summaryrefslogtreecommitdiffstats
path: root/meta/recipes-support/libpcre
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-support/libpcre')
-rw-r--r--meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch41
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch30
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch59
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch660
-rw-r--r--meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch74
-rw-r--r--meta/recipes-support/libpcre/libpcre2_10.34.bb6
-rw-r--r--meta/recipes-support/libpcre/libpcre_8.44.bb3
7 files changed, 829 insertions, 44 deletions
diff --git a/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch b/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch
deleted file mode 100644
index 89b44f6aa6..0000000000
--- a/meta/recipes-support/libpcre/libpcre/fix-pcre-name-collision.patch
+++ /dev/null
@@ -1,41 +0,0 @@
1Upstream-Status: Inappropriate [debian patch]
2
3This patch address a namespace collision with libc.
4
5Although there is no "#include <regex.h>" in the source file, at
6runtime, it's unintentionally linked to the libc version, the regcomp of
7libc is called instead the pcre one using pcre's data structure...
8that looks like a disaster.
9
10Can patch is from Debian (and Ubuntu 11.04alpha has it also).
11
12[sgw: added patch comment]
13Signed-off-by: Qing He <qing.he@intel.com>
14Signed-off-by: Saul Wold <sgw@linux.intel.com>
15
16--- a/pcreposix.h 2010-05-17 00:17:23.000000000 +0800
17+++ b/pcreposix.h 2009-01-15 04:32:17.000000000 +0800
18@@ -133,14 +130,19 @@
19
20 /* The functions */
21
22-PCREPOSIX_EXP_DECL int regcomp(regex_t *, const char *, int);
23-PCREPOSIX_EXP_DECL int regexec(const regex_t *, const char *, size_t,
24+PCREPOSIX_EXP_DECL int pcreposix_regcomp(regex_t *, const char *, int);
25+PCREPOSIX_EXP_DECL int pcreposix_regexec(const regex_t *, const char *, size_t,
26 regmatch_t *, int);
27-PCREPOSIX_EXP_DECL size_t regerror(int, const regex_t *, char *, size_t);
28-PCREPOSIX_EXP_DECL void regfree(regex_t *);
29+PCREPOSIX_EXP_DECL size_t pcreposix_regerror(int, const regex_t *, char *, size_t);
30+PCREPOSIX_EXP_DECL void pcreposix_regfree(regex_t *);
31
32 #ifdef __cplusplus
33 } /* extern "C" */
34 #endif
35
36+#define regcomp pcreposix_regcomp
37+#define regexec pcreposix_regexec
38+#define regerror pcreposix_regerror
39+#define regfree pcreposix_regfree
40+
41 #endif /* End of pcreposix.h */
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch
new file mode 100644
index 0000000000..42ee417fe7
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586-regression.patch
@@ -0,0 +1,30 @@
1From 5d1e62b0155292b994aa1c96d4ed8ce4346ef4c2 Mon Sep 17 00:00:00 2001
2From: Zoltan Herczeg <hzmester@freemail.hu>
3Date: Thu, 24 Mar 2022 05:34:42 +0000
4Subject: [PATCH] Fix incorrect value reading in JIT.
5
6CVE: CVE-2022-1586
7Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/d4fa336fbcc3]
8
9(cherry picked from commit d4fa336fbcc388f89095b184ba6d99422cfc676c)
10Signed-off-by: Shinu Chandran <shinucha@cisco.com>
11---
12 src/pcre2_jit_compile.c | 2 +-
13 1 file changed, 1 insertion(+), 1 deletion(-)
14
15diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
16index 493c96d..fa57942 100644
17--- a/src/pcre2_jit_compile.c
18+++ b/src/pcre2_jit_compile.c
19@@ -7188,7 +7188,7 @@ while (*cc != XCL_END)
20 {
21 SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
22 cc++;
23- if (*cc == PT_CLIST && *cc == XCL_PROP)
24+ if (*cc == PT_CLIST && cc[-1] == XCL_PROP)
25 {
26 other_cases = PRIV(ucd_caseless_sets) + cc[1];
27 while (*other_cases != NOTACHAR)
28--
292.25.1
30
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
new file mode 100644
index 0000000000..fbbbc9ca77
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1586.patch
@@ -0,0 +1,59 @@
1From 233c4248550d0c1d9bfee42198d5ee0855b7d413 Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Mon, 23 May 2022 13:52:39 +0530
4Subject: [PATCH] CVE-2022-1586
5
6Upstream-Status: Backport from https://github.com/PCRE2Project/pcre2/commit/50a51cb7e67268e6ad417eb07c9de9bfea5cc55a
7
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9---
10 ChangeLog | 3 +++
11 src/pcre2_jit_compile.c | 2 +-
12 src/pcre2_jit_test.c | 4 ++++
13 3 files changed, 8 insertions(+), 1 deletion(-)
14
15diff --git a/ChangeLog b/ChangeLog
16index 0926c29..b5d72dc 100644
17--- a/ChangeLog
18+++ b/ChangeLog
19@@ -1,6 +1,9 @@
20 Change Log for PCRE2
21 --------------------
22
23+23. Fixed a unicode properrty matching issue in JIT. The character was not
24+fully read in caseless matching.
