fix RE vulnerabilities (CVE-2007-(4770|4771)), patch from redhat

via Gentoo bug #208001,
bump PKGREVISION

8 files changed, 322 insertions, 3 deletions

diff --git a/textproc/icu/Makefile b/textproc/icu/Makefile
index 0c8d83341d3..11ed8c22020 100644
--- a/textproc/icu/Makefile
+++ b/textproc/icu/Makefile
@@ -1,9 +1,9 @@
-# $NetBSD: Makefile,v 1.53 2007/03/31 15:36:57 obache Exp $
+# $NetBSD: Makefile,v 1.54 2008/03/20 17:07:54 drochner Exp $
 #
 
 DISTNAME=	icu4c-3_6-src
 PKGNAME=	icu-3.6
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	textproc
 MASTER_SITES=	ftp://ftp.software.ibm.com/software/globalization/icu/${PKGVERSION}/
 EXTRACT_SUFX=	.tgz
diff --git a/textproc/icu/distinfo b/textproc/icu/distinfo
index c71265cbe98..e771c1a2bfe 100644
--- a/textproc/icu/distinfo
+++ b/textproc/icu/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.14 2007/03/23 12:51:13 recht Exp $
+$NetBSD: distinfo,v 1.15 2008/03/20 17:07:54 drochner Exp $
 
 SHA1 (icu4c-3_6-src.tgz) = b580c2802e74eb6af7e5e19b05c7d7c5d8c623f9
 RMD160 (icu4c-3_6-src.tgz) = b227ac9ff6019362bc4d01c18433869b0e0ff1c2
@@ -7,3 +7,9 @@ SHA1 (patch-aa) = b7299b3aac54410cb686980788dd0b6b435ae069
 SHA1 (patch-ab) = 32d2aeb38ed84352751d0f3d8db5d8b433ef03e4
 SHA1 (patch-ae) = 69caf7c0c226a0b45158a9620f045e943f00b820
 SHA1 (patch-af) = df50984a17111a69c517b26f303866f2d384e857
+SHA1 (patch-ba) = d22f39715b85fe73654b644237d1956091fb26e8
+SHA1 (patch-bb) = 57683caee8c4bb2743332847f78566d5a3934e80
+SHA1 (patch-bc) = 9fd76fb53c7a464883fe5cc21ffbc5b5ac117711
+SHA1 (patch-bd) = 197017d9fb0a6a542e567cfae4512bc38a25ff79
+SHA1 (patch-be) = 9cb76ab05393b8d698c2b77b58b3db6c7b0b199c
+SHA1 (patch-bf) = d03b55651686aeab965747c400753c8b7b643d80
diff --git a/textproc/icu/patches/patch-ba b/textproc/icu/patches/patch-ba
new file mode 100644
index 00000000000..064e925508a
--- /dev/null
+++ b/textproc/icu/patches/patch-ba
@@ -0,0 +1,89 @@
+$NetBSD: patch-ba,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- common/uvectr32.cpp.orig	2003-08-27 03:01:30.000000000 +0200
++++ common/uvectr32.cpp
+@@ -1,6 +1,6 @@
+ /*
+ ******************************************************************************
+-* Copyright (C) 1999-2003, International Business Machines Corporation and   *
++* Copyright (C) 1999-2008, International Business Machines Corporation and   *
+ * others. All Rights Reserved.                                               *
+ ******************************************************************************
+ *   Date        Name        Description
+@@ -26,6 +26,7 @@ UOBJECT_DEFINE_RTTI_IMPLEMENTATION(UVect
+ UVector32::UVector32(UErrorCode &status) :
+     count(0),
+     capacity(0),
++    maxCapacity(0),
+     elements(NULL)
+ {
+     _init(DEFUALT_CAPACITY, status);
+@@ -34,6 +35,7 @@ UVector32::UVector32(UErrorCode &status)
+ UVector32::UVector32(int32_t initialCapacity, UErrorCode &status) :
+     count(0),
+     capacity(0),
++    maxCapacity(0),
+     elements(0)
+ {
+     _init(initialCapacity, status);
+@@ -46,6 +48,9 @@ void UVector32::_init(int32_t initialCap
+     if (initialCapacity < 1) {
+         initialCapacity = DEFUALT_CAPACITY;
+     }
++    if (maxCapacity>0 && maxCapacity<initialCapacity) {
