Fix CVE-2019-13225: problem in converting if-then-else pattern to byt…
…ecode.
K.Kosako authored and kkos committed Jul 6, 2019
1 parent 4cf9f47 commit c509265
Showing 1 changed file with 17 additions and 8 deletions.
25 changes: 17 additions & 8 deletions src/regcomp.c
@@ -1307,8 +1307,9 @@ compile_length_bag_node(BagNode* node, regex_t* reg)
len += tlen;
}

len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;

if (IS_NOT_NULL(Else)) {
len += SIZE_OP_JUMP;
tlen = compile_length_tree(Else, reg);
if (tlen < 0) return tlen;
len += tlen;
@@ -1455,7 +1456,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)

case BAG_IF_ELSE:
{
int cond_len, then_len, jump_len;
int cond_len, then_len, else_len, jump_len;
Node* cond = NODE_BAG_BODY(node);
Node* Then = node->te.Then;
Node* Else = node->te.Else;
@@ -1472,8 +1473,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
else
then_len = 0;

jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END;
if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP;
jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;

r = add_op(reg, OP_PUSH);
if (r != 0) return r;
@@ -1490,11 +1490,20 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
}

if (IS_NOT_NULL(Else)) {
int else_len = compile_length_tree(Else, reg);
r = add_op(reg, OP_JUMP);
if (r != 0) return r;
COP(reg)->jump.addr = else_len + SIZE_INC_OP;
else_len = compile_length_tree(Else, reg);
if (else_len < 0) return else_len;
}
else
else_len = 0;

r = add_op(reg, OP_JUMP);
if (r != 0) return r;
COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP;

r = add_op(reg, OP_ATOMIC_END);
if (r != 0) return r;

if (IS_NOT_NULL(Else)) {
r = compile_tree(Else, reg, env);
}
}
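Review bot: The relative offsets in the last two hunks of compile_bag_node (`jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;` and `COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP;`) describe the emitted bytecode layout only implicitly. They also have to stay in step with the `len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;` that compile_length_bag_node now adds unconditionally. A wrong offset here makes the matcher resume at an unintended opcode, so I would add a layout comment above the `jump_len` assignment, for example `/* emitted: PUSH, cond, ATOMIC_END, Then, JUMP(past Else), ATOMIC_END, Else; JUMP and the second ATOMIC_END are emitted even without Else */`, with a one-line pointer to it in the length function. The commit changes only src/regcomp.c, so a regression test that compiles and matches `(?(cond)then|else)` both with and without the else branch would pin the fix. Both functions begin and end outside the visible hunks, so the opcode order before OP_PUSH and the use of `jump_len` as the PUSH target are inferred from the arithmetic and should be confirmed against the full file.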

3 comments on commit c509265

@apoleon

Hello,

I am currently investigating CVE-2019-13225 because we still maintain version 5.9.1 of oniguruma. The code base is completely different and the patch does not apply at all. Can you provide a test case to reproduce this problem, or can you rule out that version 5.9.1 is affected? Thank you

@kkos
Owner

@kkos kkos commented on c509265 Jul 15, 2019


5.X.X does not have if-then-else pattern (?(cond)then|else) feature.
This bug fix is about the implementation of the if-then-else pattern, so it has nothing to do with 5.X.X.

@apoleon

Thank you for the confirmation
