diff options
Diffstat (limited to 'meta/recipes-support/libpcre')
7 files changed, 829 insertions, 44 deletions
diff --git a/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch b/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch deleted file mode 100644 index 89b44f6aa6..0000000000 --- a/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch +++ /dev/null @@ -1,41 +0,0 @@ -Upstream-Status: Inappropriate [debian patch] - -This patch address a namespace collision with libc. - -Although there is no "#include <regex.h>" in the source file, at -runtime, it's unintentionally linked to the libc version, the regcomp of -libc is called instead the pcre one using pcre's data structure... -that looks like a disaster. - -Can patch is from Debian (and Ubuntu 11.04alpha has it also). - -[sgw: added patch comment] -Signed-off-by: Qing He <qing.he@intel.com> -Signed-off-by: Saul Wold <sgw@linux.intel.com> - ---- a/pcreposix.h 2010-05-17 00:17:23.000000000 +0800 -+++ b/pcreposix.h 2009-01-15 04:32:17.000000000 +0800 -@@ -133,14 +130,19 @@ - - /* The functions */ - --PCREPOSIX_EXP_DECL int regcomp(regex_t *, const char *, int); --PCREPOSIX_EXP_DECL int regexec(const regex_t *, const char *, size_t, -+PCREPOSIX_EXP_DECL int pcreposix_regcomp(regex_t *, const char *, int); -+PCREPOSIX_EXP_DECL int pcreposix_regexec(const regex_t *, const char *, size_t, - regmatch_t *, int); --PCREPOSIX_EXP_DECL size_t regerror(int, const regex_t *, char *, size_t); --PCREPOSIX_EXP_DECL void regfree(regex_t *); -+PCREPOSIX_EXP_DECL size_t pcreposix_regerror(int, const regex_t *, char *, size_t); -+PCREPOSIX_EXP_DECL void pcreposix_regfree(regex_t *); - - #ifdef __cplusplus - } /* extern "C" */ - #endif - -+#define regcomp pcreposix_regcomp -+#define regexec pcreposix_regexec -+#define regerror pcreposix_regerror -+#define regfree pcreposix_regfree -+ - #endif /* End of pcreposix.h */ diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch new file mode 100644 index 0000000000..42ee417fe7 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch @@ -0,0 +1,30 @@ +From 5d1e62b0155292b994aa1c96d4ed8ce4346ef4c2 Mon Sep 17 00:00:00 2001 +From: Zoltan Herczeg <hzmester@freemail.hu> +Date: Thu, 24 Mar 2022 05:34:42 +0000 +Subject: [PATCH] Fix incorrect value reading in JIT. + +CVE: CVE-2022-1586 +Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3] + +(cherry picked from commit d4fa336fbcc388f89095b184ba6d99422cfc676c) +Signed-off-by: Shinu Chandran <shinucha@cisco.com> +--- + src/pcre2_jit_compile.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index 493c96d..fa57942 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -7188,7 +7188,7 @@ while (*cc != XCL_END) + { + SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP); + cc++; +- if (*cc == PT_CLIST && *cc == XCL_PROP) ++ if (*cc == PT_CLIST && cc[-1] == XCL_PROP) + { + other_cases = PRIV(ucd_caseless_sets) + cc[1]; + while (*other_cases != NOTACHAR) +-- +2.25.1 + diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch new file mode 100644 index 0000000000..fbbbc9ca77 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch @@ -0,0 +1,59 @@ +From 233c4248550d0c1d9bfee42198d5ee0855b7d413 Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Mon, 23 May 2022 13:52:39 +0530 +Subject: [PATCH] CVE-2022-1586 + +Upstream-Status: Backport from https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a + +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> +--- + ChangeLog | 3 +++ + src/pcre2_jit_compile.c | 2 +- + src/pcre2_jit_test.c | 4 ++++ + 3 files changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ChangeLog b/ChangeLog +index 