diff options
Diffstat (limited to 'textproc/icu/patches/patch-CVE-2014-7923+7926')
-rw-r--r-- | textproc/icu/patches/patch-CVE-2014-7923+7926 | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/textproc/icu/patches/patch-CVE-2014-7923+7926 b/textproc/icu/patches/patch-CVE-2014-7923+7926 new file mode 100644 index 00000000000..91c1922e94d --- /dev/null +++ b/textproc/icu/patches/patch-CVE-2014-7923+7926 @@ -0,0 +1,85 @@ +$NetBSD: patch-CVE-2014-7923+7926,v 1.1.2.2 2015/03/09 19:31:21 tron Exp $ + +patches for CVE-2014-7923 and CVE-2014-7926 from +https://chromium.googlesource.com/chromium/deps/icu52/+/6242e2fbb36f486f2c0addd1c3cef67fc4ed33fb + +--- i18n/regexcmp.cpp.orig 2014-10-03 16:10:36.000000000 +0000 ++++ i18n/regexcmp.cpp +@@ -2132,6 +2132,10 @@ void RegexCompile::handleCloseParen() { + int32_t patEnd = fRXPat->fCompiledPat->size() - 1; + int32_t minML = minMatchLength(fMatchOpenParen, patEnd); + int32_t maxML = maxMatchLength(fMatchOpenParen, patEnd); ++ if (URX_TYPE(maxML) != 0) { ++ error(U_REGEX_LOOK_BEHIND_LIMIT); ++ break; ++ } + if (maxML == INT32_MAX) { + error(U_REGEX_LOOK_BEHIND_LIMIT); + break; +@@ -2165,6 +2169,10 @@ void RegexCompile::handleCloseParen() { + int32_t patEnd = fRXPat->fCompiledPat->size() - 1; + int32_t minML = minMatchLength(fMatchOpenParen, patEnd); + int32_t maxML = maxMatchLength(fMatchOpenParen, patEnd); ++ if (URX_TYPE(maxML) != 0) { ++ error(U_REGEX_LOOK_BEHIND_LIMIT); ++ break; ++ } + if (maxML == INT32_MAX) { + error(U_REGEX_LOOK_BEHIND_LIMIT); + break; +@@ -2328,7 +2336,15 @@ UBool RegexCompile::compileInlineInterva + int32_t topOfBlock = blockTopLoc(FALSE); + if (fIntervalUpper == 0) { + // Pathological case. Attempt no matches, as if the block doesn't exist. ++ // Discard the generated code for the block. ++ // If the block included parens, discard the info pertaining to them as well. + fRXPat->fCompiledPat->setSize(topOfBlock); ++ if (fMatchOpenParen >= topOfBlock) { ++ fMatchOpenParen = -1; ++ } ++ if (fMatchCloseParen >= topOfBlock) { ++ fMatchCloseParen = -1; ++ } + return TRUE; + } + +--- i18n/regexcmp.h.orig 2014-10-03 16:10:36.000000000 +0000 ++++ i18n/regexcmp.h +@@ -187,7 +187,9 @@ private: + int32_t fMatchOpenParen; // The position in the compiled pattern + // of the slot reserved for a state save + // at the start of the most recently processed +- // parenthesized block. ++ // parenthesized block. Updated when processing ++ // a close to the location for the corresponding open. ++ + int32_t fMatchCloseParen; // The position in the pattern of the first + // location after the most recently processed + // parenthesized block. +--- test/testdata/regextst.txt.orig 2014-10-03 16:09:58.000000000 +0000 ++++ test/testdata/regextst.txt +@@ -1178,6 +1178,24 @@ + "(?<=a{1,})bc" E "aaaa<0>bc</0>def" # U_REGEX_LOOK_BEHIND_LIMIT error. + "(?<=(?:){11})bc" "<0>bc</0>" # Empty (?:) expression. + ++# Bug 11369 ++# Incorrect optimization of patterns with a zero length quantifier {0} ++ ++"(.|b)(|b){0}\$(?#xxx){3}(?>\D*)" "AAAAABBBBBCCCCCDDDDEEEEE" ++"(|b)ab(c)" "<0><1></1>ab<2>c</2></0>" ++"(|b){0}a{3}(D*)" "<0>aaa<2></2></0>" ++"(|b){0,1}a{3}(D*)" "<0><1></1>aaa<2></2></0>" ++"((|b){0})a{3}(D*)" "<0><1></1>aaa<3></3></0>" ++ ++# Bug 11370 ++# Max match length computation of look-behind expression gives result that is too big to fit in the ++# in the 24 bit operand portion of the compiled code. Expressions should fail to compile ++# (Look-behind match length must be bounded. This case is treated as unbounded, an error.) ++ ++"(?<!(0123456789a){10000000})x" E "no match" ++"(?<!\\ubeaf(\\ubeaf{11000}){11000})" E "no match" ++ ++ + # Bug 10835 + # Match Start Set not being correctly computed for case insensitive patterns. + # (Test here is to dump the compiled pattern & manually check the start set.) |