25+
26
27 Version 10.34 21-November-2019
28 ------------------------------
29diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
30index f564127..5d43865 100644
31--- a/src/pcre2_jit_compile.c
32+++ b/src/pcre2_jit_compile.c
33@@ -7119,7 +7119,7 @@ while (*cc != XCL_END)
34 {
35 SLJIT_ASSERT(*cc == XCL_PROP || *cc == XCL_NOTPROP);
36 cc++;
37- if (*cc == PT_CLIST)
38+ if (*cc == PT_CLIST && *cc == XCL_PROP)
39 {
40 other_cases = PRIV(ucd_caseless_sets) + cc[1];
41 while (*other_cases != NOTACHAR)
42diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
43index a9b3880..9df87fd 100644
44--- a/src/pcre2_jit_test.c
45+++ b/src/pcre2_jit_test.c
46@@ -408,6 +408,10 @@ static struct regression_test_case regression_test_cases[] = {
47 { MUP, A, 0, 0 | F_PROPERTY, "[\xc3\xa2-\xc3\xa6\xc3\x81-\xc3\x84\xe2\x80\xa8-\xe2\x80\xa9\xe6\x92\xad\\p{Zs}]{2,}", "\xe2\x80\xa7\xe2\x80\xa9\xe6\x92\xad \xe6\x92\xae" },
48 { MUP, A, 0, 0 | F_PROPERTY, "[\\P{L&}]{2}[^\xc2\x85-\xc2\x89\\p{Ll}\\p{Lu}]{2}", "\xc3\xa9\xe6\x92\xad.a\xe6\x92\xad|\xc2\x8a#" },
49 { PCRE2_UCP, 0, 0, 0 | F_PROPERTY, "[a-b\\s]{2,5}[^a]", "AB baaa" },
50+ { MUP, 0, 0, 0 | F_NOMATCH, "[^\\p{Hangul}\\p{Z}]", " " },
51+ { MUP, 0, 0, 0, "[\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
52+ { MUP, 0, 0, 0, "[\\x{a92e}\\p{Lu}\\P{Latin}]+", "c\xEA\xA4\xAE,A,b" },
53+ { CMUP, 0, 0, 0, "[^S]\\B", "\xe2\x80\x8a" },
54
55 /* Possible empty brackets. */
56 { MU, A, 0, 0, "(?:|ab||bc|a)+d", "abcxabcabd" },
57--
582.25.1
59
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch
new file mode 100644
index 0000000000..70f9f9f079
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-1587.patch
@@ -0,0 +1,660 @@
1From aa5aac0d209e3debf80fc2db924d9401fc50454b Mon Sep 17 00:00:00 2001
2From: Hitendra Prajapati <hprajapati@mvista.com>
3Date: Mon, 23 May 2022 14:11:11 +0530
4Subject: [PATCH] CVE-2022-1587
5
6Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/03654e751e7f0700693526b67dfcadda6b42c9d0]
7CVE: CVE-2022-1587
8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
9
10---
11 ChangeLog | 3 +
12 src/pcre2_jit_compile.c | 290 ++++++++++++++++++++++++++--------------
13 src/pcre2_jit_test.c | 1 +
14 3 files changed, 194 insertions(+), 100 deletions(-)
15
16diff --git a/ChangeLog b/ChangeLog
17index b5d72dc..de82de9 100644
18--- a/ChangeLog
19+++ b/ChangeLog
20@@ -4,6 +4,9 @@ Change Log for PCRE2
21 23. Fixed a unicode properrty matching issue in JIT. The character was not
22 fully read in caseless matching.
23
24+24. Fixed an issue affecting recursions in JIT caused by duplicated data
25+transfers.
