blob: 3bfa119f3b580ad974d908c08ea4bafdc4f2a406 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
|
pcre: Fix int overflow when parsing "?C<arg>" callout args.
Numerical args must be 0-255, so this shouldn't break correct usage.
--- a/pcre_compile.c 2020/02/10 17:01:27 1760
+++ b/pcre_compile.c 2020/02/10 17:17:34 1761
@@ -7130,17 +7130,19 @@
int n = 0;
ptr++;
while(IS_DIGIT(*ptr))
+ {
n = n * 10 + *ptr++ - CHAR_0;
+ if (n > 255)
+ {
+ *errorcodeptr = ERR38;
+ goto FAILED;
+ }
+ }
if (*ptr != CHAR_RIGHT_PARENTHESIS)
{
*errorcodeptr = ERR39;
goto FAILED;
}
- if (n > 255)
- {
- *errorcodeptr = ERR38;
- goto FAILED;
- }
*code++ = n;
PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
PUT(code, LINK_SIZE, 0); /* Default length */
|