add patch for CVE-2014-7923 and CVE-2014-7926 found at

6242e2fbb3
2015-03-06 14:43:15 +00:00 · 2015-03-06 14:43:15 +00:00 · 35cd6d62be
commit 35cd6d62be
parent 8ad56a8573
3 changed files with 89 additions and 3 deletions
--- a/textproc/icu/Makefile
+++ b/textproc/icu/Makefile
@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.95 2014/10/07 16:47:14 adam Exp $
+# $NetBSD: Makefile,v 1.96 2015/03/06 14:43:15 spz Exp $

 DISTNAME=	icu4c-54_1-src
 PKGNAME=	${DISTNAME:S/4c//:S/-src//:S/_/./g}
-PKGREVISION=	1
+PKGREVISION=	2
 CATEGORIES=	textproc
 MASTER_SITES=	http://download.icu-project.org/files/icu4c/${PKGVERSION_NOREV}/
 EXTRACT_SUFX=	.tgz
--- a/textproc/icu/distinfo
+++ b/textproc/icu/distinfo
@ -1,8 +1,9 @@
-$NetBSD: distinfo,v 1.51 2014/10/26 19:46:48 bsiegert Exp $
+$NetBSD: distinfo,v 1.52 2015/03/06 14:43:15 spz Exp $

 SHA1 (icu4c-54_1-src.tgz) = 8c752490bbf31cea26e20246430cee67d48abe34
 RMD160 (icu4c-54_1-src.tgz) = b1440e1a3330b12336742c881863a8de6a6d2235
 Size (icu4c-54_1-src.tgz) = 25485678 bytes
+SHA1 (patch-CVE-2014-7923+7926) = cb5e355c6e5b4860c581a9743706b800d56dadf2
 SHA1 (patch-aa) = fd5c513e75ca17a46be4ed010455bda63731afff
 SHA1 (patch-ab) = 32f0e4c241535e37e4cad9b871ed3d36b4184199
 SHA1 (patch-ac) = e7cee161315321d2580074054d87714b55319886
--- a/textproc/icu/patches/patch-CVE-2014-7923+7926
+++ b/textproc/icu/patches/patch-CVE-2014-7923+7926
@ -0,0 +1,85 @@
+$NetBSD: patch-CVE-2014-7923+7926,v 1.1 2015/03/06 14:43:15 spz Exp $
+
+patches for CVE-2014-7923 and CVE-2014-7926 from
+https://chromium.googlesource.com/chromium/deps/icu52/+/6242e2fbb36f486f2c0addd1c3cef67fc4ed33fb
+
+--- i18n/regexcmp.cpp.orig	2014-10-03 16:10:36.000000000 +0000
+++ i18n/regexcmp.cpp
+@@ -2132,6 +2132,10 @@ void  RegexCompile::handleCloseParen() {
+             int32_t patEnd   = fRXPat->fCompiledPat->size() - 1;
+             int32_t minML    = minMatchLength(fMatchOpenParen, patEnd);
+             int32_t maxML    = maxMatchLength(fMatchOpenParen, patEnd);
+            if (URX_TYPE(maxML) != 0) {
+                error(U_REGEX_LOOK_BEHIND_LIMIT);
+                break;
+            }
+             if (maxML == INT32_MAX) {
+                 error(U_REGEX_LOOK_BEHIND_LIMIT);
+                 break;
+@@ -2165,6 +2169,10 @@ void  RegexCompile::handleCloseParen() {
+             int32_t patEnd   = fRXPat->fCompiledPat->size() - 1;
+             int32_t minML    = minMatchLength(fMatchOpenParen, patEnd);
+             int32_t maxML    = maxMatchLength(fMatchOpenParen, patEnd);
+            if (URX_TYPE(maxML) != 0) {
+                error(U_REGEX_LOOK_BEHIND_LIMIT);
+                break;
+            }
+             if (maxML == INT32_MAX) {
+                 error(U_REGEX_LOOK_BEHIND_LIMIT);
+                 break;
+@@ -2328,7 +2336,15 @@ UBool RegexCompile::compileInlineInterva
+     int32_t   topOfBlock = blockTopLoc(FALSE);
+     if (fIntervalUpper == 0) {
+         // Pathological case.  Attempt no matches, as if the block doesn't exist.
+        // Discard the generated code for the block.
+        // If the block included parens, discard the info pertaining to them as well.
+         fRXPat->fCompiledPat->setSize(topOfBlock);
+        if (fMatchOpenParen >= topOfBlock) {
+            fMatchOpenParen = -1;
+        }
+        if (fMatchCloseParen >= topOfBlock) {
+            fMatchCloseParen = -1;
+        }
+         return TRUE;
+     }
+ 
+--- i18n/regexcmp.h.orig	2014-10-03 16:10:36.000000000 +0000
+++ i18n/regexcmp.h
+@@ -187,7 +187,9 @@ private:
+     int32_t                       fMatchOpenParen;   // The position in the compiled pattern
+                                                      //   of the slot reserved for a state save
+                                                      //   at the start of the most recently processed
+-                                                     //   parenthesized block.
+                                                     //   parenthesized block. Updated when processing
+                                                     //   a close to the location for the corresponding open.
+
+     int32_t                       fMatchCloseParen;  // The position in the pattern of the first
+                                                      //   location after the most recently processed
+                                                      //   parenthesized block.
+--- test/testdata/regextst.txt.orig	2014-10-03 16:09:58.000000000 +0000
+++ test/testdata/regextst.txt
+@@ -1178,6 +1178,24 @@
+ "(?<=a{1,})bc"           E       "aaaa<0>bc</0>def"   # U_REGEX_LOOK_BEHIND_LIMIT error.
+ "(?<=(?:){11})bc"                "<0>bc</0>"          # Empty (?:) expression.
+ 
+# Bug 11369
+#   Incorrect optimization of patterns with a zero length quantifier {0}
+
+"(.|b)(|b){0}\$(?#xxx){3}(?>\D*)"   "AAAAABBBBBCCCCCDDDDEEEEE"
+"(|b)ab(c)"                     "<0><1></1>ab<2>c</2></0>"
+"(|b){0}a{3}(D*)"               "<0>aaa<2></2></0>"
+"(|b){0,1}a{3}(D*)"             "<0><1></1>aaa<2></2></0>"
+"((|b){0})a{3}(D*)"             "<0><1></1>aaa<3></3></0>"
+
+# Bug 11370
+#   Max match length computation of look-behind expression gives result that is too big to fit in the
+#   in the 24 bit operand portion of the compiled code. Expressions should fail to compile
+#   (Look-behind match length must be bounded. This case is treated as unbounded, an error.)
+
+"(?<!(0123456789a){10000000})x"         E  "no match"
+"(?<!\\ubeaf(\\ubeaf{11000}){11000})"   E  "no match"
+
+
+ # Bug 10835
+ #   Match Start Set not being correctly computed for case insensitive patterns.
+ #   (Test here is to dump the compiled pattern & manually check the start set.)