26+
27
28 Version 10.34 21-November-2019
29 ------------------------------
30diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
31index 5d43865..493c96d 100644
32--- a/src/pcre2_jit_compile.c
33+++ b/src/pcre2_jit_compile.c
34@@ -407,6 +407,9 @@ typedef struct compiler_common {
35 /* Locals used by fast fail optimization. */
36 sljit_s32 fast_fail_start_ptr;
37 sljit_s32 fast_fail_end_ptr;
38+ /* Variables used by recursive call generator. */
39+ sljit_s32 recurse_bitset_size;
40+ uint8_t *recurse_bitset;
41
42 /* Flipped and lower case tables. */
43 const sljit_u8 *fcc;
44@@ -2109,19 +2112,39 @@ for (i = 0; i < RECURSE_TMP_REG_COUNT; i++)
45
46 #undef RECURSE_TMP_REG_COUNT
47
48+static BOOL recurse_check_bit(compiler_common *common, sljit_sw bit_index)
49+{
50+uint8_t *byte;
51+uint8_t mask;
52+
53+SLJIT_ASSERT((bit_index & (sizeof(sljit_sw) - 1)) == 0);
54+
55+bit_index >>= SLJIT_WORD_SHIFT;
56+
57+mask = 1 << (bit_index & 0x7);
58+byte = common->recurse_bitset + (bit_index >> 3);
59+
60+if (*byte & mask)
61+ return FALSE;
62+
63+*byte |= mask;
64+return TRUE;
65+}
66+
67 static int get_recurse_data_length(compiler_common *common, PCRE2_SPTR cc, PCRE2_SPTR ccend,
68 BOOL *needs_control_head, BOOL *has_quit, BOOL *has_accept)
69 {
70 int length = 1;
71-int size;
72+int size, offset;
73 PCRE2_SPTR alternative;
74 BOOL quit_found = FALSE;
75 BOOL accept_found = FALSE;
76 BOOL setsom_found = FALSE;
77 BOOL setmark_found = FALSE;
78-BOOL capture_last_found = FALSE;
79 BOOL control_head_found = FALSE;
80
81+memset(common->recurse_bitset, 0, common->recurse_bitset_size);
82+
83 #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD
84 SLJIT_ASSERT(common->control_head_ptr != 0);
85 control_head_found = TRUE;
86@@ -2144,15 +2167,17 @@ while (cc < ccend)
87 setsom_found = TRUE;
88 if (common->mark_ptr != 0)
89 setmark_found = TRUE;
90- if (common->capture_last_ptr != 0)
91- capture_last_found = TRUE;
92+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
93+ length++;
94 cc += 1 + LINK_SIZE;
95 break;
96
97 case OP_KET:
98- if (PRIVATE_DATA(cc) != 0)
99+ offset = PRIVATE_DATA(cc);
100+ if (offset != 0)
101 {
102- length++;
103+ if (recurse_check_bit(common, offset))
104+ length++;
105 SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0);
106 cc += PRIVATE_DATA(cc + 1);
107 }
108@@ -2169,39 +2194,55 @@ while (cc < ccend)
109 case OP_SBRA:
110 case OP_SBRAPOS:
111 case OP_SCOND:
112- length++;
113 SLJIT_ASSERT(PRIVATE_DATA(cc) != 0);
114+ if (recurse_check_bit(common, PRIVATE_DATA(cc)))
115+ length++;
116 cc += 1 + LINK_SIZE;
117 break;
118
119 case OP_CBRA:
120 case OP_SCBRA:
121- length += 2;
122- if (common->capture_last_ptr != 0)
123- capture_last_found = TRUE;
124- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0)
125+ offset = GET2(cc, 1 + LINK_SIZE);
126+ if (recurse_check_bit(common, OVECTOR(offset << 1)))
127+ {
128+ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1)));
129+ length += 2;
130+ }
131+ if (common->optimized_cbracket[offset] == 0 && recurse_check_bit(common, OVECTOR_PRIV(offset)))
132+ length++;
133+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
134 length++;
135 cc += 1 + LINK_SIZE + IMM2_SIZE;
136 break;
137
138 case OP_CBRAPOS:
139 case OP_SCBRAPOS:
140- length += 2 + 2;
141- if (common->capture_last_ptr != 0)
142- capture_last_found = TRUE;
143+ offset = GET2(cc, 1 + LINK_SIZE);
144+ if (recurse_check_bit(common, OVECTOR(offset << 1)))
145+ {
146+ SLJIT_ASSERT(recurse_check_bit(common, OVECTOR((offset << 1) + 1)));
147+ length += 2;
148+ }
149+ if (recurse_check_bit(common, OVECTOR_PRIV(offset)))
150+ length++;
151+ if (recurse_check_bit(common, PRIVATE_DATA(cc)))
152+ length++;
153+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
154+ length++;
155 cc += 1 + LINK_SIZE + IMM2_SIZE;
156 break;
157
158 case OP_COND:
159 /* Might be a hidden SCOND. */
160 alternative = cc + GET(cc, 1);
161- if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN)
162+ if ((*alternative == OP_KETRMAX || *alternative == OP_KETRMIN) && recurse_check_bit(common, PRIVATE_DATA(cc)))
163 length++;
164 cc += 1 + LINK_SIZE;