++        initialCapacity = maxCapacity;
++    }
+     elements = (int32_t *)uprv_malloc(sizeof(int32_t)*initialCapacity);
+     if (elements == 0) {
+         status = U_MEMORY_ALLOCATION_ERROR;
+@@ -189,21 +194,35 @@ int32_t UVector32::indexOf(int32_t key, 
+ UBool UVector32::expandCapacity(int32_t minimumCapacity, UErrorCode &status) {
+     if (capacity >= minimumCapacity) {
+         return TRUE;
+-    } else {
+-        int32_t newCap = capacity * 2;
+-        if (newCap < minimumCapacity) {
+-            newCap = minimumCapacity;
+-        }
+-        int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap);
+-        if (newElems == 0) {
+-            status = U_MEMORY_ALLOCATION_ERROR;
+-            return FALSE;
+-        }
+-        uprv_memcpy(newElems, elements, sizeof(elements[0]) * count);
+-        uprv_free(elements);
+-        elements = newElems;
+-        capacity = newCap;
+-        return TRUE;
++    }
++    if (maxCapacity>0 && minimumCapacity>maxCapacity) {
++        status = U_BUFFER_OVERFLOW_ERROR;
++        return FALSE;
++    }
++    int32_t newCap = capacity * 2;
++    if (newCap < minimumCapacity) {
++        newCap = minimumCapacity;
++    }
++    if (maxCapacity > 0 && newCap > maxCapacity) {
++        newCap = maxCapacity;
++    }
++    int32_t* newElems = (int32_t *)uprv_malloc(sizeof(int32_t)*newCap);
++    if (newElems == 0) {
++        status = U_MEMORY_ALLOCATION_ERROR;
++        return FALSE;
++    }
++    uprv_memcpy(newElems, elements, sizeof(elements[0]) * count);
++    uprv_free(elements);
++    elements = newElems;
++    capacity = newCap;
++    return TRUE;
++}
++
++void UVector32::setMaxCapacity(int32_t limit) {
++    U_ASSERT(limit >= 0);
++    maxCapacity = limit;
++    if (maxCapacity < 0) {
++        maxCapacity = 0;
+     }
+ }
+ 
diff --git a/textproc/icu/patches/patch-bb b/textproc/icu/patches/patch-bb
new file mode 100644
index 00000000000..6afdd72306c
--- /dev/null
+++ b/textproc/icu/patches/patch-bb
@@ -0,0 +1,47 @@
+$NetBSD: patch-bb,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- common/uvectr32.h.orig	2006-01-18 04:52:04.000000000 +0100
++++ common/uvectr32.h
+@@ -1,6 +1,6 @@
+ /*
+ **********************************************************************
+-*   Copyright (C) 1999-2006, International Business Machines
++*   Copyright (C) 1999-2008, International Business Machines
+ *   Corporation and others.  All Rights Reserved.
+ **********************************************************************
+ */
+@@ -61,6 +61,8 @@ private:
+     int32_t   count;
+ 
+     int32_t   capacity;
++    
++    int32_t   maxCapacity;   // Limit beyond which capacity is not permitted to grow.
+ 
+     int32_t*  elements;
+ 
+@@ -162,6 +164,14 @@ public:
+     int32_t *getBuffer() const;
+ 
+     /**
++     * Set the maximum allowed buffer capacity for this vector/stack.
++     * Default with no limit set is unlimited, go until malloc() fails.
++     * A Limit of zero means unlimited capacity.
++     * Units are vector elements (32 bits each), not bytes.
++     */
++    void setMaxCapacity(int32_t limit);
++
++    /**
+      * ICU "poor man's RTTI", returns a UClassID for this class.
