From 6e3307b561b0ed6bc8949bde180be13ede66e794 Mon Sep 17 00:00:00 2001 From: Eike Rathke Date: Apr 10 2015 18:12:05 +0000 Subject: Merge remote-tracking branch 'origin/f22' Conflicts: icu.spec --- diff --git a/icu.changeset_36724.patch b/icu.changeset_36724.patch new file mode 100644 index 0000000..82e0f21 --- /dev/null +++ b/icu.changeset_36724.patch 
@@ -0,0 +1,39 @@ +Index: icu/source/i18n/regexcmp.cpp +=================================================================== +--- icu/source/i18n/regexcmp.cpp (revision 36723) ++++ icu/source/i18n/regexcmp.cpp (revision 36724) +@@ -2136,4 +2136,8 @@ + int32_t minML = minMatchLength(fMatchOpenParen, patEnd); + int32_t maxML = maxMatchLength(fMatchOpenParen, patEnd); ++ if (URX_TYPE(maxML) != 0) { ++ error(U_REGEX_LOOK_BEHIND_LIMIT); ++ break; ++ } + if (maxML == INT32_MAX) { + error(U_REGEX_LOOK_BEHIND_LIMIT); +@@ -2169,4 +2173,8 @@ + int32_t minML = minMatchLength(fMatchOpenParen, patEnd); + int32_t maxML = maxMatchLength(fMatchOpenParen, patEnd); ++ if (URX_TYPE(maxML) != 0) { ++ error(U_REGEX_LOOK_BEHIND_LIMIT); ++ break; ++ } + if (maxML == INT32_MAX) { + error(U_REGEX_LOOK_BEHIND_LIMIT); +Index: icu/source/test/testdata/regextst.txt +=================================================================== +--- icu/source/test/testdata/regextst.txt (revision 36723) ++++ icu/source/test/testdata/regextst.txt (revision 36724) +@@ -1201,4 +1201,12 @@ + "A|B|\U00012345" "hello <0>\U00012345" + "A|B|\U00010000" "hello \ud800" ++ ++# Bug 11370 ++# Max match length computation of look-behind expression gives result that is too big to fit in the ++# in the 24 bit operand portion of the compiled code. Expressions should fail to compile ++# (Look-behind match length must be bounded. This case is treated as unbounded, an error.) ++ ++"(?fCompiledPat->setSize(topOfBlock); ++ if (fMatchOpenParen >= topOfBlock) { ++ fMatchOpenParen = -1; ++ } ++ if (fMatchCloseParen >= topOfBlock) { ++ fMatchCloseParen = -1; ++ } + return TRUE; + } +Index: icu/source/i18n/regexcmp.h +=================================================================== +--- icu/source/i18n/regexcmp.h (revision 36726) ++++ icu/source/i18n/regexcmp.h (revision 36727) +@@ -188,5 +188,7 @@ + // of the slot reserved for a state save + // at the start of the most recently processed +- // parenthesized block. 
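Review bot: The added `URX_TYPE(maxML) != 0` guard, repeated in the second look-behind hunk at -2169, carries no comment saying what it tests. A reader has to know that URX_TYPE extracts the bits above the 24-bit operand to see that this rejects a max match length too large to store in the compiled op. I would put `// maxML must fit in the 24 bit operand field of the compiled op` above each guard. If URX_TYPE is the plain top-byte extraction it appears to be (the macro is defined outside this page), the `maxML == INT32_MAX` test that follows is already covered by the new guard and the two could be merged. Both enclosing case blocks start and end outside the hunks.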
++ // parenthesized block. Updated when processing ++ // a close to the location for the corresponding open. ++ + int32_t fMatchCloseParen; // The position in the pattern of the first + // location after the most recently processed +Index: icu/source/test/testdata/regextst.txt +=================================================================== +--- icu/source/test/testdata/regextst.txt (revision 36726) ++++ icu/source/test/testdata/regextst.txt (revision 36727) +@@ -1202,4 +1202,13 @@ + "A|B|\U00010000" "hello \ud800" + ++# Bug 11369 ++# Incorrect optimization of patterns with a zero length quantifier {0} ++ ++"(.|b)(|b){0}\$(?#xxx){3}(?>\D*)" "AAAAABBBBBCCCCCDDDDEEEEE" ++"(|b)ab(c)" "<0><1>ab<2>c" ++"(|b){0}a{3}(D*)" "<0>aaa<2>" ++"(|b){0,1}a{3}(D*)" "<0><1>aaa<2>" ++"((|b){0})a{3}(D*)" "<0><1>aaa<3>" ++ + # Bug 11370 + # Max match length computation of look-behind expression gives result that is too big to fit in the +@@ -1209,4 +1218,5 @@ + "(?fFrameSize+=RESTACKFRAME_HDRCOUNT; ++ allocateStackData(RESTACKFRAME_HDRCOUNT); + + // + // Optimization pass 1: NOPs, back-references, and case-folding +@@ -367,9 +367,9 @@ + // the start of an ( grouping. + //4 NOP Resreved, will be replaced by a save if there are + // OR | operators at the top level +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_STATE_SAVE, 2), *fStatus); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_JMP, 3), *fStatus); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_FAIL, 0), *fStatus); ++ appendOp(URX_STATE_SAVE, 2); ++ appendOp(URX_JMP, 3); ++ appendOp(URX_FAIL, 0); + + // Standard open nonCapture paren action emits the two NOPs and + // sets up the paren stack frame. +@@ -392,7 +392,7 @@ + } + + // add the END operation to the compiled pattern. +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_END, 0), *fStatus); ++ appendOp(URX_END, 0); + + // Terminate the pattern compilation state machine. 
+ returnVal = FALSE; +@@ -414,14 +414,13 @@ + int32_t savePosition = fParenStack.popi(); + int32_t op = (int32_t)fRXPat->fCompiledPat->elementAti(savePosition); + U_ASSERT(URX_TYPE(op) == URX_NOP); // original contents of reserved location +- op = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+1); ++ op = buildOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+1); + fRXPat->fCompiledPat->setElementAt(op, savePosition); + + // Append an JMP operation into the compiled pattern. The operand for + // the JMP will eventually be the location following the ')' for the + // group. This will be patched in later, when the ')' is encountered. +- op = URX_BUILD(URX_JMP, 0); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_JMP, 0); + + // Push the position of the newly added JMP op onto the parentheses stack. + // This registers if for fixup when this block's close paren is encountered. +@@ -430,7 +429,7 @@ + // Append a NOP to the compiled pattern. This is the slot reserved + // for a SAVE in the event that there is yet another '|' following + // this one. +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus); ++ appendOp(URX_NOP, 0); + fParenStack.push(fRXPat->fCompiledPat->size()-1, *fStatus); + } + break; +@@ -456,12 +455,10 @@ + // END_CAPTURE is encountered. + { + fixLiterals(); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus); +- int32_t varsLoc = fRXPat->fFrameSize; // Reserve three slots in match stack frame. +- fRXPat->fFrameSize += 3; +- int32_t cop = URX_BUILD(URX_START_CAPTURE, varsLoc); +- fRXPat->fCompiledPat->addElement(cop, *fStatus); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus); ++ appendOp(URX_NOP, 0); ++ int32_t varsLoc = allocateStackData(3); // Reserve three slots in match stack frame. ++ appendOp(URX_START_CAPTURE, varsLoc); ++ appendOp(URX_NOP, 0); + + // On the Parentheses stack, start a new frame and add the postions + // of the two NOPs. 
Depending on what follows in the pattern, the +@@ -486,8 +483,8 @@ + // is an '|' alternation within the parens. + { + fixLiterals(); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus); ++ appendOp(URX_NOP, 0); ++ appendOp(URX_NOP, 0); + + // On the Parentheses stack, start a new frame and add the postions + // of the two NOPs. +@@ -509,12 +506,10 @@ + // is an '|' alternation within the parens. + { + fixLiterals(); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus); +- int32_t varLoc = fRXPat->fDataSize; // Reserve a data location for saving the +- fRXPat->fDataSize += 1; // state stack ptr. +- int32_t stoOp = URX_BUILD(URX_STO_SP, varLoc); +- fRXPat->fCompiledPat->addElement(stoOp, *fStatus); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus); ++ appendOp(URX_NOP, 0); ++ int32_t varLoc = allocateData(1); // Reserve a data location for saving the state stack ptr. ++ appendOp(URX_STO_SP, varLoc); ++ appendOp(URX_NOP, 0); + + // On the Parentheses stack, start a new frame and add the postions + // of the two NOPs. Depending on what follows in the pattern, the +@@ -557,26 +552,14 @@ + // Two data slots are reserved, for saving the stack ptr and the input position. 
+ { + fixLiterals(); +- int32_t dataLoc = fRXPat->fDataSize; +- fRXPat->fDataSize += 2; +- int32_t op = URX_BUILD(URX_LA_START, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- +- op = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+ 2); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- +- op = URX_BUILD(URX_JMP, fRXPat->fCompiledPat->size()+ 3); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- +- op = URX_BUILD(URX_LA_END, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- +- op = URX_BUILD(URX_BACKTRACK, 0); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- +- op = URX_BUILD(URX_NOP, 0); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ int32_t dataLoc = allocateData(2); ++ appendOp(URX_LA_START, dataLoc); ++ appendOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+ 2); ++ appendOp(URX_JMP, fRXPat->fCompiledPat->size()+ 3); ++ appendOp(URX_LA_END, dataLoc); ++ appendOp(URX_BACKTRACK, 0); ++ appendOp(URX_NOP, 0); ++ appendOp(URX_NOP, 0); + + // On the Parentheses stack, start a new frame and add the postions + // of the NOPs. +@@ -601,16 +584,10 @@ + // an alternate (transparent) region. + { + fixLiterals(); +- int32_t dataLoc = fRXPat->fDataSize; +- fRXPat->fDataSize += 2; +- int32_t op = URX_BUILD(URX_LA_START, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- +- op = URX_BUILD(URX_STATE_SAVE, 0); // dest address will be patched later. +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- +- op = URX_BUILD(URX_NOP, 0); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ int32_t dataLoc = allocateData(2); ++ appendOp(URX_LA_START, dataLoc); ++ appendOp(URX_STATE_SAVE, 0); // dest address will be patched later. ++ appendOp(URX_NOP, 0); + + // On the Parentheses stack, start a new frame and add the postions + // of the StateSave and NOP. 
+@@ -648,23 +625,19 @@ + fixLiterals(); + + // Allocate data space +- int32_t dataLoc = fRXPat->fDataSize; +- fRXPat->fDataSize += 4; ++ int32_t dataLoc = allocateData(4); + + // Emit URX_LB_START +- int32_t op = URX_BUILD(URX_LB_START, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LB_START, dataLoc); + + // Emit URX_LB_CONT +- op = URX_BUILD(URX_LB_CONT, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- fRXPat->fCompiledPat->addElement(0, *fStatus); // MinMatchLength. To be filled later. +- fRXPat->fCompiledPat->addElement(0, *fStatus); // MaxMatchLength. To be filled later. +- +- // Emit the NOP +- op = URX_BUILD(URX_NOP, 0); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LB_CONT, dataLoc); ++ appendOp(URX_RESERVED_OP, 0); // MinMatchLength. To be filled later. ++ appendOp(URX_RESERVED_OP, 0); // MaxMatchLength. To be filled later. ++ ++ // Emit the NOPs ++ appendOp(URX_NOP, 0); ++ appendOp(URX_NOP, 0); + + // On the Parentheses stack, start a new frame and add the postions + // of the URX_LB_CONT and the NOP. +@@ -704,24 +677,20 @@ + fixLiterals(); + + // Allocate data space +- int32_t dataLoc = fRXPat->fDataSize; +- fRXPat->fDataSize += 4; ++ int32_t dataLoc = allocateData(4); + + // Emit URX_LB_START +- int32_t op = URX_BUILD(URX_LB_START, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LB_START, dataLoc); + + // Emit URX_LBN_CONT +- op = URX_BUILD(URX_LBN_CONT, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- fRXPat->fCompiledPat->addElement(0, *fStatus); // MinMatchLength. To be filled later. +- fRXPat->fCompiledPat->addElement(0, *fStatus); // MaxMatchLength. To be filled later. +- fRXPat->fCompiledPat->addElement(0, *fStatus); // Continue Loc. To be filled later. 
+- +- // Emit the NOP +- op = URX_BUILD(URX_NOP, 0); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LBN_CONT, dataLoc); ++ appendOp(URX_RESERVED_OP, 0); // MinMatchLength. To be filled later. ++ appendOp(URX_RESERVED_OP, 0); // MaxMatchLength. To be filled later. ++ appendOp(URX_RESERVED_OP, 0); // Continue Loc. To be filled later. ++ ++ // Emit the NOPs ++ appendOp(URX_NOP, 0); ++ appendOp(URX_NOP, 0); + + // On the Parentheses stack, start a new frame and add the postions + // of the URX_LB_CONT and the NOP. +@@ -791,12 +760,9 @@ + + if (URX_TYPE(repeatedOp) == URX_SETREF) { + // Emit optimized code for [char set]+ +- int32_t loopOpI = URX_BUILD(URX_LOOP_SR_I, URX_VAL(repeatedOp)); +- fRXPat->fCompiledPat->addElement(loopOpI, *fStatus); +- frameLoc = fRXPat->fFrameSize; +- fRXPat->fFrameSize++; +- int32_t loopOpC = URX_BUILD(URX_LOOP_C, frameLoc); +- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus); ++ appendOp(URX_LOOP_SR_I, URX_VAL(repeatedOp)); ++ frameLoc = allocateStackData(1); ++ appendOp(URX_LOOP_C, frameLoc); + break; + } + +@@ -804,7 +770,7 @@ + URX_TYPE(repeatedOp) == URX_DOTANY_ALL || + URX_TYPE(repeatedOp) == URX_DOTANY_UNIX) { + // Emit Optimized code for .+ operations. +- int32_t loopOpI = URX_BUILD(URX_LOOP_DOT_I, 0); ++ int32_t loopOpI = buildOp(URX_LOOP_DOT_I, 0); + if (URX_TYPE(repeatedOp) == URX_DOTANY_ALL) { + // URX_LOOP_DOT_I operand is a flag indicating ". matches any" mode. + loopOpI |= 1; +@@ -812,11 +778,9 @@ + if (fModeFlags & UREGEX_UNIX_LINES) { + loopOpI |= 2; + } +- fRXPat->fCompiledPat->addElement(loopOpI, *fStatus); +- frameLoc = fRXPat->fFrameSize; +- fRXPat->fFrameSize++; +- int32_t loopOpC = URX_BUILD(URX_LOOP_C, frameLoc); +- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus); ++ appendOp(loopOpI); ++ frameLoc = allocateStackData(1); ++ appendOp(URX_LOOP_C, frameLoc); + break; + } + +@@ -830,18 +794,15 @@ + // Zero length match is possible. 
+ // Emit the code sequence that can handle it. + insertOp(topLoc); +- frameLoc = fRXPat->fFrameSize; +- fRXPat->fFrameSize++; ++ frameLoc = allocateStackData(1); + +- int32_t op = URX_BUILD(URX_STO_INP_LOC, frameLoc); ++ int32_t op = buildOp(URX_STO_INP_LOC, frameLoc); + fRXPat->fCompiledPat->setElementAt(op, topLoc); + +- op = URX_BUILD(URX_JMP_SAV_X, topLoc+1); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_JMP_SAV_X, topLoc+1); + } else { + // Simpler code when the repeated body must match something non-empty +- int32_t jmpOp = URX_BUILD(URX_JMP_SAV, topLoc); +- fRXPat->fCompiledPat->addElement(jmpOp, *fStatus); ++ appendOp(URX_JMP_SAV, topLoc); + } + } + break; +@@ -853,8 +814,7 @@ + // 3. ... + { + int32_t topLoc = blockTopLoc(FALSE); +- int32_t saveStateOp = URX_BUILD(URX_STATE_SAVE, topLoc); +- fRXPat->fCompiledPat->addElement(saveStateOp, *fStatus); ++ appendOp(URX_STATE_SAVE, topLoc); + } + break; + +@@ -868,7 +828,7 @@ + // Insert the state save into the compiled pattern, and we're done. 
+ { + int32_t saveStateLoc = blockTopLoc(TRUE); +- int32_t saveStateOp = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size()); ++ int32_t saveStateOp = buildOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size()); + fRXPat->fCompiledPat->setElementAt(saveStateOp, saveStateLoc); + } + break; +@@ -887,14 +847,12 @@ + int32_t jmp1_loc = blockTopLoc(TRUE); + int32_t jmp2_loc = fRXPat->fCompiledPat->size(); + +- int32_t jmp1_op = URX_BUILD(URX_JMP, jmp2_loc+1); ++ int32_t jmp1_op = buildOp(URX_JMP, jmp2_loc+1); + fRXPat->fCompiledPat->setElementAt(jmp1_op, jmp1_loc); + +- int32_t jmp2_op = URX_BUILD(URX_JMP, jmp2_loc+2); +- fRXPat->fCompiledPat->addElement(jmp2_op, *fStatus); ++ appendOp(URX_JMP, jmp2_loc+2); + +- int32_t save_op = URX_BUILD(URX_STATE_SAVE, jmp1_loc+1); +- fRXPat->fCompiledPat->addElement(save_op, *fStatus); ++ appendOp(URX_STATE_SAVE, jmp1_loc+1); + } + break; + +@@ -934,12 +892,10 @@ + + if (URX_TYPE(repeatedOp) == URX_SETREF) { + // Emit optimized code for a [char set]* +- int32_t loopOpI = URX_BUILD(URX_LOOP_SR_I, URX_VAL(repeatedOp)); ++ int32_t loopOpI = buildOp(URX_LOOP_SR_I, URX_VAL(repeatedOp)); + fRXPat->fCompiledPat->setElementAt(loopOpI, topLoc); +- dataLoc = fRXPat->fFrameSize; +- fRXPat->fFrameSize++; +- int32_t loopOpC = URX_BUILD(URX_LOOP_C, dataLoc); +- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus); ++ dataLoc = allocateStackData(1); ++ appendOp(URX_LOOP_C, dataLoc); + break; + } + +@@ -947,7 +903,7 @@ + URX_TYPE(repeatedOp) == URX_DOTANY_ALL || + URX_TYPE(repeatedOp) == URX_DOTANY_UNIX) { + // Emit Optimized code for .* operations. +- int32_t loopOpI = URX_BUILD(URX_LOOP_DOT_I, 0); ++ int32_t loopOpI = buildOp(URX_LOOP_DOT_I, 0); + if (URX_TYPE(repeatedOp) == URX_DOTANY_ALL) { + // URX_LOOP_DOT_I operand is a flag indicating . matches any mode. 
+ loopOpI |= 1; +@@ -956,10 +912,8 @@ + loopOpI |= 2; + } + fRXPat->fCompiledPat->setElementAt(loopOpI, topLoc); +- dataLoc = fRXPat->fFrameSize; +- fRXPat->fFrameSize++; +- int32_t loopOpC = URX_BUILD(URX_LOOP_C, dataLoc); +- fRXPat->fCompiledPat->addElement(loopOpC, *fStatus); ++ dataLoc = allocateStackData(1); ++ appendOp(URX_LOOP_C, dataLoc); + break; + } + } +@@ -968,30 +922,29 @@ + // The optimizations did not apply. + + int32_t saveStateLoc = blockTopLoc(TRUE); +- int32_t jmpOp = URX_BUILD(URX_JMP_SAV, saveStateLoc+1); ++ int32_t jmpOp = buildOp(URX_JMP_SAV, saveStateLoc+1); + + // Check for minimum match length of zero, which requires + // extra loop-breaking code. + if (minMatchLength(saveStateLoc, fRXPat->fCompiledPat->size()-1) == 0) { + insertOp(saveStateLoc); +- dataLoc = fRXPat->fFrameSize; +- fRXPat->fFrameSize++; ++ dataLoc = allocateStackData(1); + +- int32_t op = URX_BUILD(URX_STO_INP_LOC, dataLoc); ++ int32_t op = buildOp(URX_STO_INP_LOC, dataLoc); + fRXPat->fCompiledPat->setElementAt(op, saveStateLoc+1); +- jmpOp = URX_BUILD(URX_JMP_SAV_X, saveStateLoc+2); ++ jmpOp = buildOp(URX_JMP_SAV_X, saveStateLoc+2); + } + + // Locate the position in the compiled pattern where the match will continue + // after completing the *. (4 or 5 in the comment above) + int32_t continueLoc = fRXPat->fCompiledPat->size()+1; + +- // Put together the save state op store it into the compiled code. +- int32_t saveStateOp = URX_BUILD(URX_STATE_SAVE, continueLoc); ++ // Put together the save state op and store it into the compiled code. ++ int32_t saveStateOp = buildOp(URX_STATE_SAVE, continueLoc); + fRXPat->fCompiledPat->setElementAt(saveStateOp, saveStateLoc); + + // Append the URX_JMP_SAV or URX_JMPX operation to the compiled pattern. +- fRXPat->fCompiledPat->addElement(jmpOp, *fStatus); ++ appendOp(jmpOp); + } + break; + +@@ -1005,10 +958,9 @@ + { + int32_t jmpLoc = blockTopLoc(TRUE); // loc 1. + int32_t saveLoc = fRXPat->fCompiledPat->size(); // loc 3. 
+- int32_t jmpOp = URX_BUILD(URX_JMP, saveLoc); +- int32_t stateSaveOp = URX_BUILD(URX_STATE_SAVE, jmpLoc+1); ++ int32_t jmpOp = buildOp(URX_JMP, saveLoc); + fRXPat->fCompiledPat->setElementAt(jmpOp, jmpLoc); +- fRXPat->fCompiledPat->addElement(stateSaveOp, *fStatus); ++ appendOp(URX_STATE_SAVE, jmpLoc+1); + } + break; + +@@ -1077,9 +1029,9 @@ + + // First the STO_SP before the start of the loop + insertOp(topLoc); +- int32_t varLoc = fRXPat->fDataSize; // Reserve a data location for saving the +- fRXPat->fDataSize += 1; // state stack ptr. +- int32_t op = URX_BUILD(URX_STO_SP, varLoc); ++ ++ int32_t varLoc = allocateData(1); // Reserve a data location for saving the ++ int32_t op = buildOp(URX_STO_SP, varLoc); + fRXPat->fCompiledPat->setElementAt(op, topLoc); + + int32_t loopOp = (int32_t)fRXPat->fCompiledPat->popi(); +@@ -1088,8 +1040,7 @@ + fRXPat->fCompiledPat->push(loopOp, *fStatus); + + // Then the LD_SP after the end of the loop +- op = URX_BUILD(URX_LD_SP, varLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LD_SP, varLoc); + } + + break; +@@ -1125,55 +1076,49 @@ + // scanned a ".", match any single character. 
+ { + fixLiterals(FALSE); +- int32_t op; + if (fModeFlags & UREGEX_DOTALL) { +- op = URX_BUILD(URX_DOTANY_ALL, 0); ++ appendOp(URX_DOTANY_ALL, 0); + } else if (fModeFlags & UREGEX_UNIX_LINES) { +- op = URX_BUILD(URX_DOTANY_UNIX, 0); ++ appendOp(URX_DOTANY_UNIX, 0); + } else { +- op = URX_BUILD(URX_DOTANY, 0); ++ appendOp(URX_DOTANY, 0); + } +- fRXPat->fCompiledPat->addElement(op, *fStatus); + } + break; + + case doCaret: + { + fixLiterals(FALSE); +- int32_t op = 0; + if ( (fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) { +- op = URX_CARET; ++ appendOp(URX_CARET, 0); + } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) { +- op = URX_CARET_M; ++ appendOp(URX_CARET_M, 0); + } else if ((fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) { +- op = URX_CARET; // Only testing true start of input. ++ appendOp(URX_CARET, 0); // Only testing true start of input. + } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) { +- op = URX_CARET_M_UNIX; ++ appendOp(URX_CARET_M_UNIX, 0); + } +- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 0), *fStatus); + } + break; + + case doDollar: + { + fixLiterals(FALSE); +- int32_t op = 0; + if ( (fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) { +- op = URX_DOLLAR; ++ appendOp(URX_DOLLAR, 0); + } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) == 0) { +- op = URX_DOLLAR_M; ++ appendOp(URX_DOLLAR_M, 0); + } else if ((fModeFlags & UREGEX_MULTILINE) == 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) { +- op = URX_DOLLAR_D; ++ appendOp(URX_DOLLAR_D, 0); + } else if ((fModeFlags & UREGEX_MULTILINE) != 0 && (fModeFlags & UREGEX_UNIX_LINES) != 0) { +- op = URX_DOLLAR_MD; ++ appendOp(URX_DOLLAR_MD, 0); + } +- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 0), *fStatus); + } + break; + + case doBackslashA: + fixLiterals(FALSE); +- 
fRXPat->fCompiledPat->addElement(URX_BUILD(URX_CARET, 0), *fStatus); ++ appendOp(URX_CARET, 0); + break; + + case doBackslashB: +@@ -1185,7 +1130,7 @@ + #endif + fixLiterals(FALSE); + int32_t op = (fModeFlags & UREGEX_UWORD)? URX_BACKSLASH_BU : URX_BACKSLASH_B; +- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 1), *fStatus); ++ appendOp(op, 1); + } + break; + +@@ -1198,63 +1143,59 @@ + #endif + fixLiterals(FALSE); + int32_t op = (fModeFlags & UREGEX_UWORD)? URX_BACKSLASH_BU : URX_BACKSLASH_B; +- fRXPat->fCompiledPat->addElement(URX_BUILD(op, 0), *fStatus); ++ appendOp(op, 0); + } + break; + + case doBackslashD: + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_D, 1), *fStatus); ++ appendOp(URX_BACKSLASH_D, 1); + break; + + case doBackslashd: + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_D, 0), *fStatus); ++ appendOp(URX_BACKSLASH_D, 0); + break; + + case doBackslashG: + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_G, 0), *fStatus); ++ appendOp(URX_BACKSLASH_G, 0); + break; + + case doBackslashS: + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement( +- URX_BUILD(URX_STAT_SETREF_N, URX_ISSPACE_SET), *fStatus); ++ appendOp(URX_STAT_SETREF_N, URX_ISSPACE_SET); + break; + + case doBackslashs: + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement( +- URX_BUILD(URX_STATIC_SETREF, URX_ISSPACE_SET), *fStatus); ++ appendOp(URX_STATIC_SETREF, URX_ISSPACE_SET); + break; + + case doBackslashW: + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement( +- URX_BUILD(URX_STAT_SETREF_N, URX_ISWORD_SET), *fStatus); ++ appendOp(URX_STAT_SETREF_N, URX_ISWORD_SET); + break; + + case doBackslashw: + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement( +- URX_BUILD(URX_STATIC_SETREF, URX_ISWORD_SET), *fStatus); ++ appendOp(URX_STATIC_SETREF, URX_ISWORD_SET); + break; + + case doBackslashX: + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_X, 
0), *fStatus); ++ appendOp(URX_BACKSLASH_X, 0); + break; + + + case doBackslashZ: + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_DOLLAR, 0), *fStatus); ++ appendOp(URX_DOLLAR, 0); + break; + + case doBackslashz: + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKSLASH_Z, 0), *fStatus); ++ appendOp(URX_BACKSLASH_Z, 0); + break; + + case doEscapeError: +@@ -1314,13 +1255,11 @@ + U_ASSERT(groupNum > 0); // Shouldn't happen. '\0' begins an octal escape sequence, + // and shouldn't enter this code path at all. + fixLiterals(FALSE); +- int32_t op; + if (fModeFlags & UREGEX_CASE_INSENSITIVE) { +- op = URX_BUILD(URX_BACKREF_I, groupNum); ++ appendOp(URX_BACKREF_I, groupNum); + } else { +- op = URX_BUILD(URX_BACKREF, groupNum); ++ appendOp(URX_BACKREF, groupNum); + } +- fRXPat->fCompiledPat->addElement(op, *fStatus); + } + break; + +@@ -1341,22 +1280,18 @@ + { + // Emit the STO_SP + int32_t topLoc = blockTopLoc(TRUE); +- int32_t stoLoc = fRXPat->fDataSize; +- fRXPat->fDataSize++; // Reserve the data location for storing save stack ptr. +- int32_t op = URX_BUILD(URX_STO_SP, stoLoc); ++ int32_t stoLoc = allocateData(1); // Reserve the data location for storing save stack ptr. 
++ int32_t op = buildOp(URX_STO_SP, stoLoc); + fRXPat->fCompiledPat->setElementAt(op, topLoc); + + // Emit the STATE_SAVE +- op = URX_BUILD(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+2); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_STATE_SAVE, fRXPat->fCompiledPat->size()+2); + + // Emit the JMP +- op = URX_BUILD(URX_JMP, topLoc+1); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_JMP, topLoc+1); + + // Emit the LD_SP +- op = URX_BUILD(URX_LD_SP, stoLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LD_SP, stoLoc); + } + break; + +@@ -1376,23 +1311,20 @@ + insertOp(topLoc); + + // emit STO_SP loc +- int32_t stoLoc = fRXPat->fDataSize; +- fRXPat->fDataSize++; // Reserve the data location for storing save stack ptr. +- int32_t op = URX_BUILD(URX_STO_SP, stoLoc); ++ int32_t stoLoc = allocateData(1); // Reserve the data location for storing save stack ptr. ++ int32_t op = buildOp(URX_STO_SP, stoLoc); + fRXPat->fCompiledPat->setElementAt(op, topLoc); + + // Emit the SAVE_STATE 5 + int32_t L7 = fRXPat->fCompiledPat->size()+1; +- op = URX_BUILD(URX_STATE_SAVE, L7); ++ op = buildOp(URX_STATE_SAVE, L7); + fRXPat->fCompiledPat->setElementAt(op, topLoc+1); + + // Append the JMP operation. +- op = URX_BUILD(URX_JMP, topLoc+1); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_JMP, topLoc+1); + + // Emit the LD_SP loc +- op = URX_BUILD(URX_LD_SP, stoLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LD_SP, stoLoc); + } + break; + +@@ -1411,19 +1343,17 @@ + insertOp(topLoc); + + // Emit the STO_SP +- int32_t stoLoc = fRXPat->fDataSize; +- fRXPat->fDataSize++; // Reserve the data location for storing save stack ptr. +- int32_t op = URX_BUILD(URX_STO_SP, stoLoc); ++ int32_t stoLoc = allocateData(1); // Reserve the data location for storing save stack ptr. 
++ int32_t op = buildOp(URX_STO_SP, stoLoc); + fRXPat->fCompiledPat->setElementAt(op, topLoc); + + // Emit the SAVE_STATE + int32_t continueLoc = fRXPat->fCompiledPat->size()+1; +- op = URX_BUILD(URX_STATE_SAVE, continueLoc); ++ op = buildOp(URX_STATE_SAVE, continueLoc); + fRXPat->fCompiledPat->setElementAt(op, topLoc+1); + + // Emit the LD_SP +- op = URX_BUILD(URX_LD_SP, stoLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LD_SP, stoLoc); + } + break; + +@@ -1480,8 +1410,8 @@ + // is an '|' alternation within the parens. + { + fixLiterals(FALSE); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus); +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_NOP, 0), *fStatus); ++ appendOp(URX_NOP, 0); ++ appendOp(URX_NOP, 0); + + // On the Parentheses stack, start a new frame and add the postions + // of the two NOPs (a normal non-capturing () frame, except for the +@@ -1818,7 +1748,6 @@ + // + //------------------------------------------------------------------------------ + void RegexCompile::fixLiterals(UBool split) { +- int32_t op = 0; // An op from/for the compiled pattern. + + // If no literal characters have been scanned but not yet had code generated + // for them, nothing needs to be done. +@@ -1857,23 +1786,23 @@ + // Single character, emit a URX_ONECHAR op to match it. + if ((fModeFlags & UREGEX_CASE_INSENSITIVE) && + u_hasBinaryProperty(lastCodePoint, UCHAR_CASE_SENSITIVE)) { +- op = URX_BUILD(URX_ONECHAR_I, lastCodePoint); ++ appendOp(URX_ONECHAR_I, lastCodePoint); + } else { +- op = URX_BUILD(URX_ONECHAR, lastCodePoint); ++ appendOp(URX_ONECHAR, lastCodePoint); + } +- fRXPat->fCompiledPat->addElement(op, *fStatus); + } else { + // Two or more chars, emit a URX_STRING to match them. 
++ if (fLiteralChars.length() > 0x00ffffff || fRXPat->fLiteralText.length() > 0x00ffffff) { ++ error(U_REGEX_PATTERN_TOO_BIG); ++ } + if (fModeFlags & UREGEX_CASE_INSENSITIVE) { +- op = URX_BUILD(URX_STRING_I, fRXPat->fLiteralText.length()); ++ appendOp(URX_STRING_I, fRXPat->fLiteralText.length()); + } else { + // TODO here: add optimization to split case sensitive strings of length two + // into two single char ops, for efficiency. +- op = URX_BUILD(URX_STRING, fRXPat->fLiteralText.length()); ++ appendOp(URX_STRING, fRXPat->fLiteralText.length()); + } +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- op = URX_BUILD(URX_STRING_LEN, fLiteralChars.length()); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_STRING_LEN, fLiteralChars.length()); + + // Add this string into the accumulated strings of the compiled pattern. + fRXPat->fLiteralText.append(fLiteralChars); +@@ -1883,8 +1812,58 @@ + } + + ++int32_t RegexCompile::buildOp(int32_t type, int32_t val) { ++ if (U_FAILURE(*fStatus)) { ++ return 0; ++ } ++ if (type < 0 || type > 255) { ++ U_ASSERT(FALSE); ++ error(U_REGEX_INTERNAL_ERROR); ++ type = URX_RESERVED_OP; ++ } ++ if (val > 0x00ffffff) { ++ U_ASSERT(FALSE); ++ error(U_REGEX_INTERNAL_ERROR); ++ val = 0; ++ } ++ if (val < 0) { ++ if (!(type == URX_RESERVED_OP_N || type == URX_RESERVED_OP)) { ++ U_ASSERT(FALSE); ++ error(U_REGEX_INTERNAL_ERROR); ++ return -1; ++ } ++ if (URX_TYPE(val) != 0xff) { ++ U_ASSERT(FALSE); ++ error(U_REGEX_INTERNAL_ERROR); ++ return -1; ++ } ++ type = URX_RESERVED_OP_N; ++ } ++ return (type << 24) | val; ++} ++ + ++//------------------------------------------------------------------------------ ++// ++// appendOp() Append a new instruction onto the compiled pattern ++// Includes error checking, limiting the size of the ++// pattern to lengths that can be represented in the ++// 24 bit operand field of an instruction. 
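Review bot: The new length check in the multi-character branch of fixLiterals() calls `error(U_REGEX_PATTERN_TOO_BIG)` and then falls through, so `fRXPat->fLiteralText.append(fLiteralChars)` still runs with the oversized literal. No URX_STRING op is emitted with a truncated operand only because appendOp() and buildOp(), added further down in this patch, return early once the status has failed, which presumably relies on error() setting *fStatus (not visible here). That dependency should be stated where the check is, for example `// error() fails fStatus; the appendOp() calls below then emit nothing`, so a later edit that reintroduces a direct `addElement` does not silently reopen the overflow. fixLiterals() starts and ends outside this hunk.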
++// ++//------------------------------------------------------------------------------ ++void RegexCompile::appendOp(int32_t op) { ++ if (U_FAILURE(*fStatus)) { ++ return; ++ } ++ fRXPat->fCompiledPat->addElement(op, *fStatus); ++ if ((fRXPat->fCompiledPat->size() > 0x00fffff0) && U_SUCCESS(*fStatus)) { ++ error(U_REGEX_PATTERN_TOO_BIG); ++ } ++} + ++void RegexCompile::appendOp(int32_t type, int32_t val) { ++ appendOp(buildOp(type, val)); ++} + + + //------------------------------------------------------------------------------ +@@ -1900,7 +1879,7 @@ + UVector64 *code = fRXPat->fCompiledPat; + U_ASSERT(where>0 && where < code->size()); + +- int32_t nop = URX_BUILD(URX_NOP, 0); ++ int32_t nop = buildOp(URX_NOP, 0); + code->insertElementAt(nop, where, *fStatus); + + // Walk through the pattern, looking for any ops with targets that +@@ -1921,7 +1900,7 @@ + // Target location for this opcode is after the insertion point and + // needs to be incremented to adjust for the insertion. + opValue++; +- op = URX_BUILD(opType, opValue); ++ op = buildOp(opType, opValue); + code->setElementAt(op, loc); + } + } +@@ -1946,6 +1925,58 @@ + } + + ++//------------------------------------------------------------------------------ ++// ++// allocateData() Allocate storage in the matcher's static data area. ++// Return the index for the newly allocated data. ++// The storage won't actually exist until we are running a match ++// operation, but the storage indexes are inserted into various ++// opcodes while compiling the pattern. 
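Review bot: buildOp() is the one new helper without a header comment, and its failure results differ by path: 0 when fStatus has already failed, -1 from the two negative-operand error paths, and a normally packed op with `val = 0` when the operand exceeds 0x00ffffff. Several call sites in this patch pass the result straight to `setElementAt`, so whatever comes back is stored in the compiled pattern. The header should state that the return value is meaningless once fStatus has failed, and that negative operands are accepted only for URX_RESERVED_OP / URX_RESERVED_OP_N. Separately, `(type << 24) | val` shifts into the sign bit of an int32_t for any type of 128 or above; `(int32_t)((uint32_t)type << 24) | val` avoids relying on signed-shift behaviour.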
++// ++//------------------------------------------------------------------------------ ++int32_t RegexCompile::allocateData(int32_t size) { ++ if (U_FAILURE(*fStatus)) { ++ return 0; ++ } ++ if (size <= 0 || size > 0x100 || fRXPat->fDataSize < 0) { ++ error(U_REGEX_INTERNAL_ERROR); ++ return 0; ++ } ++ int32_t dataIndex = fRXPat->fDataSize; ++ fRXPat->fDataSize += size; ++ if (fRXPat->fDataSize >= 0x00fffff0) { ++ error(U_REGEX_INTERNAL_ERROR); ++ } ++ return dataIndex; ++} ++ ++ ++//------------------------------------------------------------------------------ ++// ++// allocateStackData() Allocate space in the back-tracking stack frame. ++// Return the index for the newly allocated data. ++// The frame indexes are inserted into various ++// opcodes while compiling the pattern, meaning that frame ++// size must be restricted to the size that will fit ++// as an operand (24 bits). ++// ++//------------------------------------------------------------------------------ ++int32_t RegexCompile::allocateStackData(int32_t size) { ++ if (U_FAILURE(*fStatus)) { ++ return 0; ++ } ++ if (size <= 0 || size > 0x100 || fRXPat->fFrameSize < 0) { ++ error(U_REGEX_INTERNAL_ERROR); ++ return 0; ++ } ++ int32_t dataIndex = fRXPat->fFrameSize; ++ fRXPat->fFrameSize += size; ++ if (fRXPat->fFrameSize >= 0x00fffff0) { ++ error(U_REGEX_PATTERN_TOO_BIG); ++ } ++ return dataIndex; ++} ++ + + //------------------------------------------------------------------------------ + // +@@ -1988,7 +2019,7 @@ + theLoc--; + } + if (reserveLoc) { +- int32_t nop = URX_BUILD(URX_NOP, 0); ++ int32_t nop = buildOp(URX_NOP, 0); + fRXPat->fCompiledPat->insertElementAt(nop, theLoc, *fStatus); + } + } +@@ -2063,8 +2094,7 @@ + U_ASSERT(URX_TYPE(captureOp) == URX_START_CAPTURE); + + int32_t frameVarLocation = URX_VAL(captureOp); +- int32_t endCaptureOp = URX_BUILD(URX_END_CAPTURE, frameVarLocation); +- fRXPat->fCompiledPat->addElement(endCaptureOp, *fStatus); ++ appendOp(URX_END_CAPTURE, frameVarLocation); + } 
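Review bot: allocateData() reports `U_REGEX_INTERNAL_ERROR` when fDataSize reaches 0x00fffff0, while the otherwise identical limit check in allocateStackData() reports `U_REGEX_PATTERN_TOO_BIG`. Both counters grow with the number of constructs in the pattern being compiled, so reaching the limit is a property of the input rather than a library fault, and a caller that logs or escalates internal errors would misclassify it. I would change the allocateData() branch to `error(U_REGEX_PATTERN_TOO_BIG);` to match. Both helpers also return 0 on failure, which is a valid index as well, so callers can only detect failure through fStatus; their header comments should say so.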
+ break; + case atomic: +@@ -2075,8 +2105,7 @@ + int32_t stoOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen+1); + U_ASSERT(URX_TYPE(stoOp) == URX_STO_SP); + int32_t stoLoc = URX_VAL(stoOp); +- int32_t ldOp = URX_BUILD(URX_LD_SP, stoLoc); +- fRXPat->fCompiledPat->addElement(ldOp, *fStatus); ++ appendOp(URX_LD_SP, stoLoc); + } + break; + +@@ -2085,8 +2114,7 @@ + int32_t startOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen-5); + U_ASSERT(URX_TYPE(startOp) == URX_LA_START); + int32_t dataLoc = URX_VAL(startOp); +- int32_t op = URX_BUILD(URX_LA_END, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LA_END, dataLoc); + } + break; + +@@ -2096,19 +2124,16 @@ + int32_t startOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen-1); + U_ASSERT(URX_TYPE(startOp) == URX_LA_START); + int32_t dataLoc = URX_VAL(startOp); +- int32_t op = URX_BUILD(URX_LA_END, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- op = URX_BUILD(URX_BACKTRACK, 0); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- op = URX_BUILD(URX_LA_END, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LA_END, dataLoc); ++ appendOp(URX_BACKTRACK, 0); ++ appendOp(URX_LA_END, dataLoc); + + // Patch the URX_SAVE near the top of the block. + // The destination of the SAVE is the final LA_END that was just added. 
+ int32_t saveOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen); + U_ASSERT(URX_TYPE(saveOp) == URX_STATE_SAVE); + int32_t dest = fRXPat->fCompiledPat->size()-1; +- saveOp = URX_BUILD(URX_STATE_SAVE, dest); ++ saveOp = buildOp(URX_STATE_SAVE, dest); + fRXPat->fCompiledPat->setElementAt(saveOp, fMatchOpenParen); + } + break; +@@ -2121,10 +2146,8 @@ + int32_t startOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen-4); + U_ASSERT(URX_TYPE(startOp) == URX_LB_START); + int32_t dataLoc = URX_VAL(startOp); +- int32_t op = URX_BUILD(URX_LB_END, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); +- op = URX_BUILD(URX_LA_END, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LB_END, dataLoc); ++ appendOp(URX_LA_END, dataLoc); + + // Determine the min and max bounds for the length of the + // string that the pattern can match. +@@ -2160,8 +2183,7 @@ + int32_t startOp = (int32_t)fRXPat->fCompiledPat->elementAti(fMatchOpenParen-5); + U_ASSERT(URX_TYPE(startOp) == URX_LB_START); + int32_t dataLoc = URX_VAL(startOp); +- int32_t op = URX_BUILD(URX_LBN_END, dataLoc); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(URX_LBN_END, dataLoc); + + // Determine the min and max bounds for the length of the + // string that the pattern can match. +@@ -2186,7 +2208,7 @@ + + // Insert the pattern location to continue at after a successful match + // as the last operand of the URX_LBN_CONT +- op = URX_BUILD(URX_RELOC_OPRND, fRXPat->fCompiledPat->size()); ++ int32_t op = buildOp(URX_RELOC_OPRND, fRXPat->fCompiledPat->size()); + fRXPat->fCompiledPat->setElementAt(op, fMatchOpenParen-1); + } + break; +@@ -2227,7 +2249,7 @@ + case 0: + { + // Set of no elements. Always fails to match. +- fRXPat->fCompiledPat->addElement(URX_BUILD(URX_BACKTRACK, 0), *fStatus); ++ appendOp(URX_BACKTRACK, 0); + delete theSet; + } + break; +@@ -2248,8 +2270,7 @@ + // Put it into the compiled pattern as a set. 
+ int32_t setNumber = fRXPat->fSets->size(); + fRXPat->fSets->addElement(theSet, *fStatus); +- int32_t setOp = URX_BUILD(URX_SETREF, setNumber); +- fRXPat->fCompiledPat->addElement(setOp, *fStatus); ++ appendOp(URX_SETREF, setNumber); + } + } + } +@@ -2288,13 +2309,10 @@ + // counterLoc --> Loop counter + // +1 --> Input index (for breaking non-progressing loops) + // (Only present if unbounded upper limit on loop) +- int32_t counterLoc = fRXPat->fFrameSize; +- fRXPat->fFrameSize++; +- if (fIntervalUpper < 0) { +- fRXPat->fFrameSize++; +- } ++ int32_t dataSize = fIntervalUpper < 0 ? 2 : 1; ++ int32_t counterLoc = allocateStackData(dataSize); + +- int32_t op = URX_BUILD(InitOp, counterLoc); ++ int32_t op = buildOp(InitOp, counterLoc); + fRXPat->fCompiledPat->setElementAt(op, topOfBlock); + + // The second operand of CTR_INIT is the location following the end of the loop. +@@ -2302,7 +2320,7 @@ + // compilation of something later on causes the code to grow and the target + // position to move. + int32_t loopEnd = fRXPat->fCompiledPat->size(); +- op = URX_BUILD(URX_RELOC_OPRND, loopEnd); ++ op = buildOp(URX_RELOC_OPRND, loopEnd); + fRXPat->fCompiledPat->setElementAt(op, topOfBlock+1); + + // Followed by the min and max counts. +@@ -2311,8 +2329,7 @@ + + // Apend the CTR_LOOP op. The operand is the location of the CTR_INIT op. + // Goes at end of the block being looped over, so just append to the code so far. 
+- op = URX_BUILD(LoopOp, topOfBlock); +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(LoopOp, topOfBlock); + + if ((fIntervalLow & 0xff000000) != 0 || + (fIntervalUpper > 0 && (fIntervalUpper & 0xff000000) != 0)) { +@@ -2365,7 +2382,7 @@ + // + int32_t endOfSequenceLoc = fRXPat->fCompiledPat->size()-1 + + fIntervalUpper + (fIntervalUpper-fIntervalLow); +- int32_t saveOp = URX_BUILD(URX_STATE_SAVE, endOfSequenceLoc); ++ int32_t saveOp = buildOp(URX_STATE_SAVE, endOfSequenceLoc); + if (fIntervalLow == 0) { + insertOp(topOfBlock); + fRXPat->fCompiledPat->setElementAt(saveOp, topOfBlock); +@@ -2378,13 +2395,10 @@ + // it was put there when it was originally encountered. + int32_t i; + for (i=1; ifCompiledPat->addElement(saveOp, *fStatus); +- } +- if (i > fIntervalLow) { +- fRXPat->fCompiledPat->addElement(saveOp, *fStatus); ++ if (i >= fIntervalLow) { ++ appendOp(saveOp); + } +- fRXPat->fCompiledPat->addElement(op, *fStatus); ++ appendOp(op); + } + return TRUE; + } +@@ -3603,7 +3617,7 @@ + int32_t operandAddress = URX_VAL(op); + U_ASSERT(operandAddress>=0 && operandAddressfCompiledPat->setElementAt(op, dst); + dst++; + break; +@@ -3618,7 +3632,7 @@ + break; + } + where = fRXPat->fGroupMap->elementAti(where-1); +- op = URX_BUILD(opType, where); ++ op = buildOp(opType, where); + fRXPat->fCompiledPat->setElementAt(op, dst); + dst++; + +@@ -3970,7 +3984,7 @@ + //------------------------------------------------------------------------------ + // + // scanNamedChar +- // Get a UChar32 from a \N{UNICODE CHARACTER NAME} in the pattern. ++// Get a UChar32 from a \N{UNICODE CHARACTER NAME} in the pattern. + // + // The scan position will be at the 'N'. 
On return + // the scan position should be just after the '}' +diff -ru icu/source/i18n/regexcmp.h icu/source/i18n/regexcmp.h +--- icu/source/i18n/regexcmp.h 2015-04-10 15:27:31.370772856 +0200 ++++ icu/source/i18n/regexcmp.h 2015-04-10 15:28:06.152993511 +0200 +@@ -104,6 +104,13 @@ + void fixLiterals(UBool split=FALSE); // Generate code for pending literal characters. + void insertOp(int32_t where); // Open up a slot for a new op in the + // generated code at the specified location. ++ void appendOp(int32_t op); // Append a new op to the compiled pattern. ++ void appendOp(int32_t type, int32_t val); // Build & append a new op to the compiled pattern. ++ int32_t buildOp(int32_t type, int32_t val); // Construct a new pcode instruction. ++ int32_t allocateData(int32_t size); // Allocate space in the matcher data area. ++ // Return index of the newly allocated data. ++ int32_t allocateStackData(int32_t size); // Allocate space in the match back-track stack frame. ++ // Return offset index in the frame. + int32_t minMatchLength(int32_t start, + int32_t end); + int32_t maxMatchLength(int32_t start, +diff -ru icu/source/i18n/regeximp.h icu/source/i18n/regeximp.h +--- icu/source/i18n/regeximp.h 2014-10-03 18:10:44.000000000 +0200 ++++ icu/source/i18n/regeximp.h 2015-04-10 15:28:06.153993517 +0200 +@@ -1,5 +1,5 @@ + // +-// Copyright (C) 2002-2013 International Business Machines Corporation ++// Copyright (C) 2002-2014 International Business Machines Corporation + // and others. All rights reserved. + // + // file: regeximp.h +@@ -241,7 +241,6 @@ + // + // Convenience macros for assembling and disassembling a compiled operation. 
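Review bot: The comments added for `allocateData()` and `allocateStackData()` in the regexcmp.h hunk (`@@ -104,6 +104,13 @@`) describe only the success case. The definitions in regexcmp.cpp return 0 when `*fStatus` is already a failure or when `size` is outside 1..0x100, and they still return the pre-increment index after reporting the overflow error. If the counters start at 0 (not visible here), a caller cannot tell a failed allocation from the first valid index, so the declarations should say so, for example `// Returns 0 and sets an error status on failure; check fStatus, not the return value.` The class declaration continues outside the hunk.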
+ // +-#define URX_BUILD(type, val) (int32_t)((type << 24) | (val)) + #define URX_TYPE(x) ((uint32_t)(x) >> 24) + #define URX_VAL(x) ((x) & 0xffffff) + +diff -ru icu/source/test/intltest/regextst.cpp icu/source/test/intltest/regextst.cpp +--- icu/source/test/intltest/regextst.cpp 2014-10-03 18:09:44.000000000 +0200 ++++ icu/source/test/intltest/regextst.cpp 2015-04-10 15:28:06.154993523 +0200 +@@ -144,6 +144,9 @@ + case 24: name = "TestBug11049"; + if (exec) TestBug11049(); + break; ++ case 25: name = "TestBug11371"; ++ if (exec) TestBug11371(); ++ break; + default: name = ""; + break; //needed to end loop + } +@@ -5367,6 +5370,49 @@ + } + + ++void RegexTest::TestBug11371() { ++ if (quick) { ++ logln("Skipping test. Runs in exhuastive mode only."); ++ return; ++ } ++ UErrorCode status = U_ZERO_ERROR; ++ UnicodeString patternString; ++ ++ for (int i=0; i<8000000; i++) { ++ patternString.append(UnicodeString("()")); ++ } ++ LocalPointer compiledPat(RegexPattern::compile(patternString, 0, status)); ++ if (status != U_REGEX_PATTERN_TOO_BIG) { ++ errln("File %s, line %d expected status=U_REGEX_PATTERN_TOO_BIG; got %s.", ++ __FILE__, __LINE__, u_errorName(status)); ++ } ++ ++ status = U_ZERO_ERROR; ++ patternString = "("; ++ for (int i=0; i<20000000; i++) { ++ patternString.append(UnicodeString("A++")); ++ } ++ patternString.append(UnicodeString("){0}B++")); ++ LocalPointer compiledPat2(RegexPattern::compile(patternString, 0, status)); ++ if (status != U_REGEX_PATTERN_TOO_BIG) { ++ errln("File %s, line %d expected status=U_REGEX_PATTERN_TOO_BIG; got %s.", ++ __FILE__, __LINE__, u_errorName(status)); ++ } ++ ++ // Pattern with too much string data, such that string indexes overflow operand data field size ++ // in compiled instruction. 
++ status = U_ZERO_ERROR; ++ patternString = ""; ++ while (patternString.length() < 0x00ffffff) { ++ patternString.append(UnicodeString("stuff and things dont you know, these are a few of my favorite strings\n")); ++ } ++ patternString.append(UnicodeString("X? trailing string")); ++ LocalPointer compiledPat3(RegexPattern::compile(patternString, 0, status)); ++ if (status != U_REGEX_PATTERN_TOO_BIG) { ++ errln("File %s, line %d expected status=U_REGEX_PATTERN_TOO_BIG; got %s.", ++ __FILE__, __LINE__, u_errorName(status)); ++ } ++} + + #endif /* !UCONFIG_NO_REGULAR_EXPRESSIONS */ + +diff -ru icu/source/test/intltest/regextst.h icu/source/test/intltest/regextst.h +--- icu/source/test/intltest/regextst.h 2014-10-03 18:09:40.000000000 +0200 ++++ icu/source/test/intltest/regextst.h 2015-04-10 15:28:06.154993523 +0200 +@@ -50,6 +50,7 @@ + virtual void Bug10459(); + virtual void TestCaseInsensitiveStarters(); + virtual void TestBug11049(); ++ virtual void TestBug11371(); + + // The following functions are internal to the regexp tests. + virtual void assertUText(const char *expected, UText *actual, const char *file, int line); diff --git a/icu.changeset_37086.patch b/icu.changeset_37086.patch new file mode 100644 index 0000000..f202bfa --- /dev/null +++ b/icu.changeset_37086.patch 
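Review bot: In `TestBug11371` none of the three cases checks that the multi-megabyte `patternString` was actually built, so an allocation failure in the `append` loops would be reported as a confusing `expected status=U_REGEX_PATTERN_TOO_BIG` mismatch. A guard such as `if (patternString.isBogus()) { errln("pattern allocation failed"); return; }` before each `RegexPattern::compile` call would separate the two outcomes. Because the test returns early under `quick`, the operand-size limits added by this patch are not exercised in ordinary test runs, which deserves a comment above the function. The skip message also has a typo and should read `logln("Skipping test. Runs in exhaustive mode only.");`.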
@@ -0,0 +1,125 @@ +# https://ssl.icu-project.org/trac/changeset/37086 + +Index: icu/source/layout/ContextualSubstSubtables.cpp +=================================================================== +--- icu/source/layout/ContextualSubstSubtables.cpp (revision 37085) ++++ icu/source/layout/ContextualSubstSubtables.cpp (revision 37086) +@@ -1,4 +1,4 @@ + /* +- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved ++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved + * + */ +@@ -467,4 +467,10 @@ + (const ChainSubClassRuleTable *) ((char *) chainSubClassSetTable + chainSubClassRuleTableOffset); + le_uint16 backtrackGlyphCount = SWAPW(chainSubClassRuleTable->backtrackGlyphCount); ++ ++ // TODO: Ticket #11557 - enable this check, originally from ticket #11525. ++ // Depends on other, more extensive, changes. ++ // LEReferenceToArrayOf backtrackClassArray(base, success, chainSubClassRuleTable->backtrackClassArray, backtrackGlyphCount); ++ if( LE_FAILURE(success) ) { return 0; } ++ + le_uint16 inputGlyphCount = SWAPW(chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount]) - 1; + const le_uint16 *inputClassArray = &chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount + 1]; +Index: icu/source/layout/CursiveAttachmentSubtables.cpp +=================================================================== +--- icu/source/layout/CursiveAttachmentSubtables.cpp (revision 37085) ++++ icu/source/layout/CursiveAttachmentSubtables.cpp (revision 37086) +@@ -1,4 +1,4 @@ + /* +- * (C) Copyright IBM Corp. 1998 - 2013 - All Rights Reserved ++ * (C) Copyright IBM Corp. 
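Review bot: The guard added in the `@@ -467,4 +467,10 @@` hunk of ContextualSubstSubtables.cpp does not bound `backtrackGlyphCount`: the `LEReferenceToArrayOf` construction that would do so is commented out, so `if( LE_FAILURE(success) ) { return 0; }` only reacts to a failure recorded earlier. The next line still indexes `chainSubClassRuleTable->backtrackClassArray[backtrackGlyphCount]` with a count read from the table, so a malformed font may still cause a read past the end of the table. Until ticket #11557 lands, the TODO should say this explicitly, e.g. `// NOTE: backtrackGlyphCount is NOT range-checked here; the read below stays unchecked until #11557.` The enclosing function starts and ends outside the hunk.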
1998 - 2015 - All Rights Reserved + * + */ +@@ -21,5 +21,8 @@ + le_uint16 eeCount = SWAPW(entryExitCount); + +- if (coverageIndex < 0 || coverageIndex >= eeCount) { ++ LEReferenceToArrayOf ++ entryExitRecordsArrayRef(base, success, entryExitRecords, coverageIndex); ++ ++ if (coverageIndex < 0 || coverageIndex >= eeCount || LE_FAILURE(success)) { + glyphIterator->setCursiveGlyph(); + return 0; +Index: icu/source/layout/Features.cpp +=================================================================== +--- icu/source/layout/Features.cpp (revision 37085) ++++ icu/source/layout/Features.cpp (revision 37086) +@@ -2,5 +2,5 @@ + * @(#)Features.cpp 1.4 00/03/15 + * +- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved ++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved + * + */ +@@ -16,4 +16,7 @@ + LEReferenceTo FeatureListTable::getFeatureTable(const LETableReference &base, le_uint16 featureIndex, LETag *featureTag, LEErrorCode &success) const + { ++ LEReferenceToArrayOf ++ featureRecordArrayRef(base, success, featureRecordArray, featureIndex); ++ + if (featureIndex >= SWAPW(featureCount) || LE_FAILURE(success)) { + return LEReferenceTo(); +Index: icu/source/layout/LETableReference.h +=================================================================== +--- icu/source/layout/LETableReference.h (revision 37085) ++++ icu/source/layout/LETableReference.h (revision 37086) +@@ -2,5 +2,5 @@ + * -*- c++ -*- + * +- * (C) Copyright IBM Corp. and others 2013 - All Rights Reserved ++ * (C) Copyright IBM Corp. 
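Review bot: In CursiveAttachmentSubtables.cpp (`@@ -21,5 +21,8 @@`) the new `entryExitRecordsArrayRef` is sized with `coverageIndex` and is built before the `coverageIndex < 0` test, so a negative index reaches the range check as a length. If the last argument is an element count, as the `compCount` and `seqCount` call sites in this patch suggest, a range of `coverageIndex` elements also does not cover element `coverageIndex` itself. Features.cpp (`@@ -16,4 +16,7 @@`) has the same pattern, with `featureRecordArrayRef` sized by `featureIndex`. Sizing the references with the table's own count, `entryExitRecordsArrayRef(base, success, entryExitRecords, eeCount);` and `featureRecordArrayRef(base, success, featureRecordArray, SWAPW(featureCount));`, would validate every element the later index tests admit. Both function bodies continue outside their hunks, so the actual element access is not visible here.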
and others 2015 - All Rights Reserved + * + * Range checking +@@ -314,5 +314,10 @@ + + const T& getObject(le_uint32 i, LEErrorCode &success) const { +- return *getAlias(i,success); ++ const T *ret = getAlias(i, success); ++ if (LE_FAILURE(success) || ret==NULL) { ++ return *(new T(0)); ++ } else { ++ return *ret; ++ } + } + +Index: icu/source/layout/LigatureSubstSubtables.cpp +=================================================================== +--- icu/source/layout/LigatureSubstSubtables.cpp (revision 37085) ++++ icu/source/layout/LigatureSubstSubtables.cpp (revision 37086) +@@ -1,4 +1,4 @@ + /* +- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved ++ * (C) Copyright IBM Corp. 1998-2015 - All Rights Reserved + * + */ +@@ -28,4 +28,7 @@ + const LigatureTable *ligTable = (const LigatureTable *) ((char *)ligSetTable + ligTableOffset); + le_uint16 compCount = SWAPW(ligTable->compCount) - 1; ++ LEReferenceToArrayOf ++ componentArrayRef(base, success, ligTable->componentArray, compCount); ++ if (LE_FAILURE(success)) { return 0; } + le_int32 startPosition = glyphIterator->getCurrStreamPosition(); + TTGlyphID ligGlyph = SWAPW(ligTable->ligGlyph); +Index: icu/source/layout/MultipleSubstSubtables.cpp +=================================================================== +--- icu/source/layout/MultipleSubstSubtables.cpp (revision 37085) ++++ icu/source/layout/MultipleSubstSubtables.cpp (revision 37086) +@@ -1,5 +1,5 @@ + /* + * +- * (C) Copyright IBM Corp. 1998-2013 - All Rights Reserved ++ * (C) Copyright IBM Corp. 
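Review bot: The failure branch of `getObject()` in LETableReference.h (`@@ -314,5 +314,10 @@`) returns `*(new T(0))`, which allocates an object no caller can free. Every failed lookup therefore leaks one `T`, and a font that keeps triggering the failure path makes the process's memory grow steadily. The expression also requires every `T` to be constructible from `0` and dereferences the result of `new` unchecked. A shared fallback avoids the allocation: `static const T fallback(0); return fallback;` (initialisation of a function-local static may need a thread-safety check on the compilers ICU supports). The class body continues outside the hunk.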
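Review bot: In LigatureSubstSubtables.cpp (`@@ -28,4 +28,7 @@`) the added `componentArrayRef` check runs only after `ligTable->compCount` has been read through a pointer formed as `(char *)ligSetTable + ligTableOffset`, and nothing in the hunk shows `ligTableOffset` being range-checked. `compCount` is `SWAPW(ligTable->compCount) - 1` stored in an `le_uint16`, so a stored count of 0 wraps to 65535 and depends on the new check failing. A comment such as `// compCount wraps to 0xFFFF when the table stores 0; componentArrayRef must reject it` would document this. A reference-based check on `ligTable` before its first field is read would close the remaining gap. The loop that consumes these values is outside the hunk.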
1998-2015 - All Rights Reserved + * + */ +@@ -36,5 +36,10 @@ + le_int32 coverageIndex = getGlyphCoverage(base, glyph, success); + le_uint16 seqCount = SWAPW(sequenceCount); ++ LEReferenceToArrayOf ++ sequenceTableOffsetArrayRef(base, success, sequenceTableOffsetArray, seqCount); + ++ if (LE_FAILURE(success)) { ++ return 0; ++ } + if (coverageIndex >= 0 && coverageIndex < seqCount) { + Offset sequenceTableOffset = SWAPW(sequenceTableOffsetArray[coverageIndex]); diff --git a/icu.spec b/icu.spec index 4ed24b7..1deec35 100644 --- a/icu.spec +++ b/icu.spec @@ -1,6 +1,6 @@ Name: icu Version: 54.1 -Release: 2%{?dist} +Release: 3%{?dist} Summary: International Components for Unicode Group: Development/Tools License: MIT and UCD and Public Domain @@ -15,6 +15,10 @@ Patch2: icu.8800.freeserif.crash.patch Patch3: icu.7601.Indic-ccmp.patch Patch4: gennorm2-man.patch Patch5: icuinfo-man.patch +Patch6: icu.changeset_36724.patch +Patch7: icu.changeset_36727.patch +Patch8: icu.changeset_36801.patch +Patch9: icu.changeset_37086.patch %description Tools and utilities for developing with icu. @@ -62,6 +66,10 @@ BuildArch: noarch %patch3 -p1 -b .icu7601.Indic-ccmp.patch %patch4 -p1 -b .gennorm2-man.patch %patch5 -p1 -b .icuinfo-man.patch +%patch6 -p1 -b .icu.changeset_36724.patch +%patch7 -p1 -b .icu.changeset_36727.patch +%patch8 -p1 -b .icu.changeset_36801.patch +%patch9 -p1 -b .icu.changeset_37086.patch %build cd source @@ -170,6 +178,10 @@ make %{?_smp_mflags} -C source check %doc source/__docs/%{name}/html/* %changelog +* Fri Apr 10 2015 Eike Rathke - 54.1-3 +- Resolves: rhbz#1190131 CVE-2014-7923 CVE-2014-7926 CVE-2014-9654 +- Resolves: rhbz#1184811 CVE-2014-6585 CVE-2014-6591 + * Sat Feb 21 2015 Till Maas - 54.1-2 - Rebuilt for Fedora 23 Change https://fedoraproject.org/wiki/Changes/Harden_all_packages_with_position-independent_code