0926c29..b5d72dc 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,6 +1,9 @@ + Change Log for PCRE2 + -------------------- + ++23. Fixed a unicode properrty matching issue in JIT. The character was not ++fully read in caseless matching. ++ + + Version 10.34 21-November-2019 + ------------------------------ +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index f564127..5d43865 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -7119,7 +7119,7 @@ while (*cc != XCL_END) + { + SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP); + cc++; +- if (*cc == PT_CLIST) ++ if (*cc == PT_CLIST && *cc == XCL_PROP) + { + other_cases = PRIV(ucd_caseless_sets) + cc[1]; + while (*other_cases != NOTACHAR) +diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c +index a9b3880..9df87fd 100644 +--- a/src/pcre2_jit_test.c ++++ b/src/pcre2_jit_test.c +@@ -408,6 +408,10 @@ static struct regression_test_case regression_test_cases[] = { + { MUP, A, 0, 0 | F_PROPERTY, "[\xc3\xa2-\xc3\xa6\xc3\x81-\xc3\x84\xe2\x80\xa8-\xe2\x80\xa9\xe6\x92\xad\\p{Zs}]{2,}", "\xe2\x80\xa7\xe2\x80\xa9\xe6\x92\xad \xe6\x92\xae" }, + { MUP, A, 0, 0 | F_PROPERTY, "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" }, + { PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB baaa" }, ++ { MUP, 0, 0, 0 | F_NOMATCH, "[^\\p{Hangul}\\p{Z}]", " " }, ++ { MUP, 0, 0, 0, "[\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" }, ++ { MUP, 0, 0, 0, "[\\x{a92e}\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" }, ++ { CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" }, + + /* Possible empty brackets. */ + { MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" }, +-- +2.25.1 + diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch new file mode 100644 index 0000000000..70f9f9f079 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch @@ -0,0 +1,660 @@ +From aa5aac0d209e3debf80fc2db924d9401fc50454b Mon Sep 17 00:00:00 2001 +From: Hitendra Prajapati <hprajapati@mvista.com> +Date: Mon, 23 May 2022 14:11:11 +0530 +Subject: [PATCH] CVE-2022-1587 + +Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0] +CVE: CVE-2022-1587 +Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> + +--- + ChangeLog | 3 + + src/pcre2_jit_compile.c | 290 ++++++++++++++++++++++++++-------------- + src/pcre2_jit_test.c | 1 + + 3 files changed, 194 insertions(+), 100 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index b5d72dc..de82de9 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -4,6 +4,9 @@ Change Log for PCRE2 + 23. Fixed a unicode properrty matching issue in JIT. The character was not + fully read in caseless matching. + ++24. Fixed an issue affecting recursions in JIT caused by duplicated data ++transfers. ++ + + Version 10.34 21-November-2019 + ------------------------------ +diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c +index 5d43865..493c96d 100644 +--- a/src/pcre2_jit_compile.c ++++ b/src/pcre2_jit_compile.c +@@ -407,6 +407,9 @@ typedef struct compiler_common { + /* Locals used by fast fail optimization. */ + sljit_s32 fast_fail_start_ptr; + sljit_s32 fast_fail_end_ptr; ++ /* Variables used by recursive call generator. */ ++ sljit_s32 recurse_bitset_size; ++ uint8_t *recurse_bitset; + + /* Flipped and lower case tables. */ + const sljit_u8 *fcc; +@@ -2109,19 +2112,39 @@ for (i = 0; i < RECURSE_TMP_REG_COUNT; i++) + + #undef RECURSE_TMP_REG_COUNT + ++static BOOL recurse_check_bit(compiler_common *common, sljit_sw bit_index) ++{ ++uint8_t *byte; ++uint8_t mask; ++ ++SLJIT_ASSERT((bit_index & (sizeof(sljit_sw) - 1)) == 0); ++ ++bit_index >>= SLJIT_WORD_SHIFT; ++ ++mask = 1 << (bit_index & 