165 break;
166
167 CASE_ITERATOR_PRIVATE_DATA_1
168- if (PRIVATE_DATA(cc) != 0)
169+ offset = PRIVATE_DATA(cc);
170+ if (offset != 0 && recurse_check_bit(common, offset))
171 length++;
172 cc += 2;
173 #ifdef SUPPORT_UNICODE
174@@ -2210,8 +2251,12 @@ while (cc < ccend)
175 break;
176
177 CASE_ITERATOR_PRIVATE_DATA_2A
178- if (PRIVATE_DATA(cc) != 0)
179+ offset = PRIVATE_DATA(cc);
180+ if (offset != 0 && recurse_check_bit(common, offset))
181+ {
182+ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
183 length += 2;
184+ }
185 cc += 2;
186 #ifdef SUPPORT_UNICODE
187 if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
188@@ -2219,8 +2264,12 @@ while (cc < ccend)
189 break;
190
191 CASE_ITERATOR_PRIVATE_DATA_2B
192- if (PRIVATE_DATA(cc) != 0)
193+ offset = PRIVATE_DATA(cc);
194+ if (offset != 0 && recurse_check_bit(common, offset))
195+ {
196+ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
197 length += 2;
198+ }
199 cc += 2 + IMM2_SIZE;
200 #ifdef SUPPORT_UNICODE
201 if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
202@@ -2228,20 +2277,29 @@ while (cc < ccend)
203 break;
204
205 CASE_ITERATOR_TYPE_PRIVATE_DATA_1
206- if (PRIVATE_DATA(cc) != 0)
207+ offset = PRIVATE_DATA(cc);
208+ if (offset != 0 && recurse_check_bit(common, offset))
209 length++;
210 cc += 1;
211 break;
212
213 CASE_ITERATOR_TYPE_PRIVATE_DATA_2A
214- if (PRIVATE_DATA(cc) != 0)
215+ offset = PRIVATE_DATA(cc);
216+ if (offset != 0 && recurse_check_bit(common, offset))
217+ {
218+ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
219 length += 2;
220+ }
221 cc += 1;
222 break;
223
224 CASE_ITERATOR_TYPE_PRIVATE_DATA_2B
225- if (PRIVATE_DATA(cc) != 0)
226+ offset = PRIVATE_DATA(cc);
227+ if (offset != 0 && recurse_check_bit(common, offset))
228+ {
229+ SLJIT_ASSERT(recurse_check_bit(common, offset + sizeof(sljit_sw)));
230 length += 2;
231+ }
232 cc += 1 + IMM2_SIZE;
233 break;
234
235@@ -2253,7 +2311,9 @@ while (cc < ccend)
236 #else
237 size = 1 + 32 / (int)sizeof(PCRE2_UCHAR);
238 #endif
239- if (PRIVATE_DATA(cc) != 0)
240+
241+ offset = PRIVATE_DATA(cc);
242+ if (offset != 0 && recurse_check_bit(common, offset))
243 length += get_class_iterator_size(cc + size);
244 cc += size;
245 break;
246@@ -2288,8 +2348,7 @@ while (cc < ccend)
247 case OP_THEN:
248 SLJIT_ASSERT(common->control_head_ptr != 0);
249 quit_found = TRUE;
250- if (!control_head_found)
251- control_head_found = TRUE;
252+ control_head_found = TRUE;
253 cc++;
254 break;
255
256@@ -2309,8 +2368,6 @@ SLJIT_ASSERT(cc == ccend);
257
258 if (control_head_found)
259 length++;
260-if (capture_last_found)
261- length++;
262 if (quit_found)
263 {
264 if (setsom_found)
265@@ -2343,14 +2400,12 @@ sljit_sw shared_srcw[3];
266 sljit_sw kept_shared_srcw[2];
267 int private_count, shared_count, kept_shared_count;
268 int from_sp, base_reg, offset, i;
269-BOOL setsom_found = FALSE;
270-BOOL setmark_found = FALSE;
271-BOOL capture_last_found = FALSE;
272-BOOL control_head_found = FALSE;
273+
274+memset(common->recurse_bitset, 0, common->recurse_bitset_size);
275
276 #if defined DEBUG_FORCE_CONTROL_HEAD && DEBUG_FORCE_CONTROL_HEAD
277 SLJIT_ASSERT(common->control_head_ptr != 0);
278-control_head_found = TRUE;
279+recurse_check_bit(common, common->control_head_ptr);
280 #endif
281
282 switch (type)
283@@ -2438,11 +2493,10 @@ while (cc < ccend)
284 {
285 case OP_SET_SOM:
286 SLJIT_ASSERT(common->has_set_som);
287- if (has_quit && !setsom_found)
288+ if (has_quit && recurse_check_bit(common, OVECTOR(0)))
289 {
290 kept_shared_srcw[0] = OVECTOR(0);
291 kept_shared_count = 1;
292- setsom_found = TRUE;
293 }
294 cc += 1;
295 break;
296@@ -2450,33 +2504,31 @@ while (cc < ccend)
297 case OP_RECURSE:
298 if (has_quit)
299 {
300- if (common->has_set_som && !setsom_found)
301+ if (common->has_set_som && recurse_check_bit(common, OVECTOR(0)))
302 {
303 kept_shared_srcw[0] = OVECTOR(0);
304 kept_shared_count = 1;
305- setsom_found = TRUE;
306 }
307- if (common->mark_ptr != 0 && !setmark_found)
308+ if (common->mark_ptr != 0 && recurse_check_bit(common, common->mark_ptr))
309 {
310 kept_shared_srcw[kept_shared_count] = common->mark_ptr;