+      */
+     static UClassID U_EXPORT2 getStaticClassID();
+@@ -221,7 +231,9 @@ inline void UVector32::addElement(int32_
+ }
+ 
+ inline int32_t *UVector32::reserveBlock(int32_t size, UErrorCode &status) {
+-    ensureCapacity(count+size, status);
++    if (ensureCapacity(count+size, status) == FALSE) {
++        return NULL;
++    }
+     int32_t  *rp = elements+count;
+     count += size;
+     return rp;
diff --git a/textproc/icu/patches/patch-bc b/textproc/icu/patches/patch-bc
new file mode 100644
index 00000000000..1798d18abcb
--- /dev/null
+++ b/textproc/icu/patches/patch-bc
@@ -0,0 +1,28 @@
+$NetBSD: patch-bc,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- i18n/regexcmp.cpp.orig	2006-02-02 05:37:14.000000000 +0100
++++ i18n/regexcmp.cpp
+@@ -1187,14 +1187,17 @@ UBool RegexCompile::doParseActions(EPars
+             // Because capture groups can be forward-referenced by back-references,
+             //  we fill the operand with the capture group number.  At the end
+             //  of compilation, it will be changed to the variable's location.
+-            U_ASSERT(groupNum > 0);
+-            int32_t  op;
+-            if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
+-                op = URX_BUILD(URX_BACKREF_I, groupNum);
++            if (groupNum < 1) { 
++                error(U_REGEX_INVALID_BACK_REF);
+             } else {
+-                op = URX_BUILD(URX_BACKREF, groupNum);
++                int32_t  op;
++                if (fModeFlags & UREGEX_CASE_INSENSITIVE) {
++                    op = URX_BUILD(URX_BACKREF_I, groupNum);
++                } else {
++                    op = URX_BUILD(URX_BACKREF, groupNum);
++                }
++                fRXPat->fCompiledPat->addElement(op, *fStatus);
+             }
+-            fRXPat->fCompiledPat->addElement(op, *fStatus);
+         }
+         break;
+ 
diff --git a/textproc/icu/patches/patch-bd b/textproc/icu/patches/patch-bd
new file mode 100644
index 00000000000..b4193efbf2a
--- /dev/null
+++ b/textproc/icu/patches/patch-bd
@@ -0,0 +1,81 @@
+$NetBSD: patch-bd,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- i18n/rematch.cpp.orig	2005-08-25 20:02:20.000000000 +0200
++++ i18n/rematch.cpp
+@@ -30,6 +30,15 @@
+ 
+ U_NAMESPACE_BEGIN
+ 
++// Limit the size of the back track stack, to avoid system failures caused
++//   by heap exhaustion.  Units are in 32 bit words, not bytes.
++// This value puts ICU's limits higher than most other regexp implementations,
++//  which use recursion rather than the heap, and take more storage per
++//  backtrack point.
++// This constant is _temporary_.  Proper API to control the value will added.
++//
++static const int32_t BACKTRACK_STACK_CAPACITY = 8000000;
++
+ //-----------------------------------------------------------------------------
+ //
+ //   Constructor and Destructor
+@@ -53,6 +62,8 @@ RegexMatcher::RegexMatcher(const RegexPa
+     }
+     if (fStack == NULL || fData == NULL) {
+         fDeferredStatus = U_MEMORY_ALLOCATION_ERROR;
++    } else {
++        fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+     }
+         
+     reset(*RegexStaticSets::gStaticSets->fEmptyString);
+@@ -78,6 +89,8 @@ RegexMatcher::RegexMatcher(const Unicode
+     }
+     if (fStack == NULL || fData == NULL) {
+         status = U_MEMORY_ALLOCATION_ERROR;
++    } else {
++        fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+     }
+     reset(input);
+ }
+@@ -102,6 +115,8 @@ RegexMatcher::RegexMatcher(const Unicode
+     }
+     if (fStack == NULL || fData == NULL) {
+         status = U_MEMORY_ALLOCATION_ERROR;
++    } else {
++        fStack->setMaxCapacity(BACKTRACK_STACK_CAPACITY);
+     }
+     reset(*RegexStaticSets::gStaticSets->fEmptyString);
+ }
+@@ -1015,6 +1030,14 @@ UBool RegexMatcher::isUWordBoundary(int3
+ inline REStackFrame *RegexMatcher::StateSave(REStackFrame *fp, int32_t savePatIdx, int32_t frameSize, UErrorCode &status) {
+     // push storage for a new frame. 
+     int32_t *newFP = fStack->reserveBlock(frameSize, status);
++    if (newFP == NULL) {
++        // Heap allocation error on attempted stack expansion.
