From 2c7655105475ad81ad07eedc9dded1924afb154f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Frings-F=C3=BCrst?= <debian@jff.email>
Date: Fri, 12 Jul 2019 10:25:50 +0200
Subject: Fix CVE-2019-1322[4-5]

---
 debian/changelog                         |  5 +++
 debian/patches/0105-CVE-2019-13224.patch | 38 ++++++++++++++++++
 debian/patches/0110-CVE-2019-13225.patch | 66 ++++++++++++++++++++++++++++++++
 debian/patches/series                    |  2 +
 4 files changed, 111 insertions(+)
 create mode 100644 debian/patches/0105-CVE-2019-13224.patch
 create mode 100644 debian/patches/0110-CVE-2019-13225.patch

diff --git a/debian/changelog b/debian/changelog
index 181ecf3..b9e1e60 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,11 @@ libonig (6.9.2-1) UNRELEASED; urgency=medium
     - Refresh symbols file.
     - Refresh debian/patches/0100-source_typos.patch.
   * Rewrite debain/watch.
+  * New debian/patches/0105-CVE-2019-13224.patch and
+      debian/patches/0110-CVE-2019-13225.patch (Closes: #931878):
+    - Fixes CVE-2019-13224 A use-after-free in onig_new_deluxe() in regext.c.
+    - Fixes CVE-2019-13225 A NULL Pointer Dereference in match_at()
+       in regexec.c.
 
  -- Jörg Frings-Fürst <debian@jff.email>  Fri, 12 Jul 2019 09:15:25 +0200
 
diff --git a/debian/patches/0105-CVE-2019-13224.patch b/debian/patches/0105-CVE-2019-13224.patch
new file mode 100644
index 0000000..6ea4f95
--- /dev/null
+++ b/debian/patches/0105-CVE-2019-13224.patch
@@ -0,0 +1,38 @@
+Description: CVE-2019-13224
+ don't allow different encodings for onig_new_deluxe()
+Origin: upstream, https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931878
+Last-Update: 2019-07-12
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/src/regext.c
+===================================================================
+--- trunk.orig/src/regext.c
++++ trunk/src/regext.c
+@@ -29,6 +29,7 @@
+ 
+ #include "regint.h"
+ 
++#if 0
+ static void
+ conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
+ {
+@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEnc
+ 
+   return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
++#endif
+ 
+ extern int
+ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UCh
+   if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
+ 
+   if (ci->pattern_enc != ci->target_enc) {
+-    r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
+-                      &cpat, &cpat_end);
+-    if (r != 0) return r;
++    return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+   }
+   else {
+     cpat     = (UChar* )pattern;
diff --git a/debian/patches/0110-CVE-2019-13225.patch b/debian/patches/0110-CVE-2019-13225.patch
new file mode 100644
index 0000000..be9e152
--- /dev/null
+++ b/debian/patches/0110-CVE-2019-13225.patch
@@ -0,0 +1,66 @@
+Description: CVE-2019-13225
+ problem in converting if-then-else pattern to bytecode.
+Origin: upstream, https://github.com/kkos/oniguruma/commit/c509265c5f6ae7264f7b8a8aae1cfa5fc59d108c
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931878
+Last-Update: 2019-07-12
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
+Index: trunk/src/regcomp.c
+===================================================================
+--- trunk.orig/src/regcomp.c
++++ trunk/src/regcomp.c
+@@ -1307,8 +1307,9 @@ compile_length_bag_node(BagNode* node, r
+         len += tlen;
+       }
+ 
++      len += SIZE_OP_JUMP + SIZE_OP_ATOMIC_END;
++
+       if (IS_NOT_NULL(Else)) {
+-        len += SIZE_OP_JUMP;
+         tlen = compile_length_tree(Else, reg);
+         if (tlen < 0) return tlen;
+         len += tlen;
+@@ -1455,7 +1456,7 @@ compile_bag_node(BagNode* node, regex_t*
+ 
+   case BAG_IF_ELSE:
+     {
+-      int cond_len, then_len, jump_len;
++      int cond_len, then_len, else_len, jump_len;
+       Node* cond = NODE_BAG_BODY(node);
+       Node* Then = node->te.Then;
+       Node* Else = node->te.Else;
+@@ -1472,8 +1473,7 @@ compile_bag_node(BagNode* node, regex_t*
+       else
+         then_len = 0;
+ 
+-      jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END;
+-      if (IS_NOT_NULL(Else)) jump_len += SIZE_OP_JUMP;
++      jump_len = cond_len + then_len + SIZE_OP_ATOMIC_END + SIZE_OP_JUMP;
+ 
+       r = add_op(reg, OP_PUSH);
+       if (r != 0) return r;
+@@ -1490,11 +1490,20 @@ compile_bag_node(BagNode* node, regex_t*
+       }
+ 
+       if (IS_NOT_NULL(Else)) {
+-        int else_len = compile_length_tree(Else, reg);
+-        r = add_op(reg, OP_JUMP);
+-        if (r != 0) return r;
+-        COP(reg)->jump.addr = else_len + SIZE_INC_OP;
++        else_len = compile_length_tree(Else, reg);
++        if (else_len < 0) return else_len;
++      }
++      else
++        else_len = 0;
+ 
++      r = add_op(reg, OP_JUMP);
++      if (r != 0) return r;
++      COP(reg)->jump.addr = SIZE_OP_ATOMIC_END + else_len + SIZE_INC_OP;
++
++      r = add_op(reg, OP_ATOMIC_END);
++      if (r != 0) return r;
++
++      if (IS_NOT_NULL(Else)) {
+         r = compile_tree(Else, reg, env);
+       }
+     }
diff --git a/debian/patches/series b/debian/patches/series
index ea79fff..e924636 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,3 @@
 0100-source_typos.patch
+0105-CVE-2019-13224.patch
+0110-CVE-2019-13225.patch
-- 
cgit v1.2.3