Apply fix for potential heap overflow in PCRE code (CAN-2005-2491)

88a8fca5 · Andrew M. Kuchling · bf1da703 · 88a8fca5
Kaydet (Commit) 88a8fca5 authored Agu 31, 2005 tarafından Andrew M. Kuchling
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 9 deletions

pypcre.c Modules/pypcre.c +20 -9

No files found.
--- a/Modules/pypcre.c
+++ b/Modules/pypcre.c
@@ -1163,7 +1163,18 @@ read_repeat_counts(const uschar *p, int *minp, int *maxp, const char **errorptr)
 int min = 0;
 int max = -1;
+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
 while ((pcre_ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+  *errorptr = ERR5;
+  return p;
+  }
+/* Read the maximum value if there is one, and again do a paranoid check 
+on its size.  Also, max must not be less than min. */
 if (*p == '}') max = min; else
  {
@@ -1171,6 +1182,11 @@ if (*p == '}') max = min; else
    {
    max = 0;
    while((pcre_ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+      {
+      *errorptr = ERR5;
+      return p;
+      }
    if (max < min)
      {
      *errorptr = ERR4;
@@ -1179,16 +1195,11 @@ if (*p == '}') max = min; else
    }
  }
-/* Do paranoid checks, then fill in the required variables, and pass back the
+/* Fill in the required variables, and pass back the pointer to the terminating
-pointer to the terminating '}'. */
+'}'. */
-if (min > 65535 || max > 65535)
+*minp = min;
-  *errorptr = ERR5;
+*maxp = max;
-else
-  {
-  *minp = min;
-  *maxp = max;
-  }
 return p;
 }