65 lines
1.8 KiB
Diff
65 lines
1.8 KiB
Diff
From a05e11ff3a663c06e0a30dfa86aa7ed4544a6008 Mon Sep 17 00:00:00 2001
|
|
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
|
|
Date: Fri, 11 Apr 2014 13:41:13 +0200
|
|
Subject: [PATCH] Do not rely on wrapping signed integer while parseing
|
|
{min,max}
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
Signed integer overflow is not defined in C language. GCC 4.9 bails
|
|
out here.
|
|
|
|
Signed-off-by: Petr Písař <ppisar@redhat.com>
|
|
---
|
|
pcre_compile.c | 24 ++++++++++++++++--------
|
|
1 file changed, 16 insertions(+), 8 deletions(-)
|
|
|
|
diff --git a/pcre_compile.c b/pcre_compile.c
|
|
index 8a5b723..ce65058 100644
|
|
--- a/pcre_compile.c
|
|
+++ b/pcre_compile.c
|
|
@@ -1586,11 +1586,15 @@ int max = -1;
|
|
/* Read the minimum value and do a paranoid check: a negative value indicates
|
|
an integer overflow. */
|
|
|
|
-while (IS_DIGIT(*p)) min = min * 10 + (int)(*p++ - CHAR_0);
|
|
-if (min < 0 || min > 65535)
|
|
+while (IS_DIGIT(*p))
|
|
{
|
|
- *errorcodeptr = ERR5;
|
|
- return p;
|
|
+ min = min * 10 + (int)(*p++ - CHAR_0);
|
|
+ if (min > 65535)
|
|
+ {
|
|
+ *errorcodeptr = ERR5;
|
|
+ while (*p != CHAR_RIGHT_CURLY_BRACKET) p++;
|
|
+ return p;
|
|
+ }
|
|
}
|
|
|
|
/* Read the maximum value if there is one, and again do a paranoid on its size.
|
|
@@ -1601,11 +1605,15 @@ if (*p == CHAR_RIGHT_CURLY_BRACKET) max = min; else
|
|
if (*(++p) != CHAR_RIGHT_CURLY_BRACKET)
|
|
{
|
|
max = 0;
|
|
- while(IS_DIGIT(*p)) max = max * 10 + (int)(*p++ - CHAR_0);
|
|
- if (max < 0 || max > 65535)
|
|
+ while(IS_DIGIT(*p))
|
|
{
|
|
- *errorcodeptr = ERR5;
|
|
- return p;
|
|
+ max = max * 10 + (int)(*p++ - CHAR_0);
|
|
+ if (max > 65535)
|
|
+ {
|
|
+ *errorcodeptr = ERR5;
|
|
+ while (*p != CHAR_RIGHT_CURLY_BRACKET) p++;
|
|
+ return p;
|
|
+ }
|
|
}
|
|
if (max < min)
|
|
{
|
|
--
|
|
1.9.0
|
|
|