ruby/CVE-2019-19204.patch

From 6eb4aca6a7f2f60f473580576d86686ed6a6ebec Mon Sep 17 00:00:00 2001
From: "K.Kosako" <kosako@sofnec.co.jp>
Date: Wed, 6 Nov 2019 17:32:29 +0900
Subject: [PATCH] fix #162: heap-buffer-overflow in fetch_interval_quantifier
 due to double PFETCH

---
 regparse.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/regparse.c b/regparse.c
index 324c414..70c36d5 100644
--- a/regparse.c
+++ b/regparse.c
@@ -4178,7 +4178,7 @@ fetch_interval_quantifier(UChar** src, UChar* end, PToken* tok, ScanEnv* env)
   if (PEND) goto invalid;
   PFETCH(c);
   if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_BRACE_INTERVAL)) {
-    if (c != MC_ESC(env->syntax)) goto invalid;
+    if (c != MC_ESC(env->syntax) || PEND) goto invalid;
     if (PEND) goto invalid;
     PFETCH(c);
   }
fix CVE-2019-16163 CVE-2019-16255 CVE-2019-19204 CVE-2019-19246 2020-03-18 17:31:31 +08:00			`From 6eb4aca6a7f2f60f473580576d86686ed6a6ebec Mon Sep 17 00:00:00 2001`
			`From: "K.Kosako" <kosako@sofnec.co.jp>`
			`Date: Wed, 6 Nov 2019 17:32:29 +0900`
			`Subject: [PATCH] fix #162: heap-buffer-overflow in fetch_interval_quantifier`
			`due to double PFETCH`

			`---`
			`regparse.c \| 2 +-`
			`1 file changed, 1 insertion(+), 1 deletion(-)`

			`diff --git a/regparse.c b/regparse.c`
			`index 324c414..70c36d5 100644`
			`--- a/regparse.c`
			`+++ b/regparse.c`
			`@@ -4178,7 +4178,7 @@ fetch_interval_quantifier(UChar** src, UChar* end, PToken* tok, ScanEnv* env)`
			`if (PEND) goto invalid;`
			`PFETCH(c);`
			`if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_BRACE_INTERVAL)) {`
			`- if (c != MC_ESC(env->syntax)) goto invalid;`
			`+ if (c != MC_ESC(env->syntax) \|\| PEND) goto invalid;`
			`if (PEND) goto invalid;`
			`PFETCH(c);`
			`}`