author | Joe Orton <jorton@apache.org> | 2005-08-19 15:56:36 +0000 |
---|---|---|
committer | Joe Orton <jorton@apache.org> | 2005-08-19 15:56:36 +0000 |
commit | 9fdf7c8ac42b917a150fe94d9bf8e00c24ef6973 (patch) | |
tree | 40a64298c242018315b67fe98bf871681843e56c /srclib | |
parent | 3b8fe8c738b6a3ea1356914dd1dce64bf52b879e (diff) | |
download | httpd-9fdf7c8ac42b917a150fe94d9bf8e00c24ef6973.tar.gz |
Backport patch from pcre 6.2 to fix integer overflows in quantifier
parsing:
* srclib/pcre/pcre.c (read_repeat_counts): Check for integer overflow.
Obtained from: pcre 6.2 upstream
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@233493 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'srclib')
-rw-r--r-- | srclib/pcre/pcre.c | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/srclib/pcre/pcre.c b/srclib/pcre/pcre.c index dc013faf02..4936323a3b 100644 --- a/srclib/pcre/pcre.c +++ b/srclib/pcre/pcre.c @@ -1247,7 +1247,18 @@ read_repeat_counts(const uschar *p, int *minp, int *maxp, const char **errorptr) int min = 0; int max = -1; +/* Read the minimum value and do a paranoid check: a negative value indicates +an integer overflow. */ + while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; +if (min < 0 || min > 65535) + { + *errorptr = ERR5; + return p; + } + +/* Read the maximum value if there is one, and again do a paranoid on its size. +Also, max must not be less than min. */ if (*p == '}') max = min; else { @@ -1255,6 +1266,11 @@ if (*p == '}') max = min; else { max = 0; while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; + if (max < 0 || max > 65535) + { + *errorptr = ERR5; + return p; + } if (max < min) { *errorptr = ERR4; @@ -1263,16 +1279,11 @@ if (*p == '}') max = min; else } } -/* Do paranoid checks, then fill in the required variables, and pass back the -pointer to the terminating '}'. */ +/* Fill in the required variables, and pass back the pointer to the terminating +'}'. */ -if (min > 65535 || max > 65535) - *errorptr = ERR5; -else - { - *minp = min; - *maxp = max; - } +*minp = min; +*maxp = max; return p; } |
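Review bot: The `min < 0` and `max < 0` tests added after the two digit loops (this hunk and the one at -1255) can only fire after `min * 10 + ...` has already overflowed a signed int, which is undefined behaviour in C. A compiler is allowed to assume that never happens and drop the negative test, and on hardware that wraps, a long enough digit string can wrap past negative back into 0..65535 and be accepted as a different count. Testing the bound inside each loop, before the next multiplication, removes the dependence on wraparound; with a 32-bit int the running value then never exceeds 655359. The function's opening lies outside the hunk, and how callers use the returned pointer on error is not visible here.

```c
while ((digitab[*p] & ctype_digit) != 0)
  {
  min = min * 10 + *p++ - '0';
  if (min > 65535)   /* stop before the next multiply can overflow */
    {
    *errorptr = ERR5;
    return p;
    }
  }
/* … unchanged: '}' test and the step past the comma … */
    while ((digitab[*p] & ctype_digit) != 0)
      {
      max = max * 10 + *p++ - '0';
      if (max > 65535)
        {
        *errorptr = ERR5;
        return p;
        }
      }
/* … unchanged: max < min check (ERR4) and the final stores … */
```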
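Review bot: The comment above the final stores in the last hunk does not say that `*minp` and `*maxp` are left unwritten on failure: the ERR5 paths return before the stores, and the ERR4 branch appears to as well, although its return is outside the visible lines. I would extend it to something like `/* All error paths have returned by now: *minp and *maxp are written only on success, so callers must test *errorptr before using them. */`. Whether the callers already do so cannot be confirmed from this diff.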