Revision: 517
http://www.exim.org/viewvc/pcre2?view=rev&revision=517
Author: ph10
Date: 2016-05-24 17:37:13 +0100 (Tue, 24 May 2016)
Log Message:
-----------
Add a bit more sanity checking to pcre2_serialize_decode(), and document.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/doc/pcre2serialize.3
code/trunk/src/pcre2.h
code/trunk/src/pcre2.h.in
code/trunk/src/pcre2_error.c
code/trunk/src/pcre2_serialize.c
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2016-05-21 13:41:24 UTC (rev 516)
+++ code/trunk/ChangeLog 2016-05-24 16:37:13 UTC (rev 517)
@@ -113,7 +113,10 @@
27. Minor code refactor to avoid "left shift of negative number" warning.
+28. Add a bit more sanity checking to pcre2_serialize_decode() and document
+that it expects trusted data.
+
Version 10.21 12-January-2016
-----------------------------
Modified: code/trunk/doc/pcre2serialize.3
===================================================================
--- code/trunk/doc/pcre2serialize.3 2016-05-21 13:41:24 UTC (rev 516)
+++ code/trunk/doc/pcre2serialize.3 2016-05-24 16:37:13 UTC (rev 517)
@@ -1,4 +1,4 @@
-.TH PCRE2SERIALIZE 3 "03 November 2015" "PCRE2 10.21"
+.TH PCRE2SERIALIZE 3 "24 May 2016" "PCRE2 10.22"
.SH NAME
PCRE2 - Perl-compatible regular expressions (revised API)
.SH "SAVING AND RE-USING PRECOMPILED PCRE2 PATTERNS"
@@ -30,6 +30,16 @@
reloaded using the 8-bit library.
.
.
+.SH "SECURITY CONCERNS"
+.rs
+.sp
+The facility for saving and restoring compiled patterns is intended for use
+within individual applications. As such, the data supplied to
+\fBpcre2_serialize_decode()\fP is expected to be trusted data, not data from
+arbitrary external sources. There is only some simple consistency checking, not
+complete validation of what is being re-loaded.
+.
+.
.SH "SAVING COMPILED PATTERNS"
.rs
.sp
@@ -129,11 +139,12 @@
function is the number of decoded patterns, or one of the following negative
error codes:
.sp
- PCRE2_ERROR_BADDATA second argument is zero or less
- PCRE2_ERROR_BADMAGIC mismatch of id bytes in the data
- PCRE2_ERROR_BADMODE mismatch of variable unit size or PCRE2 version
- PCRE2_ERROR_MEMORY memory allocation failed
- PCRE2_ERROR_NULL first or third argument is NULL
+ PCRE2_ERROR_BADDATA second argument is zero or less
+ PCRE2_ERROR_BADMAGIC mismatch of id bytes in the data
+ PCRE2_ERROR_BADMODE mismatch of code unit size or PCRE2 version
+ PCRE2_ERROR_BADSERIALIZEDDATA other sanity check failure
+ PCRE2_ERROR_MEMORY memory allocation failed
+ PCRE2_ERROR_NULL first or third argument is NULL
.sp
PCRE2_ERROR_BADMAGIC may mean that the data is corrupt, or that it was compiled
on a system with different endianness.
@@ -170,6 +181,6 @@
.rs
.sp
.nf
-Last updated: 03 November 2015
-Copyright (c) 1997-2015 University of Cambridge.
+Last updated: 24 May 2016
+Copyright (c) 1997-2016 University of Cambridge.
.fi
Modified: code/trunk/src/pcre2.h
===================================================================
--- code/trunk/src/pcre2.h 2016-05-21 13:41:24 UTC (rev 516)
+++ code/trunk/src/pcre2.h 2016-05-24 16:37:13 UTC (rev 517)
@@ -245,6 +245,7 @@
#define PCRE2_ERROR_BADSUBSTITUTION (-59)
#define PCRE2_ERROR_BADSUBSPATTERN (-60)
#define PCRE2_ERROR_TOOMANYREPLACE (-61)
+#define PCRE2_ERROR_BADSERIALIZEDDATA (-62)
/* Request types for pcre2_pattern_info() */
Modified: code/trunk/src/pcre2.h.in
===================================================================
--- code/trunk/src/pcre2.h.in 2016-05-21 13:41:24 UTC (rev 516)
+++ code/trunk/src/pcre2.h.in 2016-05-24 16:37:13 UTC (rev 517)
@@ -245,6 +245,7 @@
#define PCRE2_ERROR_BADSUBSTITUTION (-59)
#define PCRE2_ERROR_BADSUBSPATTERN (-60)
#define PCRE2_ERROR_TOOMANYREPLACE (-61)
+#define PCRE2_ERROR_BADSERIALIZEDDATA (-62)
/* Request types for pcre2_pattern_info() */
Modified: code/trunk/src/pcre2_error.c
===================================================================
--- code/trunk/src/pcre2_error.c 2016-05-21 13:41:24 UTC (rev 516)
+++ code/trunk/src/pcre2_error.c 2016-05-24 16:37:13 UTC (rev 517)
@@ -252,6 +252,7 @@
/* 60 */
"match with end before start is not supported\0"
"too many replacements (more than INT_MAX)\0"
+ "bad serialized data\0"
;
Modified: code/trunk/src/pcre2_serialize.c
===================================================================
--- code/trunk/src/pcre2_serialize.c 2016-05-21 13:41:24 UTC (rev 516)
+++ code/trunk/src/pcre2_serialize.c 2016-05-24 16:37:13 UTC (rev 517)
@@ -158,6 +158,7 @@
if (data == NULL || codes == NULL) return PCRE2_ERROR_NULL;
if (number_of_codes <= 0) return PCRE2_ERROR_BADDATA;
+if (data->number_of_codes <= 0) return PCRE2_ERROR_BADSERIALIZEDDATA;
if (data->magic != SERIALIZED_DATA_MAGIC) return PCRE2_ERROR_BADMAGIC;
if (data->version != SERIALIZED_DATA_VERSION) return PCRE2_ERROR_BADMODE;
if (data->config != SERIALIZED_DATA_CONFIG) return PCRE2_ERROR_BADMODE;
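Review bot: The new `data->number_of_codes <= 0` check runs before the magic, version and config checks that follow it, so a blob that is not serialized data at all (or was written with the other endianness, which the man page says PCRE2_ERROR_BADMAGIC is meant to signal) can now be reported as PCRE2_ERROR_BADSERIALIZEDDATA instead of PCRE2_ERROR_BADMAGIC whenever the garbage or byte-swapped count happens to be non-positive. Moving the added line below the `data->config` check keeps the documented meaning of BADMAGIC/BADMODE and lets BADSERIALIZEDDATA mean what the man page now says: a consistency failure in data that has already passed the identity checks. The enclosing pcre2_serialize_decode() starts before this hunk.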
@@ -188,6 +189,8 @@
CODE_BLOCKSIZE_TYPE blocksize;
memcpy(&blocksize, src_bytes + offsetof(pcre2_real_code, blocksize),
sizeof(CODE_BLOCKSIZE_TYPE));
+ if (blocksize <= sizeof(pcre2_real_code))
+ return PCRE2_ERROR_BADSERIALIZEDDATA;
/* The allocator provided by gcontext replaces the original one. */
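Review bot: The early return added after the blocksize read gives back PCRE2_ERROR_BADSERIALIZEDDATA without releasing anything the decoder has already allocated, and the same is true of the return added in the next hunk after the magic_number/name checks. `blocksize` is declared locally here, which suggests this sits inside the per-pattern loop; if so, patterns decoded in earlier iterations (and any tables block) are presumably freed on the allocation-failure path that lies between the hunks, and these new failure paths should do the same — in the next hunk the freshly filled `dst_re` block is certainly lost. Also, the check is a lower bound only: the next hunk copies `blocksize - sizeof(pcre2_memctl)` bytes from `src_bytes`, and since the function takes no length for the input bytes an oversized blocksize cannot be detected here; a comment such as `/* Lower bound only: the decoder has no buffer length to check blocksize against (see SECURITY CONCERNS in pcre2serialize.3) */` would make that limit explicit to the next maintainer. The loop and the function both extend outside this hunk.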
@@ -208,6 +211,10 @@
memcpy(((uint8_t *)dst_re) + sizeof(pcre2_memctl),
src_bytes + sizeof(pcre2_memctl), blocksize - sizeof(pcre2_memctl));
+ if (dst_re->magic_number != MAGIC_NUMBER ||
+ dst_re->name_entry_size > MAX_NAME_SIZE + IMM2_SIZE + 1 ||
+ dst_re->name_count > MAX_NAME_COUNT)
+ return PCRE2_ERROR_BADSERIALIZEDDATA;
/* At the moment only one table is supported. */
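Review bot: The bound `MAX_NAME_SIZE + IMM2_SIZE + 1` in the new condition is evidently derived from the layout of a name-table entry, but nothing on the line says so, and a reader cannot tell whether the `+ 1` is a terminator or an off-by-one. A short comment above the `if` would settle it, e.g. `/* A name table entry is IMM2_SIZE bytes of group number, the name, and a terminating zero */` — assuming that is the layout, which this hunk alone does not confirm. It would also help to state that these checks cover only header fields of the copied block, matching the "simple consistency checking" wording this commit adds to pcre2serialize.3, so they are not later mistaken for validation of the copied bytecode. The loop body continues beyond the hunk.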