
Fix CVE-2019-13225: problem in converting if-then-else pattern to bytecode.
K.Kosako authored and kkos committed Jun 27, 2019
1 parent 4cf9f47 commit c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
Showing with 17 additions and 8 deletions.
  1. +17 −8 src/regcomp.c
@@ -1307,8 +1307,9 @@ compile_length_bag_node(BagNode* node, regex_t* reg)
len += tlen;
}

len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;

if (IS_NOT_NULL(Else)) {
len += SIZE_OP_JUMP;
tlen = compile_length_tree(Else, reg);
if (tlen < 0) return tlen;
len += tlen;
@@ -1455,7 +1456,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)

case BAG_IF_ELSE:
{
int cond_len, then_len, jump_len;
int cond_len, then_len, else_len, jump_len;
Node* cond = NODE_BAG_BODY(node);
Node* Then = node->te.Then;
Node* Else = node->te.Else;
@@ -1472,8 +1473,7 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
else
then_len = 0;

jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END;
if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP;
jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;

r = add_op(reg, OP_PUSH);
if (r != 0) return r;
@@ -1490,11 +1490,20 @@ compile_bag_node(BagNode* node, regex_t* reg, ScanEnv* env)
}

if (IS_NOT_NULL(Else)) {
int else_len = compile_length_tree(Else, reg);
r = add_op(reg, OP_JUMP);
if (r != 0) return r;
COP(reg)->jump.addr = else_len + SIZE_INC_OP;
else_len = compile_length_tree(Else, reg);
if (else_len < 0) return else_len;
}
else
else_len = 0;

r = add_op(reg, OP_JUMP);
if (r != 0) return r;
COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP;

r = add_op(reg, OP_ATOMIC_END);
if (r != 0) return r;

if (IS_NOT_NULL(Else)) {
r = compile_tree(Else, reg, env);
}
}
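Review bot: The size of the jump over the else branch is now computed independently in two places that must agree exactly — `jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;` in compile_bag_node and `len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;` in compile_length_bag_node (hunk at -1307) — and neither site records that coupling, so the next edit to one of them can silently desynchronize the pre-computed bytecode length from what is actually emitted. A one-line comment at each, e.g. `/* OP_JUMP is now emitted unconditionally; keep in sync with compile_length_bag_node */` and its mirror in the length function, would make the invariant visible. The unconditional `COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP;` is only right because `else_len` is what `compile_tree(Else, reg, env)` will emit afterwards (0 when Else is absent), which is worth stating in the same comment. A regression test for the if-then-else pattern without an else branch, e.g. `(?(cond)then)`, would pin this fix. compile_bag_node's switch continues past the hunk, so whether the result of the final `r = compile_tree(Else, reg, env);` is checked is not visible here.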

3 comments on commit c509265

@apoleon



replied Jul 14, 2019

Hello,

I am currently investigating CVE-2019-13225 because we still maintain version 5.9.1 of oniguruma. The code base is completely different and the patch does not apply at all. Can you provide a test case to reproduce this problem, or can you rule out that version 5.9.1 is affected? Thank you

@kkos



replied Jul 15, 2019

5.X.X does not have if-then-else pattern (?(cond)then|else) feature.
This bug fix is about the implementation of the if-then-else pattern, so it has nothing to do with 5.X.X.

@apoleon



replied Jul 15, 2019

Thank you for the confirmation
