bf7cc206f8
CAN-2005-2491, http://securitytracker.com/id?1014744 "A remote or local user may be able to supply a specially crafted regular expression to trigger a heap integer overflow in PCRE." ok pvalchev@
56 lines
1.3 KiB
Plaintext
56 lines
1.3 KiB
Plaintext
$OpenBSD: patch-pcre_c,v 1.1 2005/08/22 22:40:29 naddy Exp $
|
|
--- pcre.c.orig Wed Dec 10 17:45:44 2003
|
|
+++ pcre.c Mon Aug 22 22:27:27 2005
|
|
@@ -1047,14 +1047,30 @@ read_repeat_counts(const uschar *p, int
|
|
int min = 0;
|
|
int max = -1;
|
|
|
|
+/* Read the minimum value and do a paranoid check: a negative value indicates
|
|
+an integer overflow. */
|
|
+
|
|
while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
|
|
+if (min < 0 || min > 65535)
|
|
+ {
|
|
+ *errorptr = ERR5;
|
|
+ return p;
|
|
+ }
|
|
|
|
+/* Read the maximum value if there is one, and again do a paranoid on its size.
|
|
+Also, max must not be less than min. */
|
|
+
|
|
if (*p == '}') max = min; else
|
|
{
|
|
if (*(++p) != '}')
|
|
{
|
|
max = 0;
|
|
while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
|
|
+ if (max < 0 || max > 65535)
|
|
+ {
|
|
+ *errorptr = ERR5;
|
|
+ return p;
|
|
+ }
|
|
if (max < min)
|
|
{
|
|
*errorptr = ERR4;
|
|
@@ -1063,16 +1079,11 @@ if (*p == '}') max = min; else
|
|
}
|
|
}
|
|
|
|
-/* Do paranoid checks, then fill in the required variables, and pass back the
|
|
-pointer to the terminating '}'. */
|
|
+/* Fill in the required variables, and pass back the pointer to the terminating
|
|
+'}'. */
|
|
|
|
-if (min > 65535 || max > 65535)
|
|
- *errorptr = ERR5;
|
|
-else
|
|
- {
|
|
- *minp = min;
|
|
- *maxp = max;
|
|
- }
|
|
+*minp = min;
|
|
+*maxp = max;
|
|
return p;
|
|
}
|
|
|