debian/patches/0500-CVE-2017-922[4-9].patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144

Correct CVE-2017-922[4-9]
 Fix mutilple invalid pointer dereference, out-of-bounds write memory 
 corruption and stack buffer overflow,
Origin: Cheerypicked from upstream
Bug: https://github.com/kkos/oniguruma/issues/[55|56|57|58|59|60]
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=86331[2|3|4|5|6|8]
Forwarded: not-needed
Last-Update: 2017-05-25
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
Index: 6.1.3-1+deb9u1/src/regexec.c
===================================================================
--- 6.1.3-1+deb9u1.orig/src/regexec.c
+++ 6.1.3-1+deb9u1/src/regexec.c
@@ -1463,14 +1463,9 @@ match_at(regex_t* reg, const UChar* str,
       break;
 
     case OP_EXACT1:  MOP_IN(OP_EXACT1);
-#if 0
       DATA_ENSURE(1);
       if (*p != *s) goto fail;
       p++; s++;
-#endif
-      if (*p != *s++) goto fail;
-      DATA_ENSURE(0);
-      p++;
       MOP_OUT;
       break;
 
@@ -3149,6 +3144,8 @@ forward_search_range(regex_t* reg, const
     }
     else {
       UChar *q = p + reg->dmin;
+
+      if (q >= end) return 0; /* fail */
       while (p < q) p += enclen(reg->enc, p);
     }
   }
@@ -3228,18 +3225,25 @@ forward_search_range(regex_t* reg, const
     }
     else {
       if (reg->dmax != ONIG_INFINITE_DISTANCE) {
-        *low = p - reg->dmax;
-        if (*low > s) {
-          *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
-                                          *low, (const UChar** )low_prev);
-          if (low_prev && IS_NULL(*low_prev))
-            *low_prev = onigenc_get_prev_char_head(reg->enc,
-                                                   (pprev ? pprev : s), *low);
-        }
-        else {
+        if (p - str < reg->dmax) {
+          *low = (UChar* )str;
           if (low_prev)
-            *low_prev = onigenc_get_prev_char_head(reg->enc,
-                                                   (pprev ? pprev : str), *low);
+            *low_prev = onigenc_get_prev_char_head(reg->enc, str, *low);
+ 	}
+ 	else {
+          *low = p - reg->dmax;
+          if (*low > s) {
+            *low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
+                                                 *low, (const UChar** )low_prev);
+            if (low_prev && IS_NULL(*low_prev))
+              *low_prev = onigenc_get_prev_char_head(reg->enc,
+                                                     (pprev ? pprev : s), *low);
+          }
+          else {
+            if (low_prev)
+              *low_prev = onigenc_get_prev_char_head(reg->enc,
+                                                     (pprev ? pprev : str), *low);
+          }
         }
       }
     }
Index: 6.1.3-1+deb9u1/src/regparse.c
===================================================================
--- 6.1.3-1+deb9u1.orig/src/regparse.c
+++ 6.1.3-1+deb9u1/src/regparse.c
@@ -2986,7 +2986,7 @@ fetch_token_in_cc(OnigToken* tok, UChar*
         PUNFETCH;
         prev = p;
         num = scan_unsigned_octal_number(&p, end, 3, enc);
-        if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
+        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
         if (p == prev) {  /* can't read nothing. */
           num = 0; /* but, it's not error */
         }
@@ -3358,7 +3358,7 @@ fetch_token(OnigToken* tok, UChar** src,
       if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
         prev = p;
         num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
-        if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
+        if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
         if (p == prev) {  /* can't read nothing. */
           num = 0; /* but, it's not error */
         }
@@ -3994,7 +3994,9 @@ next_state_class(CClassNode* cc, OnigCod
     }
   }
 
-  *state = CCS_VALUE;
+  if (*state != CCS_START)
+    *state = CCS_VALUE;
+
   *type  = CCV_CLASS;
   return 0;
 }
@@ -4010,6 +4012,9 @@ next_state_val(CClassNode* cc, OnigCodeP
   switch (*state) {
   case CCS_VALUE:
     if (*type == CCV_SB) {
+      if (*vs > 0xff)
+          return ONIGERR_INVALID_CODE_POINT_VALUE;
+
       BITSET_SET_BIT(cc->bs, (int )(*vs));
     }
     else if (*type == CCV_CODE_POINT) {
Index: 6.1.3-1+deb9u1/src/gperf_unfold_key_conv.py
===================================================================
--- 6.1.3-1+deb9u1.orig/src/gperf_unfold_key_conv.py
+++ 6.1.3-1+deb9u1/src/gperf_unfold_key_conv.py
@@ -36,7 +36,7 @@ def parse_line(s):
     if r != s: return r
     r = re.sub(REG_GET_CODE, 'OnigCodePoint gcode = wordlist[key].code;', s)
     if r != s: return r
-    r = re.sub(REG_CODE_CHECK, 'if (code == gcode)', s)
+    r = re.sub(REG_CODE_CHECK, 'if (code == gcode && wordlist[key].index >= 0)', s)
     if r != s: return r
 
     return s
Index: 6.1.3-1+deb9u1/src/unicode_unfold_key.c
===================================================================
--- 6.1.3-1+deb9u1.orig/src/unicode_unfold_key.c
+++ 6.1.3-1+deb9u1/src/unicode_unfold_key.c
@@ -2844,7 +2844,7 @@ unicode_unfold_key(OnigCodePoint code)
         {
           OnigCodePoint gcode = wordlist[key].code;
 
-          if (code == gcode)
+          if (code == gcode && wordlist[key].index >= 0)
             return &wordlist[key];
         }
     }