311 kept_shared_count++;
312- setmark_found = TRUE;
313 }
314 }
315- if (common->capture_last_ptr != 0 && !capture_last_found)
316+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
317 {
318 shared_srcw[0] = common->capture_last_ptr;
319 shared_count = 1;
320- capture_last_found = TRUE;
321 }
322 cc += 1 + LINK_SIZE;
323 break;
324
325 case OP_KET:
326- if (PRIVATE_DATA(cc) != 0)
327+ private_srcw[0] = PRIVATE_DATA(cc);
328+ if (private_srcw[0] != 0)
329 {
330- private_count = 1;
331- private_srcw[0] = PRIVATE_DATA(cc);
332+ if (recurse_check_bit(common, private_srcw[0]))
333+ private_count = 1;
334 SLJIT_ASSERT(PRIVATE_DATA(cc + 1) != 0);
335 cc += PRIVATE_DATA(cc + 1);
336 }
337@@ -2493,50 +2545,66 @@ while (cc < ccend)
338 case OP_SBRA:
339 case OP_SBRAPOS:
340 case OP_SCOND:
341- private_count = 1;
342 private_srcw[0] = PRIVATE_DATA(cc);
343+ if (recurse_check_bit(common, private_srcw[0]))
344+ private_count = 1;
345 cc += 1 + LINK_SIZE;
346 break;
347
348 case OP_CBRA:
349 case OP_SCBRA:
350- offset = (GET2(cc, 1 + LINK_SIZE)) << 1;
351- shared_srcw[0] = OVECTOR(offset);
352- shared_srcw[1] = OVECTOR(offset + 1);
353- shared_count = 2;
354+ offset = GET2(cc, 1 + LINK_SIZE);
355+ shared_srcw[0] = OVECTOR(offset << 1);
356+ if (recurse_check_bit(common, shared_srcw[0]))
357+ {
358+ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw);
359+ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1]));
360+ shared_count = 2;
361+ }
362
363- if (common->capture_last_ptr != 0 && !capture_last_found)
364+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
365 {
366- shared_srcw[2] = common->capture_last_ptr;
367- shared_count = 3;
368- capture_last_found = TRUE;
369+ shared_srcw[shared_count] = common->capture_last_ptr;
370+ shared_count++;
371 }
372
373- if (common->optimized_cbracket[GET2(cc, 1 + LINK_SIZE)] == 0)
374+ if (common->optimized_cbracket[offset] == 0)
375 {
376- private_count = 1;
377- private_srcw[0] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE));
378+ private_srcw[0] = OVECTOR_PRIV(offset);
379+ if (recurse_check_bit(common, private_srcw[0]))
380+ private_count = 1;
381 }
382+
383 cc += 1 + LINK_SIZE + IMM2_SIZE;
384 break;
385
386 case OP_CBRAPOS:
387 case OP_SCBRAPOS:
388- offset = (GET2(cc, 1 + LINK_SIZE)) << 1;
389- shared_srcw[0] = OVECTOR(offset);
390- shared_srcw[1] = OVECTOR(offset + 1);
391- shared_count = 2;
392+ offset = GET2(cc, 1 + LINK_SIZE);
393+ shared_srcw[0] = OVECTOR(offset << 1);
394+ if (recurse_check_bit(common, shared_srcw[0]))
395+ {
396+ shared_srcw[1] = shared_srcw[0] + sizeof(sljit_sw);
397+ SLJIT_ASSERT(recurse_check_bit(common, shared_srcw[1]));
398+ shared_count = 2;
399+ }
400
401- if (common->capture_last_ptr != 0 && !capture_last_found)
402+ if (common->capture_last_ptr != 0 && recurse_check_bit(common, common->capture_last_ptr))
403 {
404- shared_srcw[2] = common->capture_last_ptr;
405- shared_count = 3;
406- capture_last_found = TRUE;
407+ shared_srcw[shared_count] = common->capture_last_ptr;
408+ shared_count++;
409 }
410
411- private_count = 2;
412 private_srcw[0] = PRIVATE_DATA(cc);
413- private_srcw[1] = OVECTOR_PRIV(GET2(cc, 1 + LINK_SIZE));
414+ if (recurse_check_bit(common, private_srcw[0]))
415+ private_count = 1;
416+
417+ offset = OVECTOR_PRIV(offset);
418+ if (recurse_check_bit(common, offset))
419+ {
420+ private_srcw[private_count] = offset;
421+ private_count++;
422+ }
423 cc += 1 + LINK_SIZE + IMM2_SIZE;
424 break;
425
426@@ -2545,18 +2613,17 @@ while (cc < ccend)
427 alternative = cc + GET(cc, 1);
428 if (*alternative == OP_KETRMAX || *alternative == OP_KETRMIN)
429 {
430- private_count = 1;
431 private_srcw[0] = PRIVATE_DATA(cc);
432+ if (recurse_check_bit(common, private_srcw[0]))
433+ private_count = 1;
434 }
435 cc += 1 + LINK_SIZE;
436 break;
437
438 CASE_ITERATOR_PRIVATE_DATA_1
439- if (PRIVATE_DATA(cc))
440- {
441+ private_srcw[0] = PRIVATE_DATA(cc);
442+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
443 private_count = 1;
444- private_srcw[0] = PRIVATE_DATA(cc);
445- }
446 cc += 2;
447 #ifdef SUPPORT_UNICODE
