hoffie 08/02/02 21:54:59 |
Added: icu-3.8-regexp-CVE-2007-4770+4771.diff |
Log: |
adding patch for CVE-2007-{4770,4771} per bug #208001, thanks to jakub |
(Portage version: 2.1.4.1) |
Revision Changes Path |
1.1 dev-libs/icu/files/icu-3.8-regexp-CVE-2007-4770+4771.diff |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/icu/files/icu-3.8-regexp-CVE-2007-4770+4771.diff?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-libs/icu/files/icu-3.8-regexp-CVE-2007-4770+4771.diff?rev=1.1&content-type=text/plain |
Index: icu-3.8-regexp-CVE-2007-4770+4771.diff |
=================================================================== |
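--- a/i18n/regexcmp.cpp
+++ b/i18n/regexcmp.cpp
@@ -3,5 +3,5 @@
 // file: regexcmp.cpp
 //
-// Copyright (C) 2002-2007 International Business Machines Corporation and others.
+// Copyright (C) 2002-2008 International Business Machines Corporation and others.
 // All Rights Reserved.
 //
@@ -1187,12 +1187,15 @@
 // we fill the operand with the capture group number. At the end
 // of compilation, it will be changed to the variable's location.
- U_ASSERT(groupNum > 0);
- int32_t op;
- if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
- op = URX_BUILD(URX_BACKREF_I, groupNum);
+ if (groupNum < 1) {
+ error(U_REGEX_INVALID_BACK_REF);
 } else {
- op = URX_BUILD(URX_BACKREF, groupNum);
- }
- fRXPat->fCompiledPat->addElement(op, *fStatus);
+ int32_t op;
+ if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
+ op = URX_BUILD(URX_BACKREF_I, groupNum);
+ } else {
+ op = URX_BUILD(URX_BACKREF, groupNum);
+ }
+ fRXPat->fCompiledPat->addElement(op, *fStatus);
+ }
 }
 break;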
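Review bot: Turning `U_ASSERT(groupNum > 0)` into `error(U_REGEX_INVALID_BACK_REF)` in the second hunk is the right fix, since a debug-only assert gave release builds no protection at all against `\0`, but the hunk shows only the lower bound; whether a reference to a group number greater than the number of groups defined so far is rejected before this point is not visible here, and if it is not, the same `URX_BUILD` path would emit an operand the end-of-compilation fix-up cannot map to a variable slot. A one-line comment above the new check would make the intent explicit for the next reader: `// Group 0 is the whole match, not a capture group; \0 is not a valid back reference.` The enclosing function starts and ends outside the hunk.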
50 |
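--- a/i18n/rematch.cpp
+++ b/i18n/rematch.cpp
@@ -1,5 +1,5 @@
 /*
 **************************************************************************
-* Copyright (C) 2002-2007 International Business Machines Corporation *
+* Copyright (C) 2002-2008 International Business Machines Corporation *
 * and others. All rights reserved. *
 **************************************************************************
@@ -30,4 +30,13 @@
 
 U_NAMESPACE_BEGIN
+
+// Limit the size of the back track stack, to avoid system failures caused
+// by heap exhaustion. Units are in 32 bit words, not bytes.
+// This value puts ICU's limits higher than most other regexp implementations,
+// which use recursion rather than the heap, and take more storage per
+// backtrack point.
+// This constant is _temporary_. Proper API to control the value will added.
+//
+static const int32_t BACKTRACK_STACK_CAPACITY = 8000000;
 
 //-----------------------------------------------------------------------------
@@ -54,6 +63,7 @@
 if (fStack == NULL || fData == NULL) {
 fDeferredStatus = U_MEMORY_ALLOCATION_ERROR;
- }
-
+ } else {
+ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+ }
 reset(RegexStaticSets::gStaticSets->fEmptyString);
 }
@@ -79,4 +89,6 @@
 if (fStack == NULL || fData == NULL) {
 status = U_MEMORY_ALLOCATION_ERROR;
+ } else {
+ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
 }
 reset(input);
@@ -103,4 +115,6 @@
 if (fStack == NULL || fData == NULL) {
 status = U_MEMORY_ALLOCATION_ERROR;
+ } else {
+ fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
 }
 reset(RegexStaticSets::gStaticSets->fEmptyString);
@@ -1015,4 +1029,12 @@
 // push storage for a new frame.
 int32_t *newFP = fStack->reserveBlock(frameSize, status);
+ if (newFP == NULL) {
+ // Heap allocation error on attempted stack expansion.
+ // We need to return a writable stack frame, so just return the
+ // previous frame. The match operation will stop quickly
+ // becuase of the error status, after which the frame will never
+ // be looked at again.
+ return fp;
+ }
 fp = (REStackFrame *)(newFP - frameSize); // in case of realloc of stack.
 
@@ -1030,6 +1052,6 @@
 return (REStackFrame *)newFP;
 }
-
-
+
+
 //--------------------------------------------------------------------------------
 //
@@ -2262,4 +2284,5 @@
 
 if (U_FAILURE(status)) {
+ isMatch = FALSE;
 break;
 }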
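Review bot: The comment on the new `newFP == NULL` branch in the `@@ -1015` hunk describes only a "Heap allocation error", but with this patch `reserveBlock` also returns NULL when `ensureCapacity` refuses to grow past `maxCapacity` and sets `U_BUFFER_OVERFLOW_ERROR`, which is the very case the new limit exists for, so the comment under-describes the path it guards (and misspells "becuase"). Suggested first line: `// Stack growth failed: either the backtrack-stack limit was hit (U_BUFFER_OVERFLOW_ERROR) or malloc failed (U_MEMORY_ALLOCATION_ERROR); status already carries the error.` Note also that each constructor calls `setMaxCapacity` on its own `fStack`, so `BACKTRACK_STACK_CAPACITY` bounds one matcher's stack rather than total process memory; the comment above the constant already flags it as temporary, and a remark that the limit is per matcher would make that trade-off visible to whoever adds the real API. The function containing the `@@ -1015` hunk starts and ends outside it.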
127 |
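--- a/test/intltest/regextst.h
+++ b/test/intltest/regextst.h
@@ -1,5 +1,5 @@
 /********************************************************************
 * COPYRIGHT:
- * Copyright (c) 2002-2007, International Business Machines Corporation and
+ * Copyright (c) 2002-2008, International Business Machines Corporation and
 * others. All Rights Reserved.
 ********************************************************************/
@@ -31,4 +31,5 @@
 virtual void Errors();
 virtual void PerlTests();
+ virtual void Bug6149();
 
 // The following functions are internal to the regexp tests.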
144 |
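--- a/test/intltest/regextst.cpp
+++ b/test/intltest/regextst.cpp
@@ -1,5 +1,5 @@
 /********************************************************************
 * COPYRIGHT:
- * Copyright (c) 2002-2007, International Business Machines Corporation and
+ * Copyright (c) 2002-2008, International Business Machines Corporation and
 * others. All Rights Reserved.
 ********************************************************************/
@@ -67,4 +67,8 @@
 if (exec) PerlTests();
 break;
+ case 7: name = "Bug 6149";
+ if (exec) Bug6149();
+ break;
+
 
 
@@ -1640,4 +1644,10 @@
 // Ticket 5389
 REGEX_ERR("*c", 1, 1, U_REGEX_RULE_SYNTAX);
+
+ // Invalid Back Reference \0
+ // For ICU 3.8 and earlier
+ // For ICU versions newer than 3.8, \0 introduces an octal escape.
+ //
+ REGEX_ERR("(ab)\\0", 1, 6, U_REGEX_INVALID_BACK_REF);
 
 }
@@ -2123,4 +2133,24 @@
 
 
+//--------------------------------------------------------------
+//
+// Bug6149 Verify limits to heap expansion for backtrack stack.
+// Use this pattern,
+// "(a?){1,}"
+// The zero-length match will repeat forever.
+// (That this goes into a loop is another bug)
+//
+//---------------------------------------------------------------
+void RegexTest::Bug6149() {
+ UnicodeString pattern("(a?){1,}");
+ UnicodeString s("xyz");
+ uint32_t flags = 0;
+ UErrorCode status = U_ZERO_ERROR;
+
+ RegexMatcher matcher(pattern, s, flags, status);
+ UBool result = false;
+ REGEX_ASSERT_FAIL(result=matcher.matches(status), U_BUFFER_OVERFLOW_ERROR);
+ REGEX_ASSERT(result == FALSE);
+ }
 
 #endif /* !UCONFIG_NO_REGULAR_EXPRESSIONS */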
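Review bot: `Bug6149` only reaches `U_BUFFER_OVERFLOW_ERROR` because of the separate zero-length-repeat loop that its own header comment calls "another bug"; once that loop is fixed, `matches()` will return without hitting the stack limit and this regression test for the limit will start failing for an unrelated reason. The comment should say so explicitly, e.g. `// NOTE: when the zero-length-repeat loop is fixed, this test needs a pattern that legitimately requires a deep backtrack stack.`, so the next person does not simply delete the test. Two smaller points of style in the same function: `UBool result = false;` is later compared with `== FALSE`, so use `FALSE` for the initializer too, and the closing brace is indented one level deeper than the function it closes. The `@@ -67` hunk also adds a stray empty `+` line after `break;`.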
200 |
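--- a/common/uvectr32.cpp
+++ b/common/uvectr32.cpp
@@ -1,5 +1,5 @@
 /*
 ******************************************************************************
-* Copyright (C) 1999-2003, International Business Machines Corporation and *
+* Copyright (C) 1999-2008, International Business Machines Corporation and *
 * others. All Rights Reserved. *
 ******************************************************************************
@@ -27,4 +27,5 @@
 count(0),
 capacity(0),
+ maxCapacity(0),
 elements(NULL)
 {
@@ -35,4 +36,5 @@
 count(0),
 capacity(0),
+ maxCapacity(0),
 elements(0)
 {
@@ -46,4 +48,7 @@
 if (initialCapacity < 1) {
 initialCapacity = DEFUALT_CAPACITY;
+ }
+ if (maxCapacity>0 && maxCapacity<initialCapacity) {
+ initialCapacity = maxCapacity;
 }
 elements = (int32_t *)uprv_malloc(sizeof(int32_t)*initialCapacity);
@@ -190,19 +195,33 @@
 if (capacity >= minimumCapacity) {
 return TRUE;
- } else {
- int32_t newCap = capacity * 2;
- if (newCap < minimumCapacity) {
- newCap = minimumCapacity;
- }
- int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap);
- if (newElems == 0) {
- status = U_MEMORY_ALLOCATION_ERROR;
- return FALSE;
- }
- uprv_memcpy(newElems, elements, sizeof(elements[0]) * count);
- uprv_free(elements);
- elements = newElems;
- capacity = newCap;
- return TRUE;
+ }
+ if (maxCapacity>0 && minimumCapacity>maxCapacity) {
+ status = U_BUFFER_OVERFLOW_ERROR;
+ return FALSE;
+ }
+ int32_t newCap = capacity * 2;
+ if (newCap < minimumCapacity) {
+ newCap = minimumCapacity;
+ }
+ if (maxCapacity > 0 && newCap > maxCapacity) {
+ newCap = maxCapacity;
+ }
+ int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap);
+ if (newElems == 0) {
+ status = U_MEMORY_ALLOCATION_ERROR;
+ return FALSE;
+ }
+ uprv_memcpy(newElems, elements, sizeof(elements[0]) * count);
+ uprv_free(elements);
+ elements = newElems;
+ capacity = newCap;
+ return TRUE;
+}
+
+void UVector32::setMaxCapacity(int32_t limit) {
+ U_ASSERT(limit >= 0);
+ maxCapacity = limit;
+ if (maxCapacity < 0) {
+ maxCapacity = 0;
 }
 }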
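Review bot: In the rewritten `ensureCapacity` (hunk `@@ -190`) the doubling `int32_t newCap = capacity * 2;` is still signed arithmetic with no guard, so for a vector with no limit set (`maxCapacity == 0`, the default both constructors now establish) a capacity above `INT32_MAX / 2` overflows before either clamp runs; the subsequent `newCap < minimumCapacity` test happens to repair a negative result in practice, but the overflow itself is undefined behaviour, and `sizeof(int32_t)*newCap` is likewise not range-checked before `uprv_malloc`. Since the hunk rewrites the whole growth path, it is the natural place to write `int32_t newCap = (capacity <= INT32_MAX / 2) ? capacity * 2 : INT32_MAX;` and to document that the `U_BUFFER_OVERFLOW_ERROR` path is the capacity limit, not a buffer write: `// Refuse to grow past the caller-set limit; status tells the caller why growth stopped.` In `setMaxCapacity`, the `maxCapacity < 0` reset after `U_ASSERT(limit >= 0)` is presumably the release-build fallback for the debug-only assert and deserves a comment saying so. In the `@@ -46` hunk the new clamp of `initialCapacity` to `maxCapacity` can only take effect if that function is reached with a limit already set; both constructors initialize `maxCapacity(0)` immediately before, so whether the clamp is ever live depends on callers outside this hunk.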
280 |
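--- a/common/uvectr32.h
+++ b/common/uvectr32.h
@@ -1,5 +1,5 @@
 /*
 **********************************************************************
-* Copyright (C) 1999-2006, International Business Machines
+* Copyright (C) 1999-2008, International Business Machines
 * Corporation and others. All Rights Reserved.
 **********************************************************************
@@ -62,4 +62,6 @@
 
 int32_t capacity;
+
+ int32_t maxCapacity; // Limit beyond which capacity is not permitted to grow.
 
 int32_t* elements;
@@ -161,4 +163,12 @@
 */
 int32_t *getBuffer() const;
+
+ /**
+ * Set the maximum allowed buffer capacity for this vector/stack.
+ * Default with no limit set is unlimited, go until malloc() fails.
+ * A Limit of zero means unlimited capacity.
+ * Units are vector elements (32 bits each), not bytes.
+ */
+ void setMaxCapacity(int32_t limit);
 
 /**
@@ -222,5 +232,7 @@
 
 inline int32_t *UVector32::reserveBlock(int32_t size, UErrorCode &status) {
- ensureCapacity(count+size, status);
+ if (ensureCapacity(count+size, status) == FALSE) {
+ return NULL;
+ }
 int32_t *rp = elements+count;
 count += size;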
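Review bot: `reserveBlock` (hunk `@@ -222`) changes its contract from "always returns a pointer" to "may return NULL", but the hunk touches neither the declaration's doc comment nor `ensureCapacity`'s, so existing callers other than the one patched in rematch.cpp have no signal that they must now check for NULL; a caller that indexes the returned pointer unchecked turns the new limit into a null dereference. The doc comment on the declaration (outside this hunk) should state: `Returns NULL, with status set, if the block cannot be reserved: U_BUFFER_OVERFLOW_ERROR when the capacity limit would be exceeded, U_MEMORY_ALLOCATION_ERROR when allocation fails. count and elements are unchanged in that case.` Both failure paths return before `count += size`, so that last claim holds from the visible code. As a matter of style, `if (!ensureCapacity(count+size, status))` reads more naturally than comparing a UBool with `FALSE`. The function continues past the end of the hunk.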