0x7); ++byte = common->recurse_bitset + (bit_index >> 3); ++ ++if (*byte & mask) ++ return FALSE; ++ ++*byte |= mask; ++return TRUE; ++} ++ + static int get_recurse_data_length(compiler_common *common, PCRE2_SPTR cc, PCRE2_SPTR ccend, + BOOL *needs_control_head, BOOL *has_quit, BOOL *has_accept) + { + int length = 1; +-int size; ++int size, offset; + PCRE2_SPTR alternative; + BOOL quit_found = FALSE; + BOOL accept_found = FALSE; + BOOL setsom_found = FALSE; + BOOL setmark_found = FALSE; +-BOOL capture_last_found = FALSE; + BOOL control_head_found = FALSE; + ++memset(common->recurse_bitset, 0, common->recurse_bitset_size); ++ + #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD + SLJIT_ASSERT(common->control_head_ptr != 0); + control_head_found = TRUE; +@@ -2144,15 +2167,17 @@ while (cc < ccend) + setsom_found = TRUE; + if (common->mark_ptr != 0) + setmark_found = TRUE; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) ++ length++; + cc += 1 + LINK_SIZE; + break; + + case OP_KET: +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0) + { +- length++; ++ if (recurse_check_bit(common, offset)) ++ length++; + SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0); + cc += PRIVATE_DATA(cc + 1); + } +@@ -2169,39 +2194,55 @@ while (cc < ccend) + case OP_SBRA: + case OP_SBRAPOS: + case OP_SCOND: +- length++; + SLJIT_ASSERT(PRIVATE_DATA(cc) != 0); ++ if (recurse_check_bit(common, PRIVATE_DATA(cc))) ++ length++; + cc += 1 + LINK_SIZE; + break; + + case OP_CBRA: + case OP_SCBRA: +- length += 2; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; +- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0) ++ offset = GET2(cc, 1 + LINK_SIZE); ++ if (recurse_check_bit(common, OVECTOR(offset << 1))) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1))); ++ length += 2; ++ } ++ if (common->optimized_cbracket[offset] == 0 && recurse_check_bit(common, OVECTOR_PRIV(offset))) ++ length++; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + length++; + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_CBRAPOS: + case OP_SCBRAPOS: +- length += 2 + 2; +- if (common->capture_last_ptr != 0) +- capture_last_found = TRUE; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ if (recurse_check_bit(common, OVECTOR(offset << 1))) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1))); ++ length += 2; ++ } ++ if (recurse_check_bit(common, OVECTOR_PRIV(offset))) ++ length++; ++ if (recurse_check_bit(common, PRIVATE_DATA(cc))) ++ length++; ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) ++ length++; + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_COND: + /* Might be a hidden SCOND. */ + alternative = cc + GET(cc, 1); +- if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) ++ if ((*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) && recurse_check_bit(common, PRIVATE_DATA(cc))) + length++; + cc += 1 + LINK_SIZE; + break; + + CASE_ITERATOR_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length++; + cc += 2; + #ifdef SUPPORT_UNICODE +@@ -2210,8 +2251,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 2; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2219,8 +2264,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 2 + IMM2_SIZE; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2228,20 +2277,29 @@ while (cc < ccend) + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length++; + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc) != 0) ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) ++ { ++ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw))); + length += 2; ++ } + cc += 1 + IMM2_SIZE; + break; + +@@ -2253,7 +2311,9 @@ while (cc < ccend) + #else + size = 1 + 32 / (int)sizeof(PCRE2_UCHAR); + #endif +- if (PRIVATE_DATA(cc) != 0) ++ ++ offset = PRIVATE_DATA(cc); ++ if (offset != 0 && recurse_check_bit(common, offset)) + length += get_class_iterator_size(cc + size); + cc += size; + break; +@@ -2288,8 +2348,7 @@ while (cc < ccend) + case OP_THEN: + SLJIT_ASSERT(common->control_head_ptr != 0); + quit_found = TRUE; +- if (!control_head_found) +- control_head_found = TRUE; ++ control_head_found = TRUE; + cc++; + break; + +@@ -2309,8 +2368,6 @@ SLJIT_ASSERT(cc == ccend); + + if (control_head_found) + length++; +-if (capture_last_found) +- length++; + if (quit_found) + { + if (setsom_found) +@@ -2343,14 +2400,12 @@ sljit_sw shared_srcw[3]; + sljit_sw kept_shared_srcw[2]; + int private_count, shared_count, kept_shared_count; + int from_sp, base_reg, offset, i; +-BOOL setsom_found = FALSE; +-BOOL setmark_found = FALSE; +-BOOL capture_last_found = FALSE; +-BOOL control_head_found = FALSE; ++ ++memset(common->recurse_bitset, 0, common->recurse_bitset_size); + + #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD + SLJIT_ASSERT(common->control_head_ptr != 0); +-control_head_found = TRUE; ++recurse_check_bit(common, common->control_head_ptr); + #endif + + switch (type) +@@ -2438,11 +2493,10 @@ while (cc < ccend) + { + case OP_SET_SOM: + SLJIT_ASSERT(common->has_set_som); +- if (has_quit && !setsom_found) ++ if (has_quit && recurse_check_bit(common, OVECTOR(0))) + { + kept_shared_srcw[0] = OVECTOR(0); + kept_shared_count = 1; +- setsom_found = TRUE; + } + cc += 1; + break; +@@ -2450,33 +2504,31 @@ while (cc < ccend) + case OP_RECURSE: + if (has_quit) + { +- if (common->has_set_som && !setsom_found) ++ if (common->has_set_som && recurse_check_bit(common, OVECTOR(0))) + { + kept_shared_srcw[0] = OVECTOR(0); + kept_shared_count = 1; +- setsom_found = TRUE; + } +- if (common->mark_ptr != 0 && !setmark_found) ++ if (common->mark_ptr != 0 && recurse_check_bit(common, common->mark_ptr)) + { + kept_shared_srcw[kept_shared_count] = common->mark_ptr; + kept_shared_count++; +- setmark_found = TRUE; + } + } +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { + shared_srcw[0] = common->capture_last_ptr; + shared_count = 1; +- capture_last_found = TRUE; + } + cc += 1 + LINK_SIZE; + break; + + case OP_KET: +- if (PRIVATE_DATA(cc) != 0) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0) + { +- private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0); + cc += PRIVATE_DATA(cc + 1); + } +@@ -2493,50 +2545,66 @@ while (cc < ccend) + case OP_SBRA: + case OP_SBRAPOS: + case OP_SCOND: +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + cc += 1 + LINK_SIZE; + break; + + case OP_CBRA: + case OP_SCBRA: +- offset = (GET2(cc, 1 + LINK_SIZE)) << 1; +- shared_srcw[0] = OVECTOR(offset); +- shared_srcw[1] = OVECTOR(offset + 1); +- shared_count = 2; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ shared_srcw[0] = OVECTOR(offset << 1); ++ if (recurse_check_bit(common, shared_srcw[0])) ++ { ++ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1])); ++ shared_count = 2; ++ } + +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { +- shared_srcw[2] = common->capture_last_ptr; +- shared_count = 3; +- capture_last_found = TRUE; ++ shared_srcw[shared_count] = common->capture_last_ptr; ++ shared_count++; + } + +- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0) ++ if (common->optimized_cbracket[offset] == 0) + { +- private_count = 1; +- private_srcw[0] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE)); ++ private_srcw[0] = OVECTOR_PRIV(offset); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + } ++ + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + + case OP_CBRAPOS: + case OP_SCBRAPOS: +- offset = (GET2(cc, 1 + LINK_SIZE)) << 1; +- shared_srcw[0] = OVECTOR(offset); +- shared_srcw[1] = OVECTOR(offset + 1); +- shared_count = 2; ++ offset = GET2(cc, 1 + LINK_SIZE); ++ shared_srcw[0] = OVECTOR(offset << 1); ++ if (recurse_check_bit(common, shared_srcw[0])) ++ { ++ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1])); ++ shared_count = 2; ++ } + +- if (common->capture_last_ptr != 0 && !capture_last_found) ++ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr)) + { +- shared_srcw[2] = common->capture_last_ptr; +- shared_count = 3; +- capture_last_found = TRUE; ++ shared_srcw[shared_count] = common->capture_last_ptr; ++ shared_count++; + } + +- private_count = 2; + private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE)); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; ++ ++ offset = OVECTOR_PRIV(offset); ++ if (recurse_check_bit(common, offset)) ++ { ++ private_srcw[private_count] = offset; ++ private_count++; ++ } + cc += 1 + LINK_SIZE + IMM2_SIZE; + break; + +@@ -2545,18 +2613,17 @@ while (cc < ccend) + alternative = cc + GET(cc, 1); + if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) + { +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); ++ if (recurse_check_bit(common, private_srcw[0])) ++ private_count = 1; + } + cc += 1 + LINK_SIZE; + break; + + CASE_ITERATOR_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc)) +- { ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); +- } + cc += 2; + #ifdef SUPPORT_UNICODE + if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]); +@@ -2564,11 +2631,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw); ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 2; + #ifdef SUPPORT_UNICODE +@@ -2577,11 +2645,12 @@ while (cc < ccend) + break; + + CASE_ITERATOR_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw); ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 2 + IMM2_SIZE; + #ifdef SUPPORT_UNICODE +@@ -2590,30 +2659,30 @@ while (cc < ccend) + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_1 +- if (PRIVATE_DATA(cc)) +- { ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + private_count = 1; +- private_srcw[0] = PRIVATE_DATA(cc); +- } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2A +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); + private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 1; + break; + + CASE_ITERATOR_TYPE_PRIVATE_DATA_2B +- if (PRIVATE_DATA(cc)) ++ private_srcw[0] = PRIVATE_DATA(cc); ++ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0])) + { + private_count = 2; +- private_srcw[0] = PRIVATE_DATA(cc); + private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); + } + cc += 1 + IMM2_SIZE; + break; +@@ -2630,14 +2699,17 @@ while (cc < ccend) + switch(get_class_iterator_size(cc + i)) + { + case 1: +- private_count = 1; + private_srcw[0] = PRIVATE_DATA(cc); + break; + + case 2: +- private_count = 2; + private_srcw[0] = PRIVATE_DATA(cc); +- private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ if (recurse_check_bit(common, private_srcw[0])) ++ { ++ private_count = 2; ++ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw); ++ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1])); ++ } + break; + + default: +@@ -2652,28 +2724,25 @@ while (cc < ccend) + case OP_PRUNE_ARG: + case OP_THEN_ARG: + SLJIT_ASSERT(common->mark_ptr != 0); +- if (has_quit && !setmark_found) ++ if (has_quit && recurse_check_bit(common, common->mark_ptr)) + { + kept_shared_srcw[0] = common->mark_ptr; + kept_shared_count = 1; +- setmark_found = TRUE; + } +- if (common->control_head_ptr != 0 && !control_head_found) ++ if (common->control_head_ptr != 0 && recurse_check_bit(common, common->control_head_ptr)) + { + shared_srcw[0] = common->control_head_ptr; + shared_count = 1; +- control_head_found = TRUE; + } + cc += 1 + 2 + cc[1]; + break; + + case OP_THEN: + SLJIT_ASSERT(common->control_head_ptr != 0); +- if (!control_head_found) ++ if (recurse_check_bit(common, common->control_head_ptr)) + { + shared_srcw[0] = common->control_head_ptr; + shared_count = 1; +- control_head_found = TRUE; + } + cc++; + break; +@@ -2681,7 +2750,7 @@ while (cc < ccend) + default: + cc = next_opcode(common, cc); + SLJIT_ASSERT(cc != NULL); +- break; ++ continue; + } + + if (type != recurse_copy_shared_to_global && type != recurse_copy_kept_shared_to_global) +@@ -13262,7 +13331,7 @@ SLJIT_ASSERT(!(common->req_char_ptr != 0 && common->start_used_ptr != 0)); + common->cbra_ptr = OVECTOR_START + (re->top_bracket + 1) * 2 * sizeof(sljit_sw); + + total_length = ccend - common->start; +-common->private_data_ptrs = (sljit_s32 *)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data); ++common->private_data_ptrs = (sljit_s32*)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data); + if (!common->private_data_ptrs) + { + SLJIT_FREE(common->optimized_cbracket, allocator_data); +@@ -13304,6 +13373,7 @@ if (!compiler) + common->compiler = compiler; + + /* Main pcre_jit_exec entry. */ ++LJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0); + sljit_emit_enter(compiler, 0, SLJIT_ARG1(SW), 5, 5, 0, 0, private_data_size); + + /* Register init. */ +@@ -13524,20 +13594,40 @@ common->fast_fail_end_ptr = 0; + common->currententry = common->entries; + common->local_quit_available = TRUE; + quit_label = common->quit_label; +-while (common->currententry != NULL) ++if (common->currententry != NULL) + { +- /* Might add new entries. */ +- compile_recurse(common); +- if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler))) ++ /* A free bit for each private data. */ ++ common->recurse_bitset_size = ((private_data_size / (int)sizeof(sljit_sw)) + 7) >> 3; ++ SLJIT_ASSERT(common->recurse_bitset_size > 0); ++ common->recurse_bitset = (sljit_u8*)SLJIT_MALLOC(common->recurse_bitset_size, allocator_data);; ++ ++ if (common->recurse_bitset != NULL) ++ { ++ do ++ { ++ /* Might add new entries. */ ++ compile_recurse(common); ++ if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler))) ++ break; ++ flush_stubs(common); ++ common->currententry = common->currententry->next; ++ } ++ while (common->currententry != NULL); ++ ++ SLJIT_FREE(common->recurse_bitset, allocator_data); ++ } ++ ++ if (common->currententry != NULL) + { ++ /* The common->recurse_bitset has been freed. */ ++ SLJIT_ASSERT(sljit_get_compiler_error(compiler) || common->recurse_bitset == NULL); ++ + sljit_free_compiler(compiler); + SLJIT_FREE(common->optimized_cbracket, allocator_data); + SLJIT_FREE(common->private_data_ptrs, allocator_data); + PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data); + return PCRE2_ERROR_NOMEMORY; + } +- flush_stubs(common); +- common->currententry = common->currententry->next; + } + common->local_quit_available = FALSE; + common->quit_label = quit_label; +diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c +index 9df87fd..2f84834 100644 +--- a/src/pcre2_jit_test.c ++++ b/src/pcre2_jit_test.c +@@ -746,6 +746,7 @@ static struct regression_test_case regression_test_cases[] = { + { MU, A, 0, 0, "((?(R)a|(?1)){1,3}?)M", "aaaM" }, + { MU, A, 0, 0, "((.)(?:.|\\2(?1))){0}#(?1)#", "#aabbccdde# #aabbccddee#" }, + { MU, A, 0, 0, "((.)