448 if (common->utf && HAS_EXTRALEN(cc[-1])) cc += GET_EXTRALEN(cc[-1]);
449@@ -2564,11 +2631,12 @@ while (cc < ccend)
450 break;
451
452 CASE_ITERATOR_PRIVATE_DATA_2A
453- if (PRIVATE_DATA(cc))
454+ private_srcw[0] = PRIVATE_DATA(cc);
455+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
456 {
457 private_count = 2;
458- private_srcw[0] = PRIVATE_DATA(cc);
459- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw);
460+ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
461+ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
462 }
463 cc += 2;
464 #ifdef SUPPORT_UNICODE
465@@ -2577,11 +2645,12 @@ while (cc < ccend)
466 break;
467
468 CASE_ITERATOR_PRIVATE_DATA_2B
469- if (PRIVATE_DATA(cc))
470+ private_srcw[0] = PRIVATE_DATA(cc);
471+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
472 {
473 private_count = 2;
474- private_srcw[0] = PRIVATE_DATA(cc);
475- private_srcw[1] = PRIVATE_DATA(cc) + sizeof(sljit_sw);
476+ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
477+ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
478 }
479 cc += 2 + IMM2_SIZE;
480 #ifdef SUPPORT_UNICODE
481@@ -2590,30 +2659,30 @@ while (cc < ccend)
482 break;
483
484 CASE_ITERATOR_TYPE_PRIVATE_DATA_1
485- if (PRIVATE_DATA(cc))
486- {
487+ private_srcw[0] = PRIVATE_DATA(cc);
488+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
489 private_count = 1;
490- private_srcw[0] = PRIVATE_DATA(cc);
491- }
492 cc += 1;
493 break;
494
495 CASE_ITERATOR_TYPE_PRIVATE_DATA_2A
496- if (PRIVATE_DATA(cc))
497+ private_srcw[0] = PRIVATE_DATA(cc);
498+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
499 {
500 private_count = 2;
501- private_srcw[0] = PRIVATE_DATA(cc);
502 private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
503+ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
504 }
505 cc += 1;
506 break;
507
508 CASE_ITERATOR_TYPE_PRIVATE_DATA_2B
509- if (PRIVATE_DATA(cc))
510+ private_srcw[0] = PRIVATE_DATA(cc);
511+ if (private_srcw[0] != 0 && recurse_check_bit(common, private_srcw[0]))
512 {
513 private_count = 2;
514- private_srcw[0] = PRIVATE_DATA(cc);
515 private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
516+ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
517 }
518 cc += 1 + IMM2_SIZE;
519 break;
520@@ -2630,14 +2699,17 @@ while (cc < ccend)
521 switch(get_class_iterator_size(cc + i))
522 {
523 case 1:
524- private_count = 1;
525 private_srcw[0] = PRIVATE_DATA(cc);
526 break;
527
528 case 2:
529- private_count = 2;
530 private_srcw[0] = PRIVATE_DATA(cc);
531- private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
532+ if (recurse_check_bit(common, private_srcw[0]))
533+ {
534+ private_count = 2;
535+ private_srcw[1] = private_srcw[0] + sizeof(sljit_sw);
536+ SLJIT_ASSERT(recurse_check_bit(common, private_srcw[1]));
537+ }
538 break;
539
540 default:
541@@ -2652,28 +2724,25 @@ while (cc < ccend)
542 case OP_PRUNE_ARG:
543 case OP_THEN_ARG:
544 SLJIT_ASSERT(common->mark_ptr != 0);
545- if (has_quit && !setmark_found)
546+ if (has_quit && recurse_check_bit(common, common->mark_ptr))
547 {
548 kept_shared_srcw[0] = common->mark_ptr;
549 kept_shared_count = 1;
550- setmark_found = TRUE;
551 }
552- if (common->control_head_ptr != 0 && !control_head_found)
553+ if (common->control_head_ptr != 0 && recurse_check_bit(common, common->control_head_ptr))
554 {
555 shared_srcw[0] = common->control_head_ptr;
556 shared_count = 1;
557- control_head_found = TRUE;
558 }
559 cc += 1 + 2 + cc[1];
560 break;
561
562 case OP_THEN:
563 SLJIT_ASSERT(common->control_head_ptr != 0);
564- if (!control_head_found)
565+ if (recurse_check_bit(common, common->control_head_ptr))
566 {
567 shared_srcw[0] = common->control_head_ptr;
568 shared_count = 1;
569- control_head_found = TRUE;
570 }
571 cc++;
572 break;
573@@ -2681,7 +2750,7 @@ while (cc < ccend)
574 default:
575 cc = next_opcode(common, cc);
576 SLJIT_ASSERT(cc != NULL);
577- break;
578+ continue;
579 }
580
581 if (type != recurse_copy_shared_to_global && type != recurse_copy_kept_shared_to_global)
582@@ -13262,7 +13331,7 @@ SLJIT_ASSERT(!(common->req_char_ptr != 0 && common->start_used_ptr != 0));