++        // We need to return a writable stack frame, so just return the
++        //    previous frame.  The match operation will stop quickly
++        //    becuase of the error status, after which the frame will never
++        //    be looked at again.
++        return fp;
++    }
+     fp = (REStackFrame *)(newFP - frameSize);  // in case of realloc of stack.
+     
+     // New stack frame = copy of old top frame.
+@@ -1030,8 +1053,8 @@ inline REStackFrame *RegexMatcher::State
+     fp->fPatIdx = savePatIdx;
+     return (REStackFrame *)newFP;
+ }
+-    
+-            
++
++
+ //--------------------------------------------------------------------------------
+ //
+ //   MatchAt      This is the actual matching engine.
+@@ -2262,6 +2285,7 @@ GC_Done:
+         }
+ 
+         if (U_FAILURE(status)) {
++            isMatch = FALSE;
+             break;
+         }
+     }
diff --git a/textproc/icu/patches/patch-be b/textproc/icu/patches/patch-be
new file mode 100644
index 00000000000..08d698736f4
--- /dev/null
+++ b/textproc/icu/patches/patch-be
@@ -0,0 +1,56 @@
+$NetBSD: patch-be,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- test/intltest/regextst.cpp.orig	2005-07-05 20:39:00.000000000 +0200
++++ test/intltest/regextst.cpp
+@@ -66,6 +66,10 @@ void RegexTest::runIndexedTest( int32_t 
+         case 6: name = "PerlTests";
+             if (exec) PerlTests();
+             break;
++        case 7: name = "Bug 6149";
++            if (exec) Bug6149();
++            break;
++            
+ 
+ 
+         default: name = "";
+@@ -1637,6 +1641,13 @@ void RegexTest::Errors() {
+     // UnicodeSet containing a string
+     REGEX_ERR("abc[{def}]xyz", 1, 10, U_REGEX_SET_CONTAINS_STRING);
+ 
++    
++    // Invalid Back Reference \0
++    //    For ICU 3.8 and earlier
++    //    For ICU versions newer than 3.8, \0 introduces an octal escape.
++    //
++    REGEX_ERR("(ab)\\0", 1, 6, U_REGEX_INVALID_BACK_REF);
++
+ }
+ 
+ 
+@@ -2119,6 +2130,26 @@ void RegexTest::PerlTests() {
+ }
+ 
+ 
++//--------------------------------------------------------------
++//
++//  Bug6149   Verify limits to heap expansion for backtrack stack.
++//             Use this pattern,
++//                 "(a?){1,}"
++//             The zero-length match will repeat forever.
++//                (That this goes into a loop is another bug)
++//
++//---------------------------------------------------------------
++void RegexTest::Bug6149() {
++    UnicodeString pattern("(a?){1,}");
++    UnicodeString s("xyz");
++    uint32_t flags = 0;
++    UErrorCode status = U_ZERO_ERROR;
++    
++    RegexMatcher  matcher(pattern, s, flags, status);
++    UBool result = false;
++    REGEX_ASSERT_FAIL(result=matcher.matches(status), U_BUFFER_OVERFLOW_ERROR);
++    REGEX_ASSERT(result == FALSE);
++ }
+ 
+ #endif  /* !UCONFIG_NO_REGULAR_EXPRESSIONS  */
+ 
diff --git a/textproc/icu/patches/patch-bf b/textproc/icu/patches/patch-bf
new file mode 100644
index 00000000000..5095edab159
--- /dev/null
+++ b/textproc/icu/patches/patch-bf
@@ -0,0 +1,12 @@
+$NetBSD: patch-bf,v 1.1 2008/03/20 17:07:54 drochner Exp $
+
+--- test/intltest/regextst.h.orig	2003-12-03 07:58:28.000000000 +0100
++++ test/intltest/regextst.h
+@@ -30,6 +30,7 @@ public:
+     virtual void Extended();
+     virtual void Errors();
+     virtual void PerlTests();
++    virtual void Bug6149();
+ 
+     // The following functions are internal to the regexp tests.
+     virtual UBool doRegexLMTest(const char *pat, const char *text, UBool looking, UBool match, int line);