From bb6370a20be07e6bd0c9f6e89a3cd9719dccbfd3 Mon Sep 17 00:00:00 2001
From: Michael Santos
Date: Wed, 10 Feb 2010 15:19:48 -0500
Subject: Fix CVE-2008-2371 (outer level option with alternatives caused crash).
The patch is from: http://vcs.pcre.org/viewvc?revision=360&view=revision
Test case: re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]).
An option change at the start of a pattern that had top-level alternatives could cause overwriting and/or a crash. This potential security problem was recorded as CVE-2008-2371.
---
 erts/emulator/pcre/pcre_compile.c | 21 +++++++++------------
 lib/stdlib/test/re_SUITE.erl | 10 ++++++++--
 2 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/erts/emulator/pcre/pcre_compile.c b/erts/emulator/pcre/pcre_compile.c
index 235617fc06..29743362d4 100644
--- a/erts/emulator/pcre/pcre_compile.c
+++ b/erts/emulator/pcre/pcre_compile.c
@@ -4820,10 +4820,8 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
 both phases.
 If we are not at the pattern start, compile code to change the ims
- options if this setting actually changes any of them. We also pass the
- new setting back so that it can be put at the start of any following
- branches, and when this group ends (if we are in a group), a resetting
- item can be compiled. */
+ options if this setting actually changes any of them, and reset the
+ greedy defaults and the case value for firstbyte and reqbyte. */
 if (*ptr == ')')
 {
@@ -4831,7 +4829,6 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
 (lengthptr == NULL || *lengthptr == 2 + 2*LINK_SIZE))
 {
 cd->external_options = newoptions;
- options = newoptions;
 }
 else
 {
@@ -4840,17 +4837,17 @@ we set the flag only if there is a literal "\r" or "\n" in the class. */
 *code++ = OP_OPT;
 *code++ = newoptions & PCRE_IMS;
 }
-
- /* Change options at this level, and pass them back for use
- in subsequent branches. Reset the greedy defaults and the case
- value for firstbyte and reqbyte. */
-
- *optionsptr = options = newoptions;
 greedy_default = ((newoptions & PCRE_UNGREEDY) != 0);
 greedy_non_default = greedy_default ^ 1;
- req_caseopt = ((options & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
+ req_caseopt = ((newoptions & PCRE_CASELESS) != 0)? REQ_CASELESS : 0;
 }
+ /* Change options at this level, and pass them back for use
+ in subsequent branches. When not at the start of the pattern, this
+ information is also necessary so that a resetting item can be
+ compiled at the end of a group (if we are in a group). */
+
+ *optionsptr = options = newoptions;
 previous = NULL; /* This item can't be repeated */
 continue; /* It is complete */
 }
diff --git a/lib/stdlib/test/re_SUITE.erl b/lib/stdlib/test/re_SUITE.erl
index fa50ba3b7a..02683f9f1a 100644
--- a/lib/stdlib/test/re_SUITE.erl
+++ b/lib/stdlib/test/re_SUITE.erl
@@ -18,12 +18,12 @@
 %%
 -module(re_SUITE).
--export([all/1, pcre/1,compile_options/1,run_options/1,combined_options/1,replace_autogen/1,global_capture/1,replace_input_types/1,replace_return/1,split_autogen/1,split_options/1,split_specials/1,error_handling/1]).
+-export([all/1, pcre/1,compile_options/1,run_options/1,combined_options/1,replace_autogen/1,global_capture/1,replace_input_types/1,replace_return/1,split_autogen/1,split_options/1,split_specials/1,error_handling/1,pcre_cve_2008_2371/1]).
 -include("test_server.hrl").
 -include_lib("kernel/include/file.hrl").
-all(suite) -> [pcre,compile_options,run_options,combined_options,replace_autogen,global_capture,replace_input_types,replace_return,split_autogen,split_options,split_specials,error_handling].
+all(suite) -> [pcre,compile_options,run_options,combined_options,replace_autogen,global_capture,replace_input_types,replace_return,split_autogen,split_options,split_specials,error_handling,pcre_cve_2008_2371].
 pcre(doc) ->
 ["Run all applicable tests from the PCRE testsuites."];
@@ -538,3 +538,9 @@ error_handling(Config) when is_list(Config) ->
 ?t:timetrap_cancel(Dog),
 ok.
+pcre_cve_2008_2371(doc) ->
+ "Fix as in http://vcs.pcre.org/viewvc?revision=360&view=revision";
+pcre_cve_2008_2371(Config) when is_list(Config) ->
+ %% Make sure it doesn't crash the emulator.
+ re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]),
+ ok.
--
cgit v1.2.3
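Review bot: The new test `pcre_cve_2008_2371/1` discards the return value of `re:compile/2`, so it passes whenever the emulator survives, including when compilation returns `{error, _}`. The commit message says the flaw could cause overwriting as well as a crash, so the test should at least pin the successful compile with `{ok, _} = re:compile(<<"(?i)[\xc3\xa9\xc3\xbd]|[\xc3\xa9\xc3\xbdA]">>, [unicode]),`. Checking a `re:run/2` result against that compiled pattern would also catch a regression that corrupts the pattern without killing the emulator. As a style point, the `doc` clause returns a bare string, whereas `pcre(doc)` in the same file returns a list containing the description string.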