583 common->cbra_ptr = OVECTOR_START + (re->top_bracket + 1) * 2 * sizeof(sljit_sw);
584
585 total_length = ccend - common->start;
586-common->private_data_ptrs = (sljit_s32 *)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data);
587+common->private_data_ptrs = (sljit_s32*)SLJIT_MALLOC(total_length * (sizeof(sljit_s32) + (common->has_then ? 1 : 0)), allocator_data);
588 if (!common->private_data_ptrs)
589 {
590 SLJIT_FREE(common->optimized_cbracket, allocator_data);
591@@ -13304,6 +13373,7 @@ if (!compiler)
592 common->compiler = compiler;
593
594 /* Main pcre_jit_exec entry. */
595+LJIT_ASSERT((private_data_size & (sizeof(sljit_sw) - 1)) == 0);
596 sljit_emit_enter(compiler, 0, SLJIT_ARG1(SW), 5, 5, 0, 0, private_data_size);
597
598 /* Register init. */
599@@ -13524,20 +13594,40 @@ common->fast_fail_end_ptr = 0;
600 common->currententry = common->entries;
601 common->local_quit_available = TRUE;
602 quit_label = common->quit_label;
603-while (common->currententry != NULL)
604+if (common->currententry != NULL)
605 {
606- /* Might add new entries. */
607- compile_recurse(common);
608- if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler)))
609+ /* A free bit for each private data. */
610+ common->recurse_bitset_size = ((private_data_size / (int)sizeof(sljit_sw)) + 7) >> 3;
611+ SLJIT_ASSERT(common->recurse_bitset_size > 0);
612+ common->recurse_bitset = (sljit_u8*)SLJIT_MALLOC(common->recurse_bitset_size, allocator_data);;
613+
614+ if (common->recurse_bitset != NULL)
615+ {
616+ do
617+ {
618+ /* Might add new entries. */
619+ compile_recurse(common);
620+ if (SLJIT_UNLIKELY(sljit_get_compiler_error(compiler)))
621+ break;
622+ flush_stubs(common);
623+ common->currententry = common->currententry->next;
624+ }
625+ while (common->currententry != NULL);
626+
627+ SLJIT_FREE(common->recurse_bitset, allocator_data);
628+ }
629+
630+ if (common->currententry != NULL)
631 {
632+ /* The common->recurse_bitset has been freed. */
633+ SLJIT_ASSERT(sljit_get_compiler_error(compiler) || common->recurse_bitset == NULL);
634+
635 sljit_free_compiler(compiler);
636 SLJIT_FREE(common->optimized_cbracket, allocator_data);
637 SLJIT_FREE(common->private_data_ptrs, allocator_data);
638 PRIV(jit_free_rodata)(common->read_only_data_head, allocator_data);
639 return PCRE2_ERROR_NOMEMORY;
640 }
641- flush_stubs(common);
642- common->currententry = common->currententry->next;
643 }
644 common->local_quit_available = FALSE;
645 common->quit_label = quit_label;
646diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
647index 9df87fd..2f84834 100644
648--- a/src/pcre2_jit_test.c
649+++ b/src/pcre2_jit_test.c
650@@ -746,6 +746,7 @@ static struct regression_test_case regression_test_cases[] = {
651 { MU, A, 0, 0, "((?(R)a|(?1)){1,3}?)M", "aaaM" },
652 { MU, A, 0, 0, "((.)(?:.|\\2(?1))){0}#(?1)#", "#aabbccdde# #aabbccddee#" },
653 { MU, A, 0, 0, "((.)(?:\\2|\\2{4}b)){0}#(?:(?1))+#", "#aaaab# #aaaaab#" },
654+ { MU, A, 0, 0 | F_NOMATCH, "(?1)$((.|\\2xx){1,2})", "abc" },
655
656 /* 16 bit specific tests. */
657 { CM, A, 0, 0 | F_FORCECONV, "\xc3\xa1", "\xc3\x81\xc3\xa1" },
658--
6592.25.1
660
diff --git a/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
new file mode 100644
index 0000000000..882277ae73
--- /dev/null
+++ b/meta/recipes-support/libpcre/libpcre2/CVE-2022-41409.patch
@@ -0,0 +1,74 @@
1From 94e1c001761373b7d9450768aa15d04c25547a35 Mon Sep 17 00:00:00 2001
2From: Philip Hazel <Philip.Hazel@gmail.com>
3Date: Tue, 16 Aug 2022 17:00:45 +0100
4Subject: [PATCH] Diagnose negative repeat value in pcre2test subject line
5
6CVE: CVE-2022-41409
7Upstream-Status: Backport [https://github.com/PCRE2Project/pcre2/commit/94e1c001761373b7d9450768aa15d04c25547a35]
8
9Signed-off-by: Peter Marko <peter.marko@siemens.com>
10
11---
12 ChangeLog | 3 +++
13 src/pcre2test.c | 4 ++--
14 testdata/testinput2 | 3 +++
15 testdata/testoutput2 | 4 ++++
16 4 files changed, 12 insertions(+), 2 deletions(-)
17
18diff --git a/ChangeLog b/ChangeLog
19index eab50eb7..276eb57a 100644
20--- a/ChangeLog
21+++ b/ChangeLog
22@@ -7,6 +7,9 @@ fully read in caseless matching.
