Fix a buffer overflow when compiling a regular expression with a bracketed character class with a white space

2020-09-23 17:22:09 +02:00 · 2020-09-23 17:22:09 +02:00 · 4348c5f039
parent 274071dc1f
commit 4348c5f039
2 changed files with 96 additions and 0 deletions
--- a/perl-5.33.1-Heap-buffer-overflow-in-regex-bracket-group-whitespa.patch
+++ b/perl-5.33.1-Heap-buffer-overflow-in-regex-bracket-group-whitespa.patch
@ -0,0 +1,88 @@
+From 90f66c42e4513ae5d907805fbf28b9967a90d6c5 Mon Sep 17 00:00:00 2001
+From: John Lightsey <john@04755.net>
+Date: Fri, 28 Aug 2020 23:39:18 -0500
+Subject: [PATCH] Heap buffer overflow in regex bracket group whitespace
+ handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The code for skipping whitespace in regex bracket character groups
+was walking past the end of the regex in some cases.
+
+Signed-off-by: Petr Písař <ppisar@redhat.com>
+---
+ regcomp.c | 16 ++++++++--------
+ 1 file changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index db82c77b00..64488994fa 100644
+--- a/regcomp.c
+++ b/regcomp.c
+@@ -17228,10 +17228,10 @@ S_add_multi_match(pTHX_ AV* multi_char_matches, SV* multi_string, const STRLEN c
+  *
+  * There is a line below that uses the same white space criteria but is outside
+  * this macro.  Both here and there must use the same definition */
+-#define SKIP_BRACKETED_WHITE_SPACE(do_skip, p)                          \
+#define SKIP_BRACKETED_WHITE_SPACE(do_skip, p, stop_p)                  \
+     STMT_START {                                                        \
+         if (do_skip) {                                                  \
+-            while (isBLANK_A(UCHARAT(p)))                               \
+            while (p < stop_p && isBLANK_A(UCHARAT(p)))                 \
+             {                                                           \
+                 p++;                                                    \
+             }                                                           \
+@@ -17406,7 +17406,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
+     initial_listsv_len = SvCUR(listsv);
+     SvTEMP_off(listsv); /* Grr, TEMPs and mortals are conflated.  */
+ 
+-    SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
+    SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
+ 
+     assert(RExC_parse <= RExC_end);
+ 
+@@ -17415,7 +17415,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
+         invert = TRUE;
+         allow_mutiple_chars = FALSE;
+         MARK_NAUGHTY(1);
+-        SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
+        SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
+     }
+ 
+     /* Check that they didn't say [:posix:] instead of [[:posix:]] */
+@@ -17462,12 +17462,12 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
+             output_posix_warnings(pRExC_state, posix_warnings);
+         }
+ 
+        SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
+
+         if  (RExC_parse >= stop_ptr) {
+             break;
+         }
+ 
+-        SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
+-
+         if  (UCHARAT(RExC_parse) == ']') {
+             break;
+         }
+@@ -18156,7 +18156,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
+ 	    }
+ 	} /* end of namedclass \blah */
+ 
+-        SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
+        SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
+ 
+         /* If 'range' is set, 'value' is the ending of a range--check its
+          * validity.  (If value isn't a single code point in the case of a
+@@ -18199,7 +18199,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
+                 char* next_char_ptr = RExC_parse + 1;
+ 
+                 /* Get the next real char after the '-' */
+-                SKIP_BRACKETED_WHITE_SPACE(skip_white, next_char_ptr);
+                SKIP_BRACKETED_WHITE_SPACE(skip_white, next_char_ptr, RExC_end);
+ 
+                 /* If the '-' is at the end of the class (just before the ']',
+                  * it is a literal minus; otherwise it is a range */
+-- 
+2.25.4
+
--- a/perl.spec
+++ b/perl.spec
@ -237,6 +237,10 @@ Patch34:        perl-5.33.1-die_unwind-global-destruction.patch
 # in upstream after 5.33.1
 Patch35:        perl-5.33.1-sort-return-foo.patch

+# Fix a buffer overflow when compiling a regular expression with a bracketed
+# character class with a white space, in upstream after 5.33.1
+Patch36:        perl-5.33.1-Heap-buffer-overflow-in-regex-bracket-group-whitespa.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch

@ -4265,6 +4269,7 @@ you're not running VMS, this module does nothing.
 %patch33 -p1
 %patch34 -p1
 %patch35 -p1
+%patch36 -p1
 %patch200 -p1
 %patch201 -p1

@ -4307,6 +4312,7 @@ perl -x patchlevel.h \
    'Fedora Patch33: Fix a memory leak when compiling a long regular expression (GH#18054)' \
    'Fedora Patch34: Fix handling exceptions in a global destruction (GH#18063)' \
    'Fedora Patch35: Fix sorting with a block that calls return (GH#18081)' \
+    'Fedora Patch36: Fix a buffer overflow when compiling a regular expression with a bracketed character class with a white space' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    %{nil}
@ -7019,6 +7025,8 @@ popd
 - Remove a useless post-install dependency on perl-macros from
  perl-interpreter
 - Fix ownership of /usr/share/perl5/{ExtUtils,File,Module,Text,Time} directories
+- Fix a buffer overflow when compiling a regular expression with a bracketed
+  character class with a white space

 * Thu Aug 27 2020 Petr Pisar <ppisar@redhat.com> - 4:5.32.0-462
 - Fix inheritance resolution of lexial objects in a debugger (GH#17661)