libpcre2-10.23: Fix CVE-2017-8786 The pcre2test.c in PCRE2 10.23 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted regular expression. Upstream-Status: Backport [https://vcs.pcre.org/pcre2/code/trunk/src/pcre2test.c?r1=692&r2=697&view=patch] CVE: CVE-2017-8786 Signed-off-by: Robert Yang --- trunk/src/pcre2test.c 2017/03/21 16:18:54 692 +++ trunk/src/pcre2test.c 2017/03/21 18:36:13 697 @@ -1017,9 +1017,9 @@ if (test_mode == PCRE8_MODE) \ r = pcre2_get_error_message_8(a,G(b,8),G(G(b,8),_size)); \ else if (test_mode == PCRE16_MODE) \ - r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)); \ + r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)); \ else \ - r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size)) + r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4)) #define PCRE2_GET_OVECTOR_COUNT(a,b) \ if (test_mode == PCRE8_MODE) \ @@ -1399,6 +1399,9 @@ /* ----- Common macros for two-mode cases ----- */ +#define BYTEONE (BITONE/8) +#define BYTETWO (BITTWO/8) + #define CASTFLD(t,a,b) \ ((test_mode == G(G(PCRE,BITONE),_MODE))? (t)(G(a,BITONE)->b) : \ (t)(G(a,BITTWO)->b)) @@ -1481,9 +1484,9 @@ #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ if (test_mode == G(G(PCRE,BITONE),_MODE)) \ - r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size)); \ + r = G(pcre2_get_error_message_,BITONE)(a,G(b,BITONE),G(G(b,BITONE),_size/BYTEONE)); \ else \ - r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size)) + r = G(pcre2_get_error_message_,BITTWO)(a,G(b,BITTWO),G(G(b,BITTWO),_size/BYTETWO)) #define PCRE2_GET_OVECTOR_COUNT(a,b) \ if (test_mode == G(G(PCRE,BITONE),_MODE)) \ @@ -1904,7 +1907,7 @@ #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \ a = pcre2_dfa_match_16(G(b,16),(PCRE2_SPTR16)c,d,e,f,G(g,16),h,i,j) #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ - r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size)) + r = pcre2_get_error_message_16(a,G(b,16),G(G(b,16),_size/2)) #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_16(G(b,16)) #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_16(G(b,16)) #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_16(G(a,16),b) @@ -2000,7 +2003,7 @@ #define PCRE2_DFA_MATCH(a,b,c,d,e,f,g,h,i,j) \ a = pcre2_dfa_match_32(G(b,32),(PCRE2_SPTR32)c,d,e,f,G(g,32),h,i,j) #define PCRE2_GET_ERROR_MESSAGE(r,a,b) \ - r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size)) + r = pcre2_get_error_message_32(a,G(b,32),G(G(b,32),_size/4)) #define PCRE2_GET_OVECTOR_COUNT(a,b) a = pcre2_get_ovector_count_32(G(b,32)) #define PCRE2_GET_STARTCHAR(a,b) a = pcre2_get_startchar_32(G(b,32)) #define PCRE2_JIT_COMPILE(r,a,b) r = pcre2_jit_compile_32(G(a,32),b) @@ -2889,7 +2892,7 @@ { if (pbuffer32 != NULL) free(pbuffer32); pbuffer32_size = 4*len + 4; - if (pbuffer32_size < 256) pbuffer32_size = 256; + if (pbuffer32_size < 512) pbuffer32_size = 512; pbuffer32 = (uint32_t *)malloc(pbuffer32_size); if (pbuffer32 == NULL) { @@ -7600,7 +7603,8 @@ int errcode; char *endptr; -/* Ensure the relevant non-8-bit buffer is available. */ +/* Ensure the relevant non-8-bit buffer is available. Ensure that it is at +least 128 code units, because it is used for retrieving error messages. */ #ifdef SUPPORT_PCRE2_16 if (test_mode == PCRE16_MODE) @@ -7620,7 +7624,7 @@ #ifdef SUPPORT_PCRE2_32 if (test_mode == PCRE32_MODE) { - pbuffer32_size = 256; + pbuffer32_size = 512; pbuffer32 = (uint32_t *)malloc(pbuffer32_size); if (pbuffer32 == NULL) {