23 24. Fixed an issue affecting recursions in JIT caused by duplicated data
24 transfers.
25
26+20. A negative repeat value in a pcre2test subject line was not being
27+diagnosed, leading to infinite looping.
28+
29
30 Version 10.34 21-November-2019
31 ------------------------------
32diff --git a/src/pcre2test.c b/src/pcre2test.c
33index 08f86096..f6f5d66c 100644
34--- a/src/pcre2test.c
35+++ b/src/pcre2test.c
36@@ -6700,9 +6700,9 @@ while ((c = *p++) != 0)
37 }
38
39 i = (int32_t)li;
40- if (i-- == 0)
41+ if (i-- <= 0)
42 {
43- fprintf(outfile, "** Zero repeat not allowed\n");
44+ fprintf(outfile, "** Zero or negative repeat not allowed\n");
45 return PR_OK;
46 }
47
48diff --git a/testdata/testinput2 b/testdata/testinput2
49index 655e519..14e00ed 100644
50--- a/testdata/testinput2
51+++ b/testdata/testinput2
52@@ -5772,4 +5772,7 @@ a)"xI
53 /(a)?a/I
54 manm
55
56+--
57+ \[X]{-10}
58+
59 # End of testinput2
60diff --git a/testdata/testoutput2 b/testdata/testoutput2
61index c733c12..958f246 100644
62--- a/testdata/testoutput2
63+++ b/testdata/testoutput2
64@@ -17435,6 +17435,10 @@ Subject length lower bound = 1
65 manm
66 0: a
67
68+--
69+ \[X]{-10}
70+** Zero or negative repeat not allowed
71+
72 # End of testinput2
73 Error -70: PCRE2_ERROR_BADDATA (unknown error number)
74 Error -62: bad serialized data
diff --git a/meta/recipes-support/libpcre/libpcre2_10.34.bb b/meta/recipes-support/libpcre/libpcre2_10.34.bb
index fa8655e027..53277270d2 100644
--- a/meta/recipes-support/libpcre/libpcre2_10.34.bb
+++ b/meta/recipes-support/libpcre/libpcre2_10.34.bb
@@ -10,8 +10,12 @@ SECTION = "devel"
10LICENSE = "BSD-3-Clause" 10LICENSE = "BSD-3-Clause"
11LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37" 11LIC_FILES_CHKSUM = "file://LICENCE;md5=b1588d3bb4cb0e1f5a597d908f8c5b37"
12 12
13SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre2-${PV}.tar.bz2 \ 13SRC_URI = "http://downloads.yoctoproject.org/mirror/sources/pcre2-${PV}.tar.bz2 \
14 file://pcre-cross.patch \ 14 file://pcre-cross.patch \
15 file://CVE-2022-1586.patch \
16 file://CVE-2022-1586-regression.patch \
17 file://CVE-2022-1587.patch \
18 file://CVE-2022-41409.patch \
15" 19"
16 20
17SRC_URI[md5sum] = "d280b62ded13f9ccf2fac16ee5286366" 21SRC_URI[md5sum] = "d280b62ded13f9ccf2fac16ee5286366"
diff --git a/meta/recipes-support/libpcre/libpcre_8.44.bb b/meta/recipes-support/libpcre/libpcre_8.44.bb
index e5471e81da..3267c5ad72 100644
--- a/meta/recipes-support/libpcre/libpcre_8.44.bb
+++ b/meta/recipes-support/libpcre/libpcre_8.44.bb
@@ -7,8 +7,7 @@ HOMEPAGE = "http://www.pcre.org"
7SECTION = "devel" 7SECTION = "devel"
8LICENSE = "BSD-3-Clause" 8LICENSE = "BSD-3-Clause"
9LIC_FILES_CHKSUM = "file://LICENCE;md5=3bb381a66a5385b246d4877922e7511e" 9LIC_FILES_CHKSUM = "file://LICENCE;md5=3bb381a66a5385b246d4877922e7511e"
10SRC_URI = "https://ftp.pcre.org/pub/pcre/pcre-${PV}.tar.bz2 \ 10SRC_URI = "${SOURCEFORGE_MIRROR}/pcre/pcre-${PV}.tar.bz2 \
11 file://fix-pcre-name-collision.patch \
12 file://run-ptest \ 11 file://run-ptest \
13 file://Makefile \ 12 file://Makefile \
14 " 13 "
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-04-27 06:31:12 +0000