summaryrefslogtreecommitdiff
path: root/meta/recipes-support/libpcre/libpcre2/libpcre2-CVE-2017-8786.patch
blob: eafafc1f69e9744ff5cc947cba43e9432090a1fc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
libpcre2-10.23: Fix CVE-2017-8786

The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of
service (heap-based buffer overflow) or possibly have unspecified other impact
via a crafted regular expression.

Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697&view=patch]
CVE: CVE-2017-8786

Signed-off-by: Robert Yang <liezhi.yang@windriver.com>

--- trunk/src/pcre2test.c  2017/03/21 16:18:54 692
+++ trunk/src/pcre2test.c  2017/03/21 18:36:13 697
@@ -1017,9 +1017,9 @@
   if (test_mode == PCRE8_MODE) \
     r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \
   else if (test_mode == PCRE16_MODE) \
-    r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \
+    r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \
   else \
-    r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
+    r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
 
 #define PCRE2_GET_OVECTOR_COUNT(a,b) \
   if (test_mode == PCRE8_MODE) \
@@ -1399,6 +1399,9 @@
 
 /* ----- Common macros for two-mode cases ----- */
 
+#define BYTEONE (BITONE/8)
+#define BYTETWO (BITTWO/8)
+
 #define CASTFLD(t,a,b) \
   ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \
     (t)(G(a,BITTWO)->b))
@@ -1481,9 +1484,9 @@
 
 #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
   if (test_mode == G(G(PCRE,BITONE),_MODE)) \
-    r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \
+    r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \
   else \
-    r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size))
+    r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO))
 
 #define PCRE2_GET_OVECTOR_COUNT(a,b) \
   if (test_mode == G(G(PCRE,BITONE),_MODE)) \
@@ -1904,7 +1907,7 @@
 #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
   a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j)
 #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
-  r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size))
+  r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2))
 #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16))
 #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16))
 #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b)
@@ -2000,7 +2003,7 @@
 #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \
   a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j)
 #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \
-  r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size))
+  r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4))
 #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32))
 #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32))
 #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b)
@@ -2889,7 +2892,7 @@
   {
   if (pbuffer32 != NULL) free(pbuffer32);
   pbuffer32_size = 4*len + 4;
-  if (pbuffer32_size < 256) pbuffer32_size = 256;
+  if (pbuffer32_size < 512) pbuffer32_size = 512;
   pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
   if (pbuffer32 == NULL)
     {
@@ -7600,7 +7603,8 @@
   int errcode;
   char *endptr;
 
-/* Ensure the relevant non-8-bit buffer is available. */
+/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at 
+least 128 code units, because it is used for retrieving error messages. */
 
 #ifdef SUPPORT_PCRE2_16
   if (test_mode == PCRE16_MODE)
@@ -7620,7 +7624,7 @@
 #ifdef SUPPORT_PCRE2_32
   if (test_mode == PCRE32_MODE)
     {
-    pbuffer32_size = 256;
+    pbuffer32_size = 512;
     pbuffer32 = (uint32_t *)malloc(pbuffer32_size);
     if (pbuffer32 == NULL)
       {