1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
libpcre2-10.23: Fix CVE-2017-8786
The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
service (heap-based buffer overflow) or possibly have unspecified other impact
via a crafted regular expression.
Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697&view=patch]
CVE: CVE-2017-8786
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
--- trunk/src/pcre2test.c 2017/03/21 16:18:54 692
+++ trunk/src/pcre2test.c 2017/03/21 18:36:13 697
@@ -1017,9 +1017,9 @@
if (test_mode == PCRE8_MODE) \
r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \
else if (test_mode == PCRE16_MODE) \
- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \
+ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \
else \
- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
+ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
#define PCRE2_GET_OVECTOR_COUNT(a,b) \
if (test_mode == PCRE8_MODE) \
@@ -1399,6 +1399,9 @@
/* ----- Common macros for two-mode cases ----- */
+#define BYTEONE (BITONE/8)
+#define BYTETWO (BITTWO/8)
+
#define CASTFLD(t,a,b) \
((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \
(t)(G(a,BITTWO)->b))
@@ -1481,9 +1484,9 @@
#define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
if (test_mode == G(G(PCRE,BITONE),_MODE)) \
- r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \
+ r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \
else \
- r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size))
+ r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO))
#define PCRE2_GET_OVECTOR_COUNT(a,b) \
if (test_mode == G(G(PCRE,BITONE),_MODE)) \
@@ -1904,7 +1907,7 @@
#define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j)
#define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
- r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size))
+ r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2))
#define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16))
#define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16))
#define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b)
@@ -2000,7 +2003,7 @@
#define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j)
#define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
- r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
+ r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
#define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32))
#define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32))
#define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b)
@@ -2889,7 +2892,7 @@
{
if (pbuffer32 != NULL) free(pbuffer32);
pbuffer32_size = 4*len + 4;
- if (pbuffer32_size < 256) pbuffer32_size = 256;
+ if (pbuffer32_size < 512) pbuffer32_size = 512;
pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
if (pbuffer32 == NULL)
{
@@ -7600,7 +7603,8 @@
int errcode;
char *endptr;
-/* Ensure the relevant non-8-bit buffer is available. */
+/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at
+least 128 code units, because it is used for retrieving error messages. */
#ifdef SUPPORT_PCRE2_16
if (test_mode == PCRE16_MODE)
@@ -7620,7 +7624,7 @@
#ifdef SUPPORT_PCRE2_32
if (test_mode == PCRE32_MODE)
{
- pbuffer32_size = 256;
+ pbuffer32_size = 512;
pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
if (pbuffer32 == NULL)
{
|