
From: "Christian Hoffmann (hoffie)" <hoffie@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in dev-libs/icu/files: icu-3.8-regexp-CVE-2007-4770+4771.diff
Date: Sat, 02 Feb 2008 21:55:02
Message-Id: E1JLQKB-0002YF-VL@stork.gentoo.org
1 hoffie 08/02/02 21:54:59
2
3 Added: icu-3.8-regexp-CVE-2007-4770+4771.diff
4 Log:
5 adding patch for CVE-2007-{4770,4771} per bug #208001, thanks to jakub
6 (Portage version: 2.1.4.1)
7
8 Revision Changes Path
9 1.1 dev-libs/icu/files/icu-3.8-regexp-CVE-2007-4770+4771.diff
10
11 file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/icu/files/icu-3.8-regexp-CVE-2007-4770+4771.diff?rev=1.1&view=markup
12 plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/icu/files/icu-3.8-regexp-CVE-2007-4770+4771.diff?rev=1.1&content-type=text/plain
13
14 Index: icu-3.8-regexp-CVE-2007-4770+4771.diff
15 ===================================================================
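--- a/i18n/regexcmp.cpp
+++ b/i18n/regexcmp.cpp
@@ -3,5 +3,5 @@
 // file: regexcmp.cpp
 //
-// Copyright (C) 2002-2007 International Business Machines Corporation and others.
+// Copyright (C) 2002-2008 International Business Machines Corporation and others.
 // All Rights Reserved.
 //
@@ -1187,12 +1187,15 @@
 // we fill the operand with the capture group number. At the end
 // of compilation, it will be changed to the variable's location.
- U_ASSERT(groupNum > 0);
- int32_t op;
- if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
- op = URX_BUILD(URX_BACKREF_I, groupNum);
+ if (groupNum < 1) {
+ error(U_REGEX_INVALID_BACK_REF);
 } else {
- op = URX_BUILD(URX_BACKREF, groupNum);
- }
- fRXPat->fCompiledPat->addElement(op, *fStatus);
+ int32_t op;
+ if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
+ op = URX_BUILD(URX_BACKREF_I, groupNum);
+ } else {
+ op = URX_BUILD(URX_BACKREF, groupNum);
+ }
+ fRXPat->fCompiledPat->addElement(op, *fStatus);
+ }
 }
 break;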
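Review bot: The runtime `groupNum < 1` check in the second hunk replaces a `U_ASSERT`, but nothing in the hunk records why an assert was not enough, so a later cleanup could reinstate it. Suggest a comment above the check: `// A pattern such as "(ab)\0" reaches here with group number 0 (see the new test in regextst.cpp); U_ASSERT is compiled out in release builds, so report a real error instead.` Whether a group number larger than the number of capture groups is rejected elsewhere is not visible in this hunk and is worth confirming. The enclosing switch case starts before the hunk.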
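--- a/i18n/rematch.cpp
+++ b/i18n/rematch.cpp
@@ -1,5 +1,5 @@
 /*
 **************************************************************************
-* Copyright (C) 2002-2007 International Business Machines Corporation *
+* Copyright (C) 2002-2008 International Business Machines Corporation *
 * and others. All rights reserved. *
 **************************************************************************
@@ -30,4 +30,13 @@
 
 U_NAMESPACE_BEGIN
+
+// Limit the size of the back track stack, to avoid system failures caused
+// by heap exhaustion. Units are in 32 bit words, not bytes.
+// This value puts ICU's limits higher than most other regexp implementations,
+// which use recursion rather than the heap, and take more storage per
+// backtrack point.
+// This constant is _temporary_. Proper API to control the value will added.
+//
+static const int32_t BACKTRACK_STACK_CAPACITY = 8000000;
 
 //-----------------------------------------------------------------------------
@@ -54,6 +63,7 @@
 if (fStack == NULL || fData == NULL) {
 fDeferredStatus = U_MEMORY_ALLOCATION_ERROR;
- }
-
+ } else {
+ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+ }
 reset(RegexStaticSets::gStaticSets->fEmptyString);
 }
@@ -79,4 +89,6 @@
 if (fStack == NULL || fData == NULL) {
 status = U_MEMORY_ALLOCATION_ERROR;
+ } else {
+ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
 }
 reset(input);
@@ -103,4 +115,6 @@
 if (fStack == NULL || fData == NULL) {
 status = U_MEMORY_ALLOCATION_ERROR;
+ } else {
+ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
 }
 reset(RegexStaticSets::gStaticSets->fEmptyString);
@@ -1015,4 +1029,12 @@
 // push storage for a new frame.
 int32_t *newFP = fStack->reserveBlock(frameSize, status);
+ if (newFP == NULL) {
+ // Heap allocation error on attempted stack expansion.
+ // We need to return a writable stack frame, so just return the
+ // previous frame. The match operation will stop quickly
+ // becuase of the error status, after which the frame will never
+ // be looked at again.
+ return fp;
+ }
 fp = (REStackFrame *)(newFP - frameSize); // in case of realloc of stack.
 
@@ -1030,6 +1052,6 @@
 return (REStackFrame *)newFP;
 }
-
-
+
+
 //--------------------------------------------------------------------------------
 //
@@ -2262,4 +2284,5 @@
 
 if (U_FAILURE(status)) {
+ isMatch = FALSE;
 break;
 }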
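Review bot: The `return fp;` added in the reserveBlock hunk hands the caller the previous frame and relies on every caller checking `status` before touching it, and as a result the public matching calls now fail with `U_BUFFER_OVERFLOW_ERROR` (the code the new test expects), which no hunk here documents at the API level. Suggest the public doc comments for `matches()`/`find()` state that matching fails with U_BUFFER_OVERFLOW_ERROR when the backtrack stack exceeds the built-in limit. The same `fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);` line is repeated in three constructors; a single private init helper would keep the limit in one place once the API the constant's comment promises arrives. The added comment also misspells "because". Each hunk's enclosing function starts and ends outside the hunk.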
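--- a/test/intltest/regextst.h
+++ b/test/intltest/regextst.h
@@ -1,5 +1,5 @@
 /********************************************************************
 * COPYRIGHT:
- * Copyright (c) 2002-2007, International Business Machines Corporation and
+ * Copyright (c) 2002-2008, International Business Machines Corporation and
 * others. All Rights Reserved.
 ********************************************************************/
@@ -31,4 +31,5 @@
 virtual void Errors();
 virtual void PerlTests();
+ virtual void Bug6149();
 
 // The following functions are internal to the regexp tests.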
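--- a/test/intltest/regextst.cpp
+++ b/test/intltest/regextst.cpp
@@ -1,5 +1,5 @@
 /********************************************************************
 * COPYRIGHT:
- * Copyright (c) 2002-2007, International Business Machines Corporation and
+ * Copyright (c) 2002-2008, International Business Machines Corporation and
 * others. All Rights Reserved.
 ********************************************************************/
@@ -67,4 +67,8 @@
 if (exec) PerlTests();
 break;
+ case 7: name = "Bug 6149";
+ if (exec) Bug6149();
+ break;
+
 
 
@@ -1640,4 +1644,10 @@
 // Ticket 5389
 REGEX_ERR("*c", 1, 1, U_REGEX_RULE_SYNTAX);
+
+ // Invalid Back Reference \0
+ // For ICU 3.8 and earlier
+ // For ICU versions newer than 3.8, \0 introduces an octal escape.
+ //
+ REGEX_ERR("(ab)\\0", 1, 6, U_REGEX_INVALID_BACK_REF);
 
 }
@@ -2123,4 +2133,24 @@
 
 
+//--------------------------------------------------------------
+//
+// Bug6149 Verify limits to heap expansion for backtrack stack.
+// Use this pattern,
+// "(a?){1,}"
+// The zero-length match will repeat forever.
+// (That this goes into a loop is another bug)
+//
+//---------------------------------------------------------------
+void RegexTest::Bug6149() {
+ UnicodeString pattern("(a?){1,}");
+ UnicodeString s("xyz");
+ uint32_t flags = 0;
+ UErrorCode status = U_ZERO_ERROR;
+
+ RegexMatcher matcher(pattern, s, flags, status);
+ UBool result = false;
+ REGEX_ASSERT_FAIL(result=matcher.matches(status), U_BUFFER_OVERFLOW_ERROR);
+ REGEX_ASSERT(result == FALSE);
+ }
 
 #endif /* !UCONFIG_NO_REGULAR_EXPRESSIONS */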
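Review bot: `Bug6149` only reaches the capacity limit because `(a?){1,}` loops forever on a zero-length match, which the header comment itself calls another bug; once that loop is fixed this test stops exercising the limit without anyone noticing. Suggest a comment on the pattern line, `// Relies on the zero-length-match loop; if that is fixed, switch to a pattern that genuinely needs more than BACKTRACK_STACK_CAPACITY backtrack words.` Each run also grows the backtrack stack to 8,000,000 32-bit words (about 32 MB, per the constant in rematch.cpp) before failing, which is worth stating in the test comment for anyone profiling the suite. The body also initialises `result` with `false` and compares it with `FALSE` on the next line; use the `UBool` spelling consistently.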
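--- a/common/uvectr32.cpp
+++ b/common/uvectr32.cpp
@@ -1,5 +1,5 @@
 /*
 ******************************************************************************
-* Copyright (C) 1999-2003, International Business Machines Corporation and *
+* Copyright (C) 1999-2008, International Business Machines Corporation and *
 * others. All Rights Reserved. *
 ******************************************************************************
@@ -27,4 +27,5 @@
 count(0),
 capacity(0),
+ maxCapacity(0),
 elements(NULL)
 {
@@ -35,4 +36,5 @@
 count(0),
 capacity(0),
+ maxCapacity(0),
 elements(0)
 {
@@ -46,4 +48,7 @@
 if (initialCapacity < 1) {
 initialCapacity = DEFUALT_CAPACITY;
+ }
+ if (maxCapacity>0 && maxCapacity<initialCapacity) {
+ initialCapacity = maxCapacity;
 }
 elements = (int32_t *)uprv_malloc(sizeof(int32_t)*initialCapacity);
@@ -190,19 +195,33 @@
 if (capacity >= minimumCapacity) {
 return TRUE;
- } else {
- int32_t newCap = capacity * 2;
- if (newCap < minimumCapacity) {
- newCap = minimumCapacity;
- }
- int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap);
- if (newElems == 0) {
- status = U_MEMORY_ALLOCATION_ERROR;
- return FALSE;
- }
- uprv_memcpy(newElems, elements, sizeof(elements[0]) * count);
- uprv_free(elements);
- elements = newElems;
- capacity = newCap;
- return TRUE;
+ }
+ if (maxCapacity>0 && minimumCapacity>maxCapacity) {
+ status = U_BUFFER_OVERFLOW_ERROR;
+ return FALSE;
+ }
+ int32_t newCap = capacity * 2;
+ if (newCap < minimumCapacity) {
+ newCap = minimumCapacity;
+ }
+ if (maxCapacity > 0 && newCap > maxCapacity) {
+ newCap = maxCapacity;
+ }
+ int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap);
+ if (newElems == 0) {
+ status = U_MEMORY_ALLOCATION_ERROR;
+ return FALSE;
+ }
+ uprv_memcpy(newElems, elements, sizeof(elements[0]) * count);
+ uprv_free(elements);
+ elements = newElems;
+ capacity = newCap;
+ return TRUE;
+}
+
+void UVector32::setMaxCapacity(int32_t limit) {
+ U_ASSERT(limit >= 0);
+ maxCapacity = limit;
+ if (maxCapacity < 0) {
+ maxCapacity = 0;
 }
 }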
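Review bot: In the `ensureCapacity` hunk, `int32_t newCap = capacity * 2;` can still overflow when no limit is set (`maxCapacity == 0`): once `capacity` exceeds `INT32_MAX / 2` the doubling is signed overflow, and on a 32-bit `size_t` the later `sizeof(int32_t)*newCap` wraps for large positive `newCap`, yielding an undersized buffer that `uprv_memcpy` then overruns. The new limit only protects vectors on which `setMaxCapacity` has been called, so the regex stack is covered but other UVector32 users are not; suggest `int32_t newCap = (capacity <= INT32_MAX / 2) ? capacity * 2 : minimumCapacity;` plus rejecting a negative `minimumCapacity` before it. In `setMaxCapacity`, the `maxCapacity < 0` clamp after `U_ASSERT(limit >= 0)` is reasonable release-build defense, but a short comment saying so would stop it being removed as dead code. The `_init` hunk tests `maxCapacity` right after the initializer lists set it to 0, so that clamp presumably only matters if `_init` is reached by another path — worth confirming.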
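--- a/common/uvectr32.h
+++ b/common/uvectr32.h
@@ -1,5 +1,5 @@
 /*
 **********************************************************************
-* Copyright (C) 1999-2006, International Business Machines
+* Copyright (C) 1999-2008, International Business Machines
 * Corporation and others. All Rights Reserved.
 **********************************************************************
@@ -62,4 +62,6 @@
 
 int32_t capacity;
+
+ int32_t maxCapacity; // Limit beyond which capacity is not permitted to grow.
 
 int32_t* elements;
@@ -161,4 +163,12 @@
 */
 int32_t *getBuffer() const;
+
+ /**
+ * Set the maximum allowed buffer capacity for this vector/stack.
+ * Default with no limit set is unlimited, go until malloc() fails.
+ * A Limit of zero means unlimited capacity.
+ * Units are vector elements (32 bits each), not bytes.
+ */
+ void setMaxCapacity(int32_t limit);
 
 /**
@@ -222,5 +232,7 @@
 
 inline int32_t *UVector32::reserveBlock(int32_t size, UErrorCode &status) {
- ensureCapacity(count+size, status);
+ if (ensureCapacity(count+size, status) == FALSE) {
+ return NULL;
+ }
 int32_t *rp = elements+count;
 count += size;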
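Review bot: `reserveBlock` now returns `NULL` when `ensureCapacity` fails, but its doc comment (above the hunk, if it has one) is not updated, and the new `setMaxCapacity` doc does not say that a limit below the current `capacity` is not enforced retroactively — `ensureCapacity` in uvectr32.cpp returns TRUE whenever `capacity >= minimumCapacity` before it looks at `maxCapacity`, so already-allocated storage stays usable. Suggest adding to the `setMaxCapacity` comment `* Setting a limit below the current capacity does not shrink the buffer; it only prevents further growth.` and to `reserveBlock` `* @return pointer to the reserved block, or NULL if the capacity could not be grown (status is set).` Any caller of `reserveBlock` other than the regex matcher now needs the NULL check as well; none are visible here. `reserveBlock` continues past the end of the hunk.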
320
321
322
323
324 --
325 gentoo-commits@l.g.o mailing list