42 lines
1.2 KiB
Diff
42 lines
1.2 KiB
Diff
From b4bf968ad52afe14e60a2dc8a95d3555c543353a Mon Sep 17 00:00:00 2001
|
|
From: "K.Kosako" <kosako@sofnec.co.jp>
|
|
Date: Thu, 18 May 2017 17:05:27 +0900
|
|
Subject: [PATCH] fix #55 : check too big code point value for single byte
|
|
value in next_state_val()
|
|
|
|
---
|
|
regparse.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
--- end of original header
|
|
|
|
CVE: CVE-2017-9226
|
|
|
|
Add check for octal number bigger than 255.
|
|
|
|
Upstream-Status: Pending
|
|
Signed-off-by: Joe Slater <joe.slater@windriver.com>
|
|
|
|
|
|
--- ruby-2.4.1.orig/regparse.c
|
|
+++ ruby-2.4.1/regparse.c
|
|
@@ -3644,7 +3644,7 @@ fetch_token(OnigToken* tok, UChar** src,
|
|
if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
|
|
prev = p;
|
|
num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
|
|
- if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
|
|
+ if (num < 0 || 0xff < num) return ONIGERR_TOO_BIG_NUMBER;
|
|
if (p == prev) { /* can't read nothing. */
|
|
num = 0; /* but, it's not error */
|
|
}
|
|
@@ -4450,6 +4450,9 @@ next_state_val(CClassNode* cc, CClassNod
|
|
switch (*state) {
|
|
case CCS_VALUE:
|
|
if (*type == CCV_SB) {
|
|
+ if (*vs > 0xff)
|
|
+ return ONIGERR_INVALID_CODE_POINT_VALUE;
|
|
+
|
|
BITSET_SET_BIT_CHKDUP(cc->bs, (int )(*vs));
|
|
if (IS_NOT_NULL(asc_cc))
|
|
BITSET_SET_BIT(asc_cc->bs, (int )(*vs));
|