head	1.2;
access;
symbols
	pkgsrc-2015Q1:1.1.0.4
	pkgsrc-2015Q1-base:1.1
	pkgsrc-2014Q4:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2015.04.06.07.22.54;	author adam;	state dead;
branches;
next	1.1;
commitid	gsMWQaokTzvf5vgy;

1.1
date	2015.03.06.14.43.15;	author spz;	state Exp;
branches
	1.1.2.1;
next	;
commitid	A8rCs5Il6N5Tvycy;

1.1.2.1
date	2015.03.06.14.43.15;	author tron;	state dead;
branches;
next	1.1.2.2;
commitid	ZiuoyolMhPe11Ycy;

1.1.2.2
date	2015.03.09.19.31.21;	author tron;	state Exp;
branches;
next	;
commitid	ZiuoyolMhPe11Ycy;


desc
@@


1.2
log
@Changes 55.1:
The features for this release include support of CLDR 27 (with a major cleanup of region locales, among many other improvements), formatting for scientific notation ("1.2 × 10³"), an update to Unicode 7.0 data for spoof-checking, narrow AM/PM markers ("7:45p"), and various performance enhancements. For C/C++, there are new methods for flexible dates ("Nov 10", or "Sept 2015"), named capture groups for regular expressions, formatting of compound units ("3.5 meters per second"), new C wrappers, and independent timezone resource loading. ICU4J has been improved and tested for using ICU4C data and for running on Android.
@
text
@$NetBSD: patch-CVE-2014-7923+7926,v 1.1 2015/03/06 14:43:15 spz Exp $

patches for CVE-2014-7923 and CVE-2014-7926 from
https://chromium.googlesource.com/chromium/deps/icu52/+/6242e2fbb36f486f2c0addd1c3cef67fc4ed33fb

--- i18n/regexcmp.cpp.orig	2014-10-03 16:10:36.000000000 +0000
+++ i18n/regexcmp.cpp
@@@@ -2132,6 +2132,10 @@@@ void  RegexCompile::handleCloseParen() {
             int32_t patEnd   = fRXPat->fCompiledPat->size() - 1;
             int32_t minML    = minMatchLength(fMatchOpenParen, patEnd);
             int32_t maxML    = maxMatchLength(fMatchOpenParen, patEnd);
+            if (URX_TYPE(maxML) != 0) {
+                error(U_REGEX_LOOK_BEHIND_LIMIT);
+                break;
+            }
             if (maxML == INT32_MAX) {
                 error(U_REGEX_LOOK_BEHIND_LIMIT);
                 break;
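Review bot: The added `URX_TYPE(maxML) != 0` guard in handleCloseParen() reuses the opcode-type accessor as a range check without saying so. Going by the Bug 11370 test comment in this patch, the intent is that maxML must fit the 24-bit operand of a compiled op, and a comment such as `// maxML is stored as a 24-bit operand; reject values that would spill into the opcode byte.` would make that explicit. If URX_TYPE extracts the top eight bits, as its use here suggests, the following `maxML == INT32_MAX` test can no longer be reached and could be dropped or folded into the new condition. The same applies to the identical guard in the second handleCloseParen() hunk. The enclosing case block starts and ends outside both hunks, so the place where maxML is finally emitted is not visible here.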
@@@@ -2165,6 +2169,10 @@@@ void  RegexCompile::handleCloseParen() {
             int32_t patEnd   = fRXPat->fCompiledPat->size() - 1;
             int32_t minML    = minMatchLength(fMatchOpenParen, patEnd);
             int32_t maxML    = maxMatchLength(fMatchOpenParen, patEnd);
+            if (URX_TYPE(maxML) != 0) {
+                error(U_REGEX_LOOK_BEHIND_LIMIT);
+                break;
+            }
             if (maxML == INT32_MAX) {
                 error(U_REGEX_LOOK_BEHIND_LIMIT);
                 break;
@@@@ -2328,7 +2336,15 @@@@ UBool RegexCompile::compileInlineInterva
     int32_t   topOfBlock = blockTopLoc(FALSE);
     if (fIntervalUpper == 0) {
         // Pathological case.  Attempt no matches, as if the block doesn't exist.
+        // Discard the generated code for the block.
+        // If the block included parens, discard the info pertaining to them as well.
         fRXPat->fCompiledPat->setSize(topOfBlock);
+        if (fMatchOpenParen >= topOfBlock) {
+            fMatchOpenParen = -1;
+        }
+        if (fMatchCloseParen >= topOfBlock) {
+            fMatchCloseParen = -1;
+        }
         return TRUE;
     }
 
--- i18n/regexcmp.h.orig	2014-10-03 16:10:36.000000000 +0000
+++ i18n/regexcmp.h
@@@@ -187,7 +187,9 @@@@ private:
     int32_t                       fMatchOpenParen;   // The position in the compiled pattern
                                                      //   of the slot reserved for a state save
                                                      //   at the start of the most recently processed
-                                                     //   parenthesized block.
+                                                     //   parenthesized block. Updated when processing
+                                                     //   a close to the location for the corresponding open.
+
     int32_t                       fMatchCloseParen;  // The position in the pattern of the first
                                                      //   location after the most recently processed
                                                      //   parenthesized block.
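Review bot: The revised comment on fMatchOpenParen does not record the new -1 state: the compileInlineInterval() hunk in regexcmp.cpp now sets both fMatchOpenParen and fMatchCloseParen to -1 when a zero-count interval discards the block they pointed into. Any code that reads these fields as positions in fCompiledPat has to treat -1 as "no block", so both member comments should say so, for example `//   -1 if the block's code was discarded (zero-count interval).`. The added blank `+` line between the two members looks unintended. The class body starts and ends outside the hunk.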
--- test/testdata/regextst.txt.orig	2014-10-03 16:09:58.000000000 +0000
+++ test/testdata/regextst.txt
@@@@ -1178,6 +1178,24 @@@@
 "(?<=a{1,})bc"           E       "aaaa<0>bc</0>def"   # U_REGEX_LOOK_BEHIND_LIMIT error.
 "(?<=(?:){11})bc"                "<0>bc</0>"          # Empty (?:) expression.
 
+# Bug 11369
+#   Incorrect optimization of patterns with a zero length quantifier {0}
+
+"(.|b)(|b){0}\$(?#xxx){3}(?>\D*)"   "AAAAABBBBBCCCCCDDDDEEEEE"
+"(|b)ab(c)"                     "<0><1></1>ab<2>c</2></0>"
+"(|b){0}a{3}(D*)"               "<0>aaa<2></2></0>"
+"(|b){0,1}a{3}(D*)"             "<0><1></1>aaa<2></2></0>"
+"((|b){0})a{3}(D*)"             "<0><1></1>aaa<3></3></0>"
+
+# Bug 11370
+#   Max match length computation of look-behind expression gives result that is too big to fit in the
+#   in the 24 bit operand portion of the compiled code. Expressions should fail to compile
+#   (Look-behind match length must be bounded. This case is treated as unbounded, an error.)
+
+"(?<!(0123456789a){10000000})x"         E  "no match"
+"(?<!\\ubeaf(\\ubeaf{11000}){11000})"   E  "no match"
+
+
 # Bug 10835
 #   Match Start Set not being correctly computed for case insensitive patterns.
 #   (Test here is to dump the compiled pattern & manually check the start set.)
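Review bot: Both new Bug 11370 cases use the negative look-behind form `(?<!`, while the patch adds the operand-size guard at two separate places in handleCloseParen(). Those are presumably the positive and negative look-behind branches, although the case labels are outside the hunks. A mirrored case such as `"(?<=(0123456789a){10000000})x"         E  "no match"` would exercise the other site. The Bug 11370 comment also repeats "in the" across its first two lines.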
@


1.1
log
@add patch for CVE-2014-7923 and CVE-2014-7926 found at
https://chromium.googlesource.com/chromium/deps/icu52/+/6242e2fbb36f486f2c0addd1c3cef67fc4ed33fb
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-CVE-2014-7923+7926 was added on branch pkgsrc-2014Q4 on 2015-03-09 19:31:21 +0000
@
text
@d1 85
@


1.1.2.2
log
@Pullup ticket #4636 - requested by spz
textproc/icu: security patch

Revisions pulled up:
- textproc/icu/Makefile                                         1.96
- textproc/icu/distinfo                                         1.52
- textproc/icu/patches/patch-CVE-2014-7923+7926                 1.1

---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Fri Mar  6 14:43:15 UTC 2015

   Modified Files:
   	pkgsrc/textproc/icu: Makefile distinfo
   Added Files:
   	pkgsrc/textproc/icu/patches: patch-CVE-2014-7923+7926

   Log Message:
   add patch for CVE-2014-7923 and CVE-2014-7926 found at
   https://chromium.googlesource.com/chromium/deps/icu52/+/6242e2fbb36f486f2c0addd1c3cef67fc4ed33fb
@
text
@a0 85
$NetBSD$

patches for CVE-2014-7923 and CVE-2014-7926 from
https://chromium.googlesource.com/chromium/deps/icu52/+/6242e2fbb36f486f2c0addd1c3cef67fc4ed33fb

--- i18n/regexcmp.cpp.orig	2014-10-03 16:10:36.000000000 +0000
+++ i18n/regexcmp.cpp
@@@@ -2132,6 +2132,10 @@@@ void  RegexCompile::handleCloseParen() {
             int32_t patEnd   = fRXPat->fCompiledPat->size() - 1;
             int32_t minML    = minMatchLength(fMatchOpenParen, patEnd);
             int32_t maxML    = maxMatchLength(fMatchOpenParen, patEnd);
+            if (URX_TYPE(maxML) != 0) {
+                error(U_REGEX_LOOK_BEHIND_LIMIT);
+                break;
+            }
             if (maxML == INT32_MAX) {
                 error(U_REGEX_LOOK_BEHIND_LIMIT);
                 break;
@@@@ -2165,6 +2169,10 @@@@ void  RegexCompile::handleCloseParen() {
             int32_t patEnd   = fRXPat->fCompiledPat->size() - 1;
             int32_t minML    = minMatchLength(fMatchOpenParen, patEnd);
             int32_t maxML    = maxMatchLength(fMatchOpenParen, patEnd);
+            if (URX_TYPE(maxML) != 0) {
+                error(U_REGEX_LOOK_BEHIND_LIMIT);
+                break;
+            }
             if (maxML == INT32_MAX) {
                 error(U_REGEX_LOOK_BEHIND_LIMIT);
                 break;
@@@@ -2328,7 +2336,15 @@@@ UBool RegexCompile::compileInlineInterva
     int32_t   topOfBlock = blockTopLoc(FALSE);
     if (fIntervalUpper == 0) {
         // Pathological case.  Attempt no matches, as if the block doesn't exist.
+        // Discard the generated code for the block.
+        // If the block included parens, discard the info pertaining to them as well.
         fRXPat->fCompiledPat->setSize(topOfBlock);
+        if (fMatchOpenParen >= topOfBlock) {
+            fMatchOpenParen = -1;
+        }
+        if (fMatchCloseParen >= topOfBlock) {
+            fMatchCloseParen = -1;
+        }
         return TRUE;
     }
 
--- i18n/regexcmp.h.orig	2014-10-03 16:10:36.000000000 +0000
+++ i18n/regexcmp.h
@@@@ -187,7 +187,9 @@@@ private:
     int32_t                       fMatchOpenParen;   // The position in the compiled pattern
                                                      //   of the slot reserved for a state save
                                                      //   at the start of the most recently processed
-                                                     //   parenthesized block.
+                                                     //   parenthesized block. Updated when processing
+                                                     //   a close to the location for the corresponding open.
+
     int32_t                       fMatchCloseParen;  // The position in the pattern of the first
                                                      //   location after the most recently processed
                                                      //   parenthesized block.
--- test/testdata/regextst.txt.orig	2014-10-03 16:09:58.000000000 +0000
+++ test/testdata/regextst.txt
@@@@ -1178,6 +1178,24 @@@@
 "(?<=a{1,})bc"           E       "aaaa<0>bc</0>def"   # U_REGEX_LOOK_BEHIND_LIMIT error.
 "(?<=(?:){11})bc"                "<0>bc</0>"          # Empty (?:) expression.
 
+# Bug 11369
+#   Incorrect optimization of patterns with a zero length quantifier {0}
+
+"(.|b)(|b){0}\$(?#xxx){3}(?>\D*)"   "AAAAABBBBBCCCCCDDDDEEEEE"
+"(|b)ab(c)"                     "<0><1></1>ab<2>c</2></0>"
+"(|b){0}a{3}(D*)"               "<0>aaa<2></2></0>"
+"(|b){0,1}a{3}(D*)"             "<0><1></1>aaa<2></2></0>"
+"((|b){0})a{3}(D*)"             "<0><1></1>aaa<3></3></0>"
+
+# Bug 11370
+#   Max match length computation of look-behind expression gives result that is too big to fit in the
+#   in the 24 bit operand portion of the compiled code. Expressions should fail to compile
+#   (Look-behind match length must be bounded. This case is treated as unbounded, an error.)
+
+"(?<!(0123456789a){10000000})x"         E  "no match"
+"(?<!\\ubeaf(\\ubeaf{11000}){11000})"   E  "no match"
+
+
 # Bug 10835
 #   Match Start Set not being correctly computed for case insensitive patterns.
 #   (Test here is to dump the compiled pattern & manually check the start set.)
@