(?:\\2|\\2{4}b)){0}#(?:(?1))+#", "#aaaab# #aaaaab#" }, ++ { MU, A, 0, 0 | F_NOMATCH, "(?1)$((.|\\2xx){1,2})", "abc" }, + + /* 16 bit specific tests. */ + { CM, A, 0, 0 | F_FORCECONV, "\xc3\xa1", "\xc3\x81\xc3\xa1" }, +-- +2.25.1 + diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch new file mode 100644 index 0000000000..882277ae73 --- /dev/null +++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch @@ -0,0 +1,74 @@ +From 94e1c001761373b7d9450768aa15d04c25547a35 Mon Sep 17 00:00:00 2001 +From: Philip Hazel <Philip.Hazel@gmail.com> +Date: Tue, 16 Aug 2022 17:00:45 +0100 +Subject: [PATCH] Diagnose negative repeat value in pcre2test subject line + +CVE: CVE-2022-41409 +Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35] + +Signed-off-by: Peter Marko <peter.marko@siemens.com> + +--- + ChangeLog | 3 +++ + src/pcre2test.c | 4 ++-- + testdata/testinput2 | 3 +++ + testdata/testoutput2 | 4 ++++ + 4 files changed, 12 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index eab50eb7..276eb57a 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -7,6 +7,9 @@ fully read in caseless matching. + 24. Fixed an issue affecting recursions in JIT caused by duplicated data + transfers. + ++20. A negative repeat value in a pcre2test subject line was not being ++diagnosed, leading to infinite looping. ++ + + Version 10.34 21-November-2019 + ------------------------------ +diff --git a/src/pcre2test.c b/src/pcre2test.c +index 08f86096..f6f5d66c 100644 +--- a/src/pcre2test.c ++++ b/src/pcre2test.c +@@ -6700,9 +6700,9 @@ while ((c = *p++) != 0) + } + + i = (int32_t)li; +- if (i-- == 0) ++ if (i-- <= 0) + { +- fprintf(outfile, "** Zero repeat not allowed\n"); ++ fprintf(outfile, "** Zero or negative repeat not allowed\n"); + return PR_OK; + } + +diff --git a/testdata/testinput2 b/testdata/testinput2 +index 655e519..14e00ed 100644 +--- a/testdata/testinput2 ++++ b/testdata/testinput2 +@@ -5772,4 +5772,7 @@ a)"xI + /(a)?a/I + manm + ++-- ++ \[X]{-10} ++ + # End of testinput2 +diff --git a/testdata/testoutput2 b/testdata/testoutput2 +index c733c12..958f246 100644 +--- a/testdata/testoutput2 ++++ b/testdata/testoutput2 +@@ -17435,6 +17435,10 @@ Subject length lower bound = 1 + manm + 0: a + ++-- ++ \[X]{-10} ++** Zero or negative repeat not allowed ++ + # End of testinput2 + Error -70: PCRE2_ERROR_BADDATA (unknown error number) + Error -62: bad serialized data diff --git a/meta/recipes-support/libpcre/libpcre2_10.34.bb b/meta/recipes-support/libpcre/libpcre2_10.34.bb index fa8655e027..53277270d2 100644 --- a/meta/recipes-support/libpcre/libpcre2_10.34.bb +++ b/meta/recipes-support/libpcre/libpcre2_10.34.bb @@ -10,8 +10,12 @@ SECTION = "devel" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37" -SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ +SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2 \ file://pcre-cross.patch \ + file://CVE-2022-1586.patch \ + file://CVE-2022-1586-regression.patch \ + file://CVE-2022-1587.patch \ + file://CVE-2022-41409.patch \ " SRC_URI[md5sum] = "d280b62ded13f9ccf2fac16ee5286366" diff --git a/meta/recipes-support/libpcre/libpcre_8.44.bb b/meta/recipes-support/libpcre/libpcre_8.44.bb index e5471e81da..3267c5ad72 100644 --- a/meta/recipes-support/libpcre/libpcre_8.44.bb +++ b/meta/recipes-support/libpcre/libpcre_8.44.bb @@ -7,8 +7,7 @@ HOMEPAGE = "http://www.pcre.org" SECTION = "devel" LICENSE = "BSD-3-Clause" LIC_FILES_CHKSUM = "file://LICENCE;md5=3bb381a66a5385b246d4877922e7511e" -SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \ - file://fix-pcre-name-collision.patch \ +SRC_URI = "${SOURCEFORGE_MIRROR}/pcre/pcre-${PV}.tar.bz2 \ file://run-ptest \ file://Makefile \ " |