head 1.1; access; symbols pkgsrc-2017Q1:1.1.0.2; locks; strict; comment @// @; 1.1 date 2017.04.25.17.54.53; author bsiegert; state dead; branches 1.1.2.1; next ; commitid g88b3A1OaDGrtWOz; 1.1.2.1 date 2017.04.25.17.54.53; author bsiegert; state Exp; branches; next ; commitid g88b3A1OaDGrtWOz; desc @@ 1.1 log @file patch-i18n_regexcmp.cpp was initially added on branch pkgsrc-2017Q1. @ text @@ 1.1.2.1 log @Pullup ticket #5357 - requested by maya textproc/icu: security fix (backported) ICU had a vulnerability (CVE-2017-786[78]) Unfortunately they fixed it by doing a major release and have previously broken other packages at runtime with such updates. I've made backports of all the changesets that were mentioned in any of the links, specifically the oss-fuzz report was somewhat broad and mentioned 39673 which backported several 'crash' changesets: http://bugs.icu-project.org/trac/changeset/39663 http://bugs.icu-project.org/trac/changeset/39669 http://bugs.icu-project.org/trac/changeset/39671 The advisory only references code changes relevant to 39671, we could limit the backport to that. https://www.debian.org/security/2017/dsa-3830 I've run make replace and smoke-tested with midori they have a rather extensive testsuite. I've run it with 'make test' and it didn't show any issues. These are manual backports by myself as the patches did not apply cleanly. @ text @a0 173 $NetBSD$ Backport upstream changeset 39663 ticket:12930 Fix assertion failure in regex compile. Use safeIncrement for progressing currentLen in matchStartType --- i18n/regexcmp.cpp.orig 2016-06-15 18:58:17.000000000 +0000 +++ i18n/regexcmp.cpp @@@@ -2637,6 +2637,18 @@@@ void RegexCompile::findCaseInsensitiveS } +// Increment with overflow check. +// val and delta will both be positive. 
+ +static int32_t safeIncrement(int32_t val, int32_t delta) { + if (INT32_MAX - val > delta) { + return val + delta; + } else { + return INT32_MAX; + } +} + + //------------------------------------------------------------------------------ @@@@ -2737,7 +2749,7 @@@@ void RegexCompile::matchStartType() { fRXPat->fInitialChars->add(URX_VAL(op)); numInitialStrings += 2; } - currentLen++; + currentLen = safeIncrement(currentLen, 1); atStart = FALSE; break; @@@@ -2750,7 +2762,7 @@@@ void RegexCompile::matchStartType() { fRXPat->fInitialChars->addAll(*s); numInitialStrings += 2; } - currentLen++; + currentLen = safeIncrement(currentLen, 1); atStart = FALSE; break; @@@@ -2787,7 +2799,7 @@@@ void RegexCompile::matchStartType() { fRXPat->fInitialChars->addAll(*s); numInitialStrings += 2; } - currentLen++; + currentLen = safeIncrement(currentLen, 1); atStart = FALSE; break; @@@@ -2802,7 +2814,7 @@@@ void RegexCompile::matchStartType() { fRXPat->fInitialChars->addAll(sc); numInitialStrings += 2; } - currentLen++; + currentLen = safeIncrement(currentLen, 1); atStart = FALSE; break; @@@@ -2819,7 +2831,7 @@@@ void RegexCompile::matchStartType() { fRXPat->fInitialChars->addAll(s); numInitialStrings += 2; } - currentLen++; + currentLen = safeIncrement(currentLen, 1); atStart = FALSE; break; @@@@ -2836,7 +2848,7 @@@@ void RegexCompile::matchStartType() { fRXPat->fInitialChars->addAll(s); numInitialStrings += 2; } - currentLen++; + currentLen = safeIncrement(currentLen, 1); atStart = FALSE; break; @@@@ -2855,7 +2867,7 @@@@ void RegexCompile::matchStartType() { fRXPat->fInitialChars->addAll(s); numInitialStrings += 2; } - currentLen++; + currentLen = safeIncrement(currentLen, 1); atStart = FALSE; break; @@@@ -2879,7 +2891,7 @@@@ void RegexCompile::matchStartType() { } numInitialStrings += 2; } - currentLen++; + currentLen = safeIncrement(currentLen, 1); atStart = FALSE; break; @@@@ -2895,7 +2907,7 @@@@ void RegexCompile::matchStartType() { fRXPat->fInitialChars->complement(); 
numInitialStrings += 2; } - currentLen++; + currentLen = safeIncrement(currentLen, 1); atStart = FALSE; break; @@@@ -2975,7 +2987,7 @@@@ void RegexCompile::matchStartType() { fRXPat->fInitialStringLen = stringLen; } - currentLen += stringLen; + currentLen = safeIncrement(currentLen, stringLen); atStart = FALSE; } break; @@@@ -3000,7 +3012,7 @@@@ void RegexCompile::matchStartType() { fRXPat->fInitialChars->addAll(s); numInitialStrings += 2; // Matching on an initial string not possible. } - currentLen += stringLen; + currentLen = safeIncrement(currentLen, stringLen); atStart = FALSE; } break; @@@@ -3258,7 +3270,7 @@@@ int32_t RegexCompile::minMatchLength(i case URX_DOTANY_ALL: // . matches one or two. case URX_DOTANY: case URX_DOTANY_UNIX: - currentLen++; + currentLen = safeIncrement(currentLen, 1); break; @@@@ -3310,7 +3322,7 @@@@ int32_t RegexCompile::minMatchLength(i { loc++; int32_t stringLenOp = (int32_t)fRXPat->fCompiledPat->elementAti(loc); - currentLen += URX_VAL(stringLenOp); + currentLen = safeIncrement(currentLen, URX_VAL(stringLenOp)); } break; @@@@ -3323,7 +3335,7 @@@@ int32_t RegexCompile::minMatchLength(i // Assume a min length of one for now. A min length of zero causes // optimization failures for a pattern like "string"+ // currentLen += URX_VAL(stringLenOp); - currentLen += 1; + currentLen = safeIncrement(currentLen, 1); } break; @@@@ -3433,18 +3445,6 @@@@ int32_t RegexCompile::minMatchLength(i return currentLen; } -// Increment with overflow check. -// val and delta will both be positive. - -static int32_t safeIncrement(int32_t val, int32_t delta) { - if (INT32_MAX - val > delta) { - return val + delta; - } else { - return INT32_MAX; - } -} - - //------------------------------------------------------------------------------ // // maxMatchLength Calculate the length of the longest string that could @
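Review bot: The calls `currentLen = safeIncrement(currentLen, stringLen);` in matchStartType and `currentLen = safeIncrement(currentLen, URX_VAL(stringLenOp));` in minMatchLength depend on the helper's precondition ("val and delta will both be positive"), which exists only as a comment and is not checked anywhere in the visible lines. If `val` were ever negative, `INT32_MAX - val` would itself be a signed overflow, so the guard would be undefined behaviour instead of saturating. The delta in minMatchLength is decoded from the compiled pattern, and the origin of `stringLen` is outside these hunks, so I cannot confirm from here that both are always non-negative. I would check the precondition in the helper, for example `U_ASSERT(val >= 0 && delta >= 0);` (debug builds only, assuming the file's usual assert macro), and extend its comment with `// Saturates at INT32_MAX instead of wrapping; callers must treat INT32_MAX as "too long to track".` Both function bodies continue outside the hunks shown.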