Compare commits

...

No commits in common. 'c9' and 'c9-beta' have entirely different histories.
c9 ... c9-beta

1
.gitignore vendored

@ -1 +1,2 @@
SOURCES/pcre-8.44.tar.bz2 SOURCES/pcre-8.44.tar.bz2
SOURCES/pcre-8.44.tar.bz2.sig

@ -1 +1,2 @@
8179b083053fce9b4a766513fa1f14807aabee42 SOURCES/pcre-8.44.tar.bz2 8179b083053fce9b4a766513fa1f14807aabee42 SOURCES/pcre-8.44.tar.bz2
b43d3d5bcd1d534c18134821d767c367d37ef929 SOURCES/pcre-8.44.tar.bz2.sig

@ -0,0 +1,39 @@
From bc21e89823bb3b1550e03489345864dfe1515e2c Mon Sep 17 00:00:00 2001
From: Lukas Javorsky <ljavorsk@redhat.com>
Date: Tue, 16 Apr 2024 10:13:35 +0000
Subject: [PATCH] Fix the possible array overrun when the OP_TABLE_LENGTH
When the *code pointer holds value of 162 (OP_TABLE_LENGTH) it could
possibly overrun the priv_OP_lengths[] array. By adding this condition
it's not being overrun and the 0 values is added instead. It would most
likely be 0 when overrun as the array is alligned to the lowest byte
with zeros
---
pcre_printint.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/pcre_printint.c b/pcre_printint.c
index 60dcb55..e1e419b 100644
--- a/pcre_printint.c
+++ b/pcre_printint.c
@@ -825,8 +825,14 @@ for(;;)
fprintf(f, " %s %s", flag, priv_OP_names[*code]);
break;
}
-
- code += priv_OP_lengths[*code] + extra;
+ if (*code >= OP_TABLE_LENGTH){
+ // Use 0 because it would most likely be 0 when the priv_OP_lengths is overrun.
+ // Allocator would have allign the size of this array
+ code += 0 + extra;
+ }
+ else {
+ code += priv_OP_lengths[*code] + extra;
+ }
fprintf(f, "\n");
}
}
--
2.44.0

@ -0,0 +1,44 @@
From 3f53de7ff720b40f547a2d55532a73b2b570ab40 Mon Sep 17 00:00:00 2001
From: Lukas Javorsky <ljavorsk@redhat.com>
Date: Tue, 16 Apr 2024 10:28:58 +0000
Subject: [PATCH] Fix UNINIT SAST report for the mark* values
These values are initialized if the re* values is true, thus we can add
it to the condition, so there is no possibility that the mark* values
are not initialized
---
pcre_jit_test.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pcre_jit_test.c b/pcre_jit_test.c
index 034cb52..e3e4a3e 100644
--- a/pcre_jit_test.c
+++ b/pcre_jit_test.c
@@ -1687,21 +1687,21 @@ static int regression_tests(void)
if (is_successful) {
#ifdef SUPPORT_PCRE8
- if (mark8_1 != mark8_2) {
+ if (re8 && (mark8_1 != mark8_2)) {
printf("8 bit: Mark value mismatch: [%d] '%s' @ '%s'\n",
total, current->pattern, current->input);
is_successful = 0;
}
#endif
#ifdef SUPPORT_PCRE16
- if (mark16_1 != mark16_2) {
+ if (re16 && (mark16_1 != mark16_2)) {
printf("16 bit: Mark value mismatch: [%d] '%s' @ '%s'\n",
total, current->pattern, current->input);
is_successful = 0;
}
#endif
#ifdef SUPPORT_PCRE32
- if (mark32_1 != mark32_2) {
+ if (re32 && (mark32_1 != mark32_2)) {
printf("32 bit: Mark value mismatch: [%d] '%s' @ '%s'\n",
total, current->pattern, current->input);
is_successful = 0;
--
2.44.0

Binary file not shown.

@ -2,7 +2,7 @@
#%%global rcversion RC1 #%%global rcversion RC1
Name: pcre Name: pcre
Version: 8.44 Version: 8.44
Release: %{?rcversion:0.}3%{?rcversion:.%rcversion}%{?dist}.3 Release: %{?rcversion:0.}4%{?rcversion:.%rcversion}%{?dist}
%global myversion %{version}%{?rcversion:-%rcversion} %global myversion %{version}%{?rcversion:-%rcversion}
Summary: Perl-compatible regular expression library Summary: Perl-compatible regular expression library
## Source package only: ## Source package only:
@ -49,6 +49,9 @@ Patch4: pcre-8.44-Inicialize-name-table-memory-region.patch
# <https://lists.exim.org/lurker/message/20201220.222016.d8cd6d61.en.html> # <https://lists.exim.org/lurker/message/20201220.222016.d8cd6d61.en.html>
Patch5: pcre-8.44-JIT-compiler-update-for-Intel-CET.patch Patch5: pcre-8.44-JIT-compiler-update-for-Intel-CET.patch
Patch6: pcre-8.44-Pass-mshstk-to-the-compiler-when-Intel-CET-is-enable.patch Patch6: pcre-8.44-Pass-mshstk-to-the-compiler-when-Intel-CET-is-enable.patch
# SAST reports RHEL-32488 and RHEL-32492 fixed
Patch7: 0001-Fix-the-possible-array-overrun-when-the-OP_TABLE_LEN.patch
Patch8: 0002-Fix-UNINIT-SAST-report-for-the-mark-values.patch
BuildRequires: readline-devel BuildRequires: readline-devel
BuildRequires: autoconf BuildRequires: autoconf
BuildRequires: automake BuildRequires: automake
@ -139,6 +142,8 @@ Utilities demonstrating PCRE capabilities like pcregrep or pcretest.
%patch4 -p1 %patch4 -p1
%patch5 -p1 %patch5 -p1
%patch6 -p1 %patch6 -p1
%patch7 -p1
%patch8 -p1
# Because of the multilib patch # Because of the multilib patch
libtoolize --copy --force libtoolize --copy --force
autoreconf -vif autoreconf -vif
@ -231,6 +236,9 @@ make %{?_smp_mflags} check VERBOSE=yes
%{_mandir}/man1/pcretest.* %{_mandir}/man1/pcretest.*
%changelog %changelog
* Wed Apr 17 2024 Lukas Javorsky <ljavorsk@redhat.com> - 8.44.3-4
- Fix the SAST reports described in RHEL-32492 and RHEL-32488
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 8.44-3.3 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 8.44-3.3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688 Related: rhbz#1991688

Loading…
Cancel
Save