diff options
Diffstat (limited to 'meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch')
| -rw-r--r-- | meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch b/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch new file mode 100644 index 0000000000..f942e21cba --- /dev/null +++ b/meta/recipes-support/re2c/re2c/CVE-2018-21232-3.patch @@ -0,0 +1,156 @@ +From 4d9c809355b574f2a58eac119f5e076c48e4d1e2 Mon Sep 17 00:00:00 2001 +From: Ulya Trofimovich <skvadrik@gmail.com> +Date: Thu, 23 Apr 2020 22:16:51 +0100 +Subject: [PATCH] Rewrite recursion into iteration (nullable RE). + +This is to avoid stack overflow on large RE (especially on instrumented +builds that have larger stack frames, like AddressSanitizer). + +Partial fix for #219 "overflow-1.re test fails on system with small stack". + +Upstream-Status: Backport: +https://github.com/skvadrik/re2c/commit/4d9c809355b574f2a58eac119f5e076c48e4d1e2 + +CVE: CVE-2018-21232 + +Signed-off-by: Davide Gardenal <davide.gardenal@huawei.com> +--- +diff --git a/src/re/nullable.cc b/src/re/nullable.cc +--- a/src/re/nullable.cc (revision e58939b34bb4c37cd990f82dc286f21cb405743e) ++++ b/src/re/nullable.cc (date 1647253886226) +@@ -9,43 +9,100 @@ + #include "src/re/tag.h" + + namespace re2c { ++ namespace { ++ ++ struct StackItem { ++ const RE *re; // current sub-RE ++ uint8_t succ; // index of the next sucessor to be visited ++ }; + +-static bool nullable(const RESpec &spec, const RE *re, bool &trail) +-{ +- if (trail) return true; ++ static bool nullable(const RESpec &spec, std::vector<StackItem> &stack, const RE *re0) ++ { ++ // the "nullable" status of the last sub-RE visited by DFS ++ bool null = false; + +- switch (re->type) { +- case RE::NIL: return true; +- case RE::SYM: return false; +- case RE::ITER: +- return nullable(spec, re->iter.re, trail); +- case RE::TAG: +- trail |= trailing(spec.tags[re->tag.idx]); +- return true; +- case RE::ALT: +- return nullable(spec, re->alt.re1, trail) +- || nullable(spec, re->alt.re2, trail); +- case RE::CAT: +- return nullable(spec, re->cat.re1, trail) +- && nullable(spec, re->cat.re2, trail); +- } +- return false; /* unreachable */ +-} ++ const StackItem i0 = {re0, 0}; ++ stack.push_back(i0); ++ ++ while (!stack.empty()) { ++ const StackItem i = stack.back(); ++ stack.pop_back(); ++ ++ const RE *re = i.re; ++ if (re->type == RE::NIL) { ++ null = true; ++ } ++ else if (re->type == RE::SYM) { ++ null = false; ++ } ++ else if (re->type == RE::TAG) { ++ null = true; + +-/* +- * warn about rules that match empty string +- * (including rules with nonempty trailing context) +- * false positives on partially self-shadowed rules like [^]? +- */ +-void warn_nullable(const RESpec &spec, const std::string &cond) +-{ +- const size_t nre = spec.res.size(); +- for (size_t i = 0; i < nre; ++i) { +- bool trail = false; +- if (nullable(spec, spec.res[i], trail)) { +- spec.warn.match_empty_string(spec.rules[i].code->fline, cond); +- } +- } +-} ++ // Trailing context is always in top-level concatenation, and sub-RE ++ // are visited from left to right. Since we are here, sub-RE to the ++ // left of the trailing context is nullable (otherwise we would not ++ // recurse into the right sub-RE), therefore the whole RE is nullable. ++ if (trailing(spec.tags[re->tag.idx])) { ++ //DASSERT(stack.size() == 1 && stack.back().re->type == RE::CAT); ++ stack.pop_back(); ++ break; ++ } ++ } ++ else if (re->type == RE::ALT) { ++ if (i.succ == 0) { ++ // recurse into the left sub-RE ++ StackItem k = {re, 1}; ++ stack.push_back(k); ++ StackItem j = {re->alt.re1, 0}; ++ stack.push_back(j); ++ } ++ else if (!null) { ++ // if the left sub-RE is nullable, so is alternative, so stop ++ // recursion; otherwise recurse into the right sub-RE ++ StackItem j = {re->alt.re2, 0}; ++ stack.push_back(j); ++ } ++ } ++ else if (re->type == RE::CAT) { ++ if (i.succ == 0) { ++ // recurse into the left sub-RE ++ StackItem k = {re, 1}; ++ stack.push_back(k); ++ StackItem j = {re->cat.re1, 0}; ++ stack.push_back(j); ++ } ++ else if (null) { ++ // if the left sub-RE is not nullable, neither is concatenation, ++ // so stop recursion; otherwise recurse into the right sub-RE ++ StackItem j = {re->cat.re2, 0}; ++ stack.push_back(j); ++ } ++ } ++ else if (re->type == RE::ITER) { ++ // iteration is nullable if the sub-RE is nullable ++ // (zero repetitions is represented with alternative) ++ StackItem j = {re->iter.re, 0}; ++ stack.push_back(j); ++ } ++ } ++ ++ //DASSERT(stack.empty()); ++ return null; ++ } ++ ++ } // anonymous namespace ++ ++// Warn about rules that match empty string (including rules with nonempty ++// trailing context). False positives on partially self-shadowed rules like [^]? ++ void warn_nullable(const RESpec &spec, const std::string &cond) ++ { ++ std::vector<StackItem> stack; ++ const size_t nre = spec.res.size(); ++ for (size_t i = 0; i < nre; ++i) { ++ if (nullable(spec, stack, spec.res[i])) { ++ spec.warn.match_empty_string(spec.rules[i].code->fline, cond); ++ } ++ } ++ } + + } // namespace re2c |