);
++ int32_t jmpOp = buildOp(URX_JMP_SAV, saveStateLoc+1);
+
+ // Check for minimum match length of zero, which requires
+@@ -976,10 +930,9 @@
+ if (minMatchLength(saveStateLoc, fRXPat->fCompiledPat->size()-1) == 0) {
+ insertOp(saveStateLoc);
+- dataLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
++ dataLoc = allocateStackData(1);
+
+- int32_t op = URX_BUILD(URX_STO_INP_LOC, dataLoc);
++ int32_t op = buildOp(URX_STO_INP_LOC, dataLoc);
+ fRXPat->fCompiledPat->setElementAt(op, saveStateLoc+1);
+- jmpOp = URX_BUILD(URX_JMP_SAV_X, saveStateLoc+2);
++ jmpOp = buildOp(URX_JMP_SAV_X, saveStateLoc+2);
+ }
+
+@@ -988,10 +941,10 @@
+ int32_t continueLoc = fRXPat->fCompiledPat->size()+1;
+
+- // Put together the save state op store it into the compiled code.
+- int32_t saveStateOp = URX_BUILD(URX_STATE_SAVE, continueLoc);
++ // Put together the save state op and store it into the compiled code.
++ int32_t saveStateOp = buildOp(URX_STATE_SAVE, continueLoc);
+ fRXPat->fCompiledPat->setElementAt(saveStateOp, saveStateLoc);
+
+ // Append the URX_JMP_SAV or URX_JMPX operation to the compiled pattern.
+- fRXPat->fCompiledPat->addElement(jmpOp, *fStatus);
++ appendOp(jmpOp);
+ }
+ break;
+@@ -1007,8 +960,7 @@
+ int32_t jmpLoc = blockTopLoc(TRUE); // loc 1.
+ int32_t saveLoc = fRXPat->fCompiledPat->size(); // loc 3.
+- int32_t jmpOp = URX_BUILD(URX_JMP, saveLoc);
+- int32_t stateSaveOp = URX_BUILD(URX_STATE_SAVE, jmpLoc+1);
++ int32_t jmpOp = buildOp(URX_JMP, saveLoc);
+ fRXPat->fCompiledPat->setElementAt(jmpOp, jmpLoc);
+- fRXPat->fCompiledPat->addElement(stateSaveOp, *fStatus);
++ appendOp(URX_STATE_SAVE, jmpLoc+1);
+ }
+ break;
+@@ -1079,7 +1031,7 @@
+ // First the STO_SP before the start of the loop
+ insertOp(topLoc);
+- int32_t varLoc = fRXPat->fDataSize; // Reserve a data location for saving the
+- fRXPat->fDataSize += 1; // state stack ptr.
+- int32_t op = URX_BUILD(URX_STO_SP, varLoc);
++
++ int32_t varLoc = allocateData(1); // Reserve a data location for saving the
++ int32_t op = buildOp(URX_STO_SP, varLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc);
+
+@@ -1090,6 +1042,5 @@
+
+ // Then the LD_SP after the end of the loop
+- op = URX_BUILD(URX_LD_SP, varLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LD_SP, varLoc);
+ }
+
+@@ -1127,13 +1078,11 @@
+ {
+ fixLiterals(FALSE);
+- int32_t op;
+ if (fModeFlags & UREGEX_DOTALL) {
+- op = URX_BUILD(URX_DOTANY_ALL, 0);
++ appendOp(URX_DOTANY_ALL, 0);
+ } else if (fModeFlags & UREGEX_UNIX_LINES) {
+- op = URX_BUILD(URX_DOTANY_UNIX, 0);
++ appendOp(URX_DOTANY_UNIX, 0);
+ } else {
+- op = URX_BUILD(URX_DOTANY, 0);
++ appendOp(URX_DOTANY, 0);
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+ }
+ break;
+@@ -1142,15 +1091,13 @@
+ {
+ fixLiterals(FALSE);
+- int32_t op = 0;
+ if ( (fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) {
+- op = URX_CARET;
++ appendOp(URX_CARET, 0);
+ } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) {
+- op = URX_CARET_M;
++ appendOp(URX_CARET_M, 0);
+ } else if ((fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) {
+- op = URX_CARET; // Only testing true start of input.
++ appendOp(URX_CARET, 0); // Only testing true start of input.
+ } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) {
+- op = URX_CARET_M_UNIX;
++ appendOp(URX_CARET_M_UNIX, 0);
+ }
+- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 0), *fStatus);
+ }
+ break;
+@@ -1159,15 +1106,13 @@
+ {
+ fixLiterals(FALSE);
+- int32_t op = 0;
+ if ( (fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) {
+- op = URX_DOLLAR;
++ appendOp(URX_DOLLAR, 0);
+ } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) {
+- op = URX_DOLLAR_M;
++ appendOp(URX_DOLLAR_M, 0);
+ } else if ((fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) {
+- op = URX_DOLLAR_D;
++ appendOp(URX_DOLLAR_D, 0);
+ } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) {
+- op = URX_DOLLAR_MD;
++ appendOp(URX_DOLLAR_MD, 0);
+ }
+- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 0), *fStatus);
+ }
+ break;
+@@ -1175,5 +1120,5 @@
+ case doBackslashA:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_CARET, 0), *fStatus);
++ appendOp(URX_CARET, 0);
+ break;
+
+@@ -1187,5 +1132,5 @@
+ fixLiterals(FALSE);
+ int32_t op = (fModeFlags & UREGEX_UWORD)? URX_BACKSLASH_BU : URX_BACKSLASH_B;
+- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 1), *fStatus);
++ appendOp(op, 1);
+ }
+ break;
+@@ -1200,5 +1145,5 @@
+ fixLiterals(FALSE);
+ int32_t op = (fModeFlags & UREGEX_UWORD)? URX_BACKSLASH_BU : URX_BACKSLASH_B;
+- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 0), *fStatus);
++ appendOp(op, 0);
+ }
+ break;
+@@ -1206,44 +1151,40 @@
+ case doBackslashD:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_D, 1), *fStatus);
++ appendOp(URX_BACKSLASH_D, 1);
+ break;
+
+ case doBackslashd:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_D, 0), *fStatus);
++ appendOp(URX_BACKSLASH_D, 0);
+ break;
+
+ case doBackslashG:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_G, 0), *fStatus);
++ appendOp(URX_BACKSLASH_G, 0);
+ break;
+
+ case doBackslashS:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(
+- URX_BUILD(URX_STAT_SETREF_N, URX_ISSPACE_SET), *fStatus);
++ appendOp(URX_STAT_SETREF_N, URX_ISSPACE_SET);
+ break;
+
+ case doBackslashs:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(
+- URX_BUILD(URX_STATIC_SETREF, URX_ISSPACE_SET), *fStatus);
++ appendOp(URX_STATIC_SETREF, URX_ISSPACE_SET);
+ break;
+
+ case doBackslashW:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(
+- URX_BUILD(URX_STAT_SETREF_N, URX_ISWORD_SET), *fStatus);
++ appendOp(URX_STAT_SETREF_N, URX_ISWORD_SET);
+ break;
+
+ case doBackslashw:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(
+- URX_BUILD(URX_STATIC_SETREF, URX_ISWORD_SET), *fStatus);
++ appendOp(URX_STATIC_SETREF, URX_ISWORD_SET);
+ break;
+
+ case doBackslashX:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_X, 0), *fStatus);
++ appendOp(URX_BACKSLASH_X, 0);
+ break;
+
+@@ -1251,10 +1192,10 @@
+ case doBackslashZ:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_DOLLAR, 0), *fStatus);
++ appendOp(URX_DOLLAR, 0);
+ break;
+
+ case doBackslashz:
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_Z, 0), *fStatus);
++ appendOp(URX_BACKSLASH_Z, 0);
+ break;
+
+@@ -1316,11 +1257,9 @@
+ // and shouldn't enter this code path at all.
+ fixLiterals(FALSE);
+- int32_t op;
+ if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
+- op = URX_BUILD(URX_BACKREF_I, groupNum);
++ appendOp(URX_BACKREF_I, groupNum);
+ } else {
+- op = URX_BUILD(URX_BACKREF, groupNum);
++ appendOp(URX_BACKREF, groupNum);
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+ }
+ break;
+@@ -1343,20 +1282,16 @@
+ // Emit the STO_SP
+ int32_t topLoc = blockTopLoc(TRUE);
+- int32_t stoLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize++; // Reserve the data location for storing save stack ptr.
+- int32_t op = URX_BUILD(URX_STO_SP, stoLoc);
++ int32_t stoLoc = allocateData(1); // Reserve the data location for storing save stack ptr.
++ int32_t op = buildOp(URX_STO_SP, stoLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc);
+
+ // Emit the STATE_SAVE
+- op = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+2);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+2);
+
+ // Emit the JMP
+- op = URX_BUILD(URX_JMP, topLoc+1);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_JMP, topLoc+1);
+
+ // Emit the LD_SP
+- op = URX_BUILD(URX_LD_SP, stoLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LD_SP, stoLoc);
+ }
+ break;
+@@ -1378,21 +1313,18 @@
+
+ // emit STO_SP loc
+- int32_t stoLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize++; // Reserve the data location for storing save stack ptr.
+- int32_t op = URX_BUILD(URX_STO_SP, stoLoc);
++ int32_t stoLoc = allocateData(1); // Reserve the data location for storing save stack ptr.
++ int32_t op = buildOp(URX_STO_SP, stoLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc);
+
+ // Emit the SAVE_STATE 5
+ int32_t L7 = fRXPat->fCompiledPat->size()+1;
+- op = URX_BUILD(URX_STATE_SAVE, L7);
++ op = buildOp(URX_STATE_SAVE, L7);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc+1);
+
+ // Append the JMP operation.
+- op = URX_BUILD(URX_JMP, topLoc+1);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_JMP, topLoc+1);
+
+ // Emit the LD_SP loc
+- op = URX_BUILD(URX_LD_SP, stoLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LD_SP, stoLoc);
+ }
+ break;
+@@ -1413,17 +1345,15 @@
+
+ // Emit the STO_SP
+- int32_t stoLoc = fRXPat->fDataSize;
+- fRXPat->fDataSize++; // Reserve the data location for storing save stack ptr.
+- int32_t op = URX_BUILD(URX_STO_SP, stoLoc);
++ int32_t stoLoc = allocateData(1); // Reserve the data location for storing save stack ptr.
++ int32_t op = buildOp(URX_STO_SP, stoLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc);
+
+ // Emit the SAVE_STATE
+ int32_t continueLoc = fRXPat->fCompiledPat->size()+1;
+- op = URX_BUILD(URX_STATE_SAVE, continueLoc);
++ op = buildOp(URX_STATE_SAVE, continueLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topLoc+1);
+
+ // Emit the LD_SP
+- op = URX_BUILD(URX_LD_SP, stoLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LD_SP, stoLoc);
+ }
+ break;
+@@ -1482,6 +1412,6 @@
+ {
+ fixLiterals(FALSE);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus);
++ appendOp(URX_NOP, 0);
++ appendOp(URX_NOP, 0);
+
+ // On the Parentheses stack, start a new frame and add the postions
+@@ -1820,5 +1750,4 @@
+ //------------------------------------------------------------------------------
+ void RegexCompile::fixLiterals(UBool split) {
+- int32_t op = 0; // An op from/for the compiled pattern.
+
+ // If no literal characters have been scanned but not yet had code generated
+@@ -1859,21 +1788,21 @@
+ if ((fModeFlags & UREGEX_CASE_INSENSITIVE) &&
+ u_hasBinaryProperty(lastCodePoint, UCHAR_CASE_SENSITIVE)) {
+- op = URX_BUILD(URX_ONECHAR_I, lastCodePoint);
++ appendOp(URX_ONECHAR_I, lastCodePoint);
+ } else {
+- op = URX_BUILD(URX_ONECHAR, lastCodePoint);
++ appendOp(URX_ONECHAR, lastCodePoint);
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+ } else {
+ // Two or more chars, emit a URX_STRING to match them.
++ if (fLiteralChars.length() > 0x00ffffff || fRXPat->fLiteralText.length() > 0x00ffffff) {
++ error(U_REGEX_PATTERN_TOO_BIG);
++ }
+ if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
+- op = URX_BUILD(URX_STRING_I, fRXPat->fLiteralText.length());
++ appendOp(URX_STRING_I, fRXPat->fLiteralText.length());
+ } else {
+ // TODO here: add optimization to split case sensitive strings of length two
+ // into two single char ops, for efficiency.
+- op = URX_BUILD(URX_STRING, fRXPat->fLiteralText.length());
++ appendOp(URX_STRING, fRXPat->fLiteralText.length());
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- op = URX_BUILD(URX_STRING_LEN, fLiteralChars.length());
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_STRING_LEN, fLiteralChars.length());
+
+ // Add this string into the accumulated strings of the compiled pattern.
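Review bot: The new length check in the multi-character branch calls `error(U_REGEX_PATTERN_TOO_BIG)` and then falls through to the `appendOp` calls, so it is safe only because `appendOp` and `buildOp` return early once `*fStatus` holds a failure (assuming `error()` records the failure there). I would state that next to the check, e.g. `// error() leaves *fStatus failed; the appendOp() calls below then emit nothing.`, so a later edit does not put an unguarded `addElement` back under it. The limit here is `0x00ffffff` while `appendOp` and the allocators use `0x00fffff0`; if the difference is intentional it deserves a word too. The rest of fixLiterals lies outside this hunk.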
+@@ -1885,6 +1814,56 @@
+
+
++int32_t RegexCompile::buildOp(int32_t type, int32_t val) {
++ if (U_FAILURE(*fStatus)) {
++ return 0;
++ }
++ if (type < 0 || type > 255) {
++ U_ASSERT(FALSE);
++ error(U_REGEX_INTERNAL_ERROR);
++ type = URX_RESERVED_OP;
++ }
++ if (val > 0x00ffffff) {
++ U_ASSERT(FALSE);
++ error(U_REGEX_INTERNAL_ERROR);
++ val = 0;
++ }
++ if (val < 0) {
++ if (!(type == URX_RESERVED_OP_N || type == URX_RESERVED_OP)) {
++ U_ASSERT(FALSE);
++ error(U_REGEX_INTERNAL_ERROR);
++ return -1;
++ }
++ if (URX_TYPE(val) != 0xff) {
++ U_ASSERT(FALSE);
++ error(U_REGEX_INTERNAL_ERROR);
++ return -1;
++ }
++ type = URX_RESERVED_OP_N;
++ }
++ return (type << 24) | val;
++}
+
+
++//------------------------------------------------------------------------------
++//
++// appendOp() Append a new instruction onto the compiled pattern
++// Includes error checking, limiting the size of the
++// pattern to lengths that can be represented in the
++// 24 bit operand field of an instruction.
++//
++//------------------------------------------------------------------------------
++void RegexCompile::appendOp(int32_t op) {
++ if (U_FAILURE(*fStatus)) {
++ return;
++ }
++ fRXPat->fCompiledPat->addElement(op, *fStatus);
++ if ((fRXPat->fCompiledPat->size() > 0x00fffff0) && U_SUCCESS(*fStatus)) {
++ error(U_REGEX_PATTERN_TOO_BIG);
++ }
++}
++
++void RegexCompile::appendOp(int32_t type, int32_t val) {
++ appendOp(buildOp(type, val));
++}
+
+
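Review bot: buildOp has no header comment, unlike appendOp in the same hunk, and its failure contract is easy to miss: it returns 0 when `*fStatus` has already failed, -1 for the two rejected negative-operand cases, and otherwise an instruction with the operand forced to 0 or the type forced to `URX_RESERVED_OP`. Call sites in this patch that pass the result straight to `setElementAt` (the STO_SP and STATE_SAVE emitters, for example) store that placeholder without looking at the status, so the banner should say the value is meaningful only while `U_SUCCESS(*fStatus)` and that a pattern whose compile failed must never be executed. Separately, `(type << 24)` shifts an `int32_t` holding up to 255 into the sign bit, as the removed URX_BUILD macro did; `return (int32_t)(((uint32_t)type << 24) | (uint32_t)val);` avoids depending on signed-shift behaviour.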
+@@ -1902,5 +1881,5 @@
+ U_ASSERT(where>0 && where < code->size());
+
+- int32_t nop = URX_BUILD(URX_NOP, 0);
++ int32_t nop = buildOp(URX_NOP, 0);
+ code->insertElementAt(nop, where, *fStatus);
+
+@@ -1923,5 +1902,5 @@
+ // needs to be incremented to adjust for the insertion.
+ opValue++;
+- op = URX_BUILD(opType, opValue);
++ op = buildOp(opType, opValue);
+ code->setElementAt(op, loc);
+ }
+@@ -1948,4 +1927,56 @@
+
+
++//------------------------------------------------------------------------------
++//
++// allocateData() Allocate storage in the matcher's static data area.
++// Return the index for the newly allocated data.
++// The storage won't actually exist until we are running a match
++// operation, but the storage indexes are inserted into various
++// opcodes while compiling the pattern.
++//
++//------------------------------------------------------------------------------
++int32_t RegexCompile::allocateData(int32_t size) {
++ if (U_FAILURE(*fStatus)) {
++ return 0;
++ }
++ if (size <= 0 || size > 0x100 || fRXPat->fDataSize < 0) {
++ error(U_REGEX_INTERNAL_ERROR);
++ return 0;
++ }
++ int32_t dataIndex = fRXPat->fDataSize;
++ fRXPat->fDataSize += size;
++ if (fRXPat->fDataSize >= 0x00fffff0) {
++ error(U_REGEX_INTERNAL_ERROR);
++ }
++ return dataIndex;
++}
++
++
++//------------------------------------------------------------------------------
++//
++// allocateStackData() Allocate space in the back-tracking stack frame.
++// Return the index for the newly allocated data.
++// The frame indexes are inserted into various
++// opcodes while compiling the pattern, meaning that frame
++// size must be restricted to the size that will fit
++// as an operand (24 bits).
++//
++//------------------------------------------------------------------------------
++int32_t RegexCompile::allocateStackData(int32_t size) {
++ if (U_FAILURE(*fStatus)) {
++ return 0;
++ }
++ if (size <= 0 || size > 0x100 || fRXPat->fFrameSize < 0) {
++ error(U_REGEX_INTERNAL_ERROR);
++ return 0;
++ }
++ int32_t dataIndex = fRXPat->fFrameSize;
++ fRXPat->fFrameSize += size;
++ if (fRXPat->fFrameSize >= 0x00fffff0) {
++ error(U_REGEX_PATTERN_TOO_BIG);
++ }
++ return dataIndex;
++}
++
+
+ //------------------------------------------------------------------------------
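Review bot: allocateData reports `U_REGEX_INTERNAL_ERROR` when `fDataSize` reaches `0x00fffff0`, while allocateStackData reports `U_REGEX_PATTERN_TOO_BIG` for the same condition on `fFrameSize`. Growth of the data area looks driven by the pattern being compiled rather than by a compiler bug, so an oversized pattern could surface as an internal-error status instead of the one the new test expects. I would use `error(U_REGEX_PATTERN_TOO_BIG);` in both and keep `U_REGEX_INTERNAL_ERROR` for the bad-`size` guard. Both functions still return the index after flagging the overflow, which is fine only as long as callers stop on a failed status.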
+@@ -1990,5 +2021,5 @@
+ }
+ if (reserveLoc) {
+- int32_t nop = URX_BUILD(URX_NOP, 0);
++ int32_t nop = buildOp(URX_NOP, 0);
+ fRXPat->fCompiledPat->insertElementAt(nop, theLoc, *fStatus);
+ }
+@@ -2065,6 +2096,5 @@
+
+ int32_t frameVarLocation = URX_VAL(captureOp);
+- int32_t endCaptureOp = URX_BUILD(URX_END_CAPTURE, frameVarLocation);
+- fRXPat->fCompiledPat->addElement(endCaptureOp, *fStatus);
++ appendOp(URX_END_CAPTURE, frameVarLocation);
+ }
+ break;
+@@ -2077,6 +2107,5 @@
+ U_ASSERT(URX_TYPE(stoOp) == URX_STO_SP);
+ int32_t stoLoc = URX_VAL(stoOp);
+- int32_t ldOp = URX_BUILD(URX_LD_SP, stoLoc);
+- fRXPat->fCompiledPat->addElement(ldOp, *fStatus);
++ appendOp(URX_LD_SP, stoLoc);
+ }
+ break;
+@@ -2087,6 +2116,5 @@
+ U_ASSERT(URX_TYPE(startOp) == URX_LA_START);
+ int32_t dataLoc = URX_VAL(startOp);
+- int32_t op = URX_BUILD(URX_LA_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LA_END, dataLoc);
+ }
+ break;
+@@ -2098,10 +2126,7 @@
+ U_ASSERT(URX_TYPE(startOp) == URX_LA_START);
+ int32_t dataLoc = URX_VAL(startOp);
+- int32_t op = URX_BUILD(URX_LA_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- op = URX_BUILD(URX_BACKTRACK, 0);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- op = URX_BUILD(URX_LA_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LA_END, dataLoc);
++ appendOp(URX_BACKTRACK, 0);
++ appendOp(URX_LA_END, dataLoc);
+
+ // Patch the URX_SAVE near the top of the block.
+@@ -2110,5 +2135,5 @@
+ U_ASSERT(URX_TYPE(saveOp) == URX_STATE_SAVE);
+ int32_t dest = fRXPat->fCompiledPat->size()-1;
+- saveOp = URX_BUILD(URX_STATE_SAVE, dest);
++ saveOp = buildOp(URX_STATE_SAVE, dest);
+ fRXPat->fCompiledPat->setElementAt(saveOp, fMatchOpenParen);
+ }
+@@ -2123,8 +2148,6 @@
+ U_ASSERT(URX_TYPE(startOp) == URX_LB_START);
+ int32_t dataLoc = URX_VAL(startOp);
+- int32_t op = URX_BUILD(URX_LB_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
+- op = URX_BUILD(URX_LA_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LB_END, dataLoc);
++ appendOp(URX_LA_END, dataLoc);
+
+ // Determine the min and max bounds for the length of the
+@@ -2162,6 +2185,5 @@
+ U_ASSERT(URX_TYPE(startOp) == URX_LB_START);
+ int32_t dataLoc = URX_VAL(startOp);
+- int32_t op = URX_BUILD(URX_LBN_END, dataLoc);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(URX_LBN_END, dataLoc);
+
+ // Determine the min and max bounds for the length of the
+@@ -2188,5 +2210,5 @@
+ // Insert the pattern location to continue at after a successful match
+ // as the last operand of the URX_LBN_CONT
+- op = URX_BUILD(URX_RELOC_OPRND, fRXPat->fCompiledPat->size());
++ int32_t op = buildOp(URX_RELOC_OPRND, fRXPat->fCompiledPat->size());
+ fRXPat->fCompiledPat->setElementAt(op, fMatchOpenParen-1);
+ }
+@@ -2229,5 +2251,5 @@
+ {
+ // Set of no elements. Always fails to match.
+- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKTRACK, 0), *fStatus);
++ appendOp(URX_BACKTRACK, 0);
+ delete theSet;
+ }
+@@ -2250,6 +2272,5 @@
+ int32_t setNumber = fRXPat->fSets->size();
+ fRXPat->fSets->addElement(theSet, *fStatus);
+- int32_t setOp = URX_BUILD(URX_SETREF, setNumber);
+- fRXPat->fCompiledPat->addElement(setOp, *fStatus);
++ appendOp(URX_SETREF, setNumber);
+ }
+ }
+@@ -2285,8 +2306,8 @@
+ // The operands for the CTR_INIT opcode include the index in the matcher data
+ // of the counter. Allocate it now.
+- int32_t counterLoc = fRXPat->fFrameSize;
+- fRXPat->fFrameSize++;
++ int32_t dataSize = fIntervalUpper < 0 ? 2 : 1;
++ int32_t counterLoc = allocateStackData(dataSize);
+
+- int32_t op = URX_BUILD(InitOp, counterLoc);
++ int32_t op = buildOp(InitOp, counterLoc);
+ fRXPat->fCompiledPat->setElementAt(op, topOfBlock);
+
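Review bot: `int32_t dataSize = fIntervalUpper < 0 ? 2 : 1;` changes how many frame slots a counted loop reserves, but the comment above it still describes a single counter. A line such as `// Loops with no upper bound (fIntervalUpper < 0) reserve a second frame slot after the counter.` plus a word on what that slot holds would help. The hunk does not show which opcode uses the extra slot, so that part should be confirmed against the matcher. The enclosing function starts and ends outside this hunk.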
+@@ -2296,5 +2317,5 @@
+ // position to move.
+ int32_t loopEnd = fRXPat->fCompiledPat->size();
+- op = URX_BUILD(URX_RELOC_OPRND, loopEnd);
++ op = buildOp(URX_RELOC_OPRND, loopEnd);
+ fRXPat->fCompiledPat->setElementAt(op, topOfBlock+1);
+
+@@ -2305,6 +2326,5 @@
+ // Apend the CTR_LOOP op. The operand is the location of the CTR_INIT op.
+ // Goes at end of the block being looped over, so just append to the code so far.
+- op = URX_BUILD(LoopOp, topOfBlock);
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(LoopOp, topOfBlock);
+
+ if ((fIntervalLow & 0xff000000) != 0 ||
+@@ -2359,5 +2379,5 @@
+ int32_t endOfSequenceLoc = fRXPat->fCompiledPat->size()-1
+ + fIntervalUpper + (fIntervalUpper-fIntervalLow);
+- int32_t saveOp = URX_BUILD(URX_STATE_SAVE, endOfSequenceLoc);
++ int32_t saveOp = buildOp(URX_STATE_SAVE, endOfSequenceLoc);
+ if (fIntervalLow == 0) {
+ insertOp(topOfBlock);
+@@ -2372,11 +2392,8 @@
+ int32_t i;
+ for (i=1; i<fIntervalUpper; i++ ) {
+- if (i == fIntervalLow) {
+- fRXPat->fCompiledPat->addElement(saveOp, *fStatus);
+- }
+- if (i > fIntervalLow) {
+- fRXPat->fCompiledPat->addElement(saveOp, *fStatus);
++ if (i >= fIntervalLow) {
++ appendOp(saveOp);
+ }
+- fRXPat->fCompiledPat->addElement(op, *fStatus);
++ appendOp(op);
+ }
+ return TRUE;
+@@ -3509,5 +3526,5 @@
+ U_ASSERT(operandAddress>=0 && operandAddress<deltas.size());
+ int32_t fixedOperandAddress = operandAddress - deltas.elementAti(operandAddress);
+- op = URX_BUILD(opType, fixedOperandAddress);
++ op = buildOp(opType, fixedOperandAddress);
+ fRXPat->fCompiledPat->setElementAt(op, dst);
+ dst++;
+@@ -3524,5 +3541,5 @@
+ }
+ where = fRXPat->fGroupMap->elementAti(where-1);
+- op = URX_BUILD(opType, where);
++ op = buildOp(opType, where);
+ fRXPat->fCompiledPat->setElementAt(op, dst);
+ dst++;
+@@ -3876,5 +3893,5 @@
+ //
+ // scanNamedChar
+- // Get a UChar32 from a \N{UNICODE CHARACTER NAME} in the pattern.
++// Get a UChar32 from a \N{UNICODE CHARACTER NAME} in the pattern.
+ //
+ // The scan position will be at the 'N'. On return
+diff -ru2 1.icu/source/i18n/regexcmp.h 2.icu/source/i18n/regexcmp.h
+--- 1.icu/source/i18n/regexcmp.h 2015-04-10 19:39:22.737990352 +0200
++++ 2.icu/source/i18n/regexcmp.h 2015-04-10 19:39:47.696150439 +0200
+@@ -104,4 +104,11 @@
+ void insertOp(int32_t where); // Open up a slot for a new op in the
+ // generated code at the specified location.
++ void appendOp(int32_t op); // Append a new op to the compiled pattern.
++ void appendOp(int32_t type, int32_t val); // Build & append a new op to the compiled pattern.
++ int32_t buildOp(int32_t type, int32_t val); // Construct a new pcode instruction.
++ int32_t allocateData(int32_t size); // Allocate space in the matcher data area.
++ // Return index of the newly allocated data.
++ int32_t allocateStackData(int32_t size); // Allocate space in the match back-track stack frame.
++ // Return offset index in the frame.
+ int32_t minMatchLength(int32_t start,
+ int32_t end);
+diff -ru2 1.icu/source/i18n/regeximp.h 2.icu/source/i18n/regeximp.h
+--- 1.icu/source/i18n/regeximp.h 2013-01-11 01:22:48.000000000 +0100
++++ 2.icu/source/i18n/regeximp.h 2015-04-10 19:39:47.696150439 +0200
+@@ -1,4 +1,4 @@
+ //
+-// Copyright (C) 2002-2012 International Business Machines Corporation
++// Copyright (C) 2002-2014 International Business Machines Corporation
+ // and others. All rights reserved.
+ //
+@@ -255,5 +255,4 @@
+ // Convenience macros for assembling and disassembling a compiled operation.
+ //
+-#define URX_BUILD(type, val) (int32_t)((type << 24) | (val))
+ #define URX_TYPE(x) ((uint32_t)(x) >> 24)
+ #define URX_VAL(x) ((x) & 0xffffff)
+diff -ru2 1.icu/source/test/intltest/regextst.cpp 2.icu/source/test/intltest/regextst.cpp
+--- 1.icu/source/test/intltest/regextst.cpp 2013-01-11 01:22:02.000000000 +0100
++++ 2.icu/source/test/intltest/regextst.cpp 2015-04-10 19:39:47.697150446 +0200
+@@ -132,4 +132,7 @@
+ if (exec) Bug9283();
+ break;
++ case 22: name = "TestBug11371";
++ if (exec) TestBug11371();
++ break;
+
+ default: name = "";
+@@ -5216,4 +5219,47 @@
+ }
+
++void RegexTest::TestBug11371() {
++ if (quick) {
++ logln("Skipping test. Runs in exhuastive mode only.");
++ return;
++ }
++ UErrorCode status = U_ZERO_ERROR;
++ UnicodeString patternString;
++
++ for (int i=0; i<8000000; i++) {
++ patternString.append(UnicodeString("()"));
++ }
++ LocalPointer<RegexPattern> compiledPat(RegexPattern::compile(patternString, 0, status));
++ if (status != U_REGEX_PATTERN_TOO_BIG) {
++ errln("File %s, line %d expected status=U_REGEX_PATTERN_TOO_BIG; got %s.",
++ __FILE__, __LINE__, u_errorName(status));
++ }
++
++ status = U_ZERO_ERROR;
++ patternString = "(";
++ for (int i=0; i<20000000; i++) {
++ patternString.append(UnicodeString("A++"));
++ }
++ patternString.append(UnicodeString("){0}B++"));
++ LocalPointer<RegexPattern> compiledPat2(RegexPattern::compile(patternString, 0, status));
++ if (status != U_REGEX_PATTERN_TOO_BIG) {
++ errln("File %s, line %d expected status=U_REGEX_PATTERN_TOO_BIG; got %s.",
++ __FILE__, __LINE__, u_errorName(status));
++ }
++
++ // Pattern with too much string data, such that string indexes overflow operand data field size
++ // in compiled instruction.
++ status = U_ZERO_ERROR;
++ patternString = "";
++ while (patternString.length() < 0x00ffffff) {
++ patternString.append(UnicodeString("stuff and things dont you know, these are a few of my favorite strings\n"));
++ }
++ patternString.append(UnicodeString("X? trailing string"));
++ LocalPointer<RegexPattern> compiledPat3(RegexPattern::compile(patternString, 0, status));
++ if (status != U_REGEX_PATTERN_TOO_BIG) {
++ errln("File %s, line %d expected status=U_REGEX_PATTERN_TOO_BIG; got %s.",
++ __FILE__, __LINE__, u_errorName(status));
++ }
++}
+
+ void RegexTest::CheckInvBufSize() {
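Review bot: Only the third case in TestBug11371 says which limit it exercises; the first two should get the same kind of comment, e.g. `// 8,000,000 empty groups: compiled pattern outgrows the 24-bit operand range.` for the `()` loop (my reading of it, to be confirmed). The test also returns early under `quick`, so default runs do not cover the new `U_REGEX_PATTERN_TOO_BIG` paths; a smaller case that runs in quick mode would keep the regression guarded. The log string has a typo, `exhuastive` for `exhaustive`.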
+diff -ru2 1.icu/source/test/intltest/regextst.h 2.icu/source/test/intltest/regextst.h
+--- 1.icu/source/test/intltest/regextst.h 2013-01-11 01:21:58.000000000 +0100
++++ 2.icu/source/test/intltest/regextst.h 2015-04-10 19:39:47.697150446 +0200
+@@ -47,4 +47,5 @@
+ virtual void Bug7029();
+ virtual void Bug9283();
++ virtual void TestBug11371();
+ virtual void CheckInvBufSize();
+
diff --git a/icu.spec b/icu.spec
index fab7bdb..b342a45 100644
--- a/icu.spec
+++ b/icu.spec
@@ -1,6 +1,6 @@
Name: icu
Version: 50.1.2
-Release: 11%{?dist}
+Release: 12%{?dist}
Summary: International Components for Unicode
Group: Development/Tools
License: MIT and UCD and Public Domain
@@ -22,7 +22,11 @@ Patch6: icuinfo-man.patch
Patch7: icu.10143.memory.leak.crash.patch
Patch8: icu.10318.CVE-2013-2924_changeset_34076.patch
Patch9: icu-testtwodigityear.patch
-Patch10: icu.changeset_37086.patch
+Patch10: icu.changeset_33835.patch
+Patch11: icu.changeset_36724.patch
+Patch12: icu.changeset_36727.patch
+Patch13: icu.changeset_36801.patch
+Patch14: icu.changeset_37086.patch
%description
Tools and utilities for developing with icu.
@@ -75,7 +79,11 @@ BuildArch: noarch
%patch7 -p1 -b .icu10143.memory.leak.crash.patch
%patch8 -p1 -b .icu10318.CVE-2013-2924_changeset_34076.patch
%patch9 -p1 -b .icu-testtwodigityear.patch
-%patch10 -p1 -b .icu.changeset_37086.patch
+%patch10 -p1 -b .icu.changeset_33835.patch
+%patch11 -p1 -b .icu.changeset_36724.patch
+%patch12 -p1 -b .icu.changeset_36727.patch
+%patch13 -p1 -b .icu.changeset_36801.patch
+%patch14 -p1 -b .icu.changeset_37086.patch
%build
cd source
@@ -183,6 +191,9 @@ make %{?_smp_mflags} -C source check
%doc source/__docs/%{name}/html/*
%changelog
+* Fri Apr 10 2015 Eike Rathke <erack at redhat.com> - 50.1.2-12
+- Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591
+
* Mon Mar 09 2015 Eike Rathke <erack at redhat.com> - 50.1.2-11
- TestTwoDigitYear build fix
- Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/icu.git/commit/?h=f20&id=25f62cfe2cac4bcf3bbdd16267b7d17ddff1821a