author | Matthew Vernon <matthew@debian.org> | 2020-06-18 19:32:51 +0100 |
---|---|---|
committer | Matthew Vernon <matthew@debian.org> | 2020-06-18 19:32:51 +0100 |
commit | 7b88c83f87391950756256072f886a08c44ed78f (patch) | |
tree | 67786a8c81e26d1f535af8228fbf1d4629fb7652 | |
parent | 2ff8807d4569f246376ced2ece2e36878fc99acb (diff) |
upstream patch fixing CVE-2020-14155
This checks the size of the number after (?C as it is read, in order
to avoid integer overflow.
-rw-r--r-- | pcre_compile.c | 12 |
1 files changed, 7 insertions, 5 deletions
diff --git a/pcre_compile.c b/pcre_compile.c
index 7cd3950..c742227 100644
--- a/pcre_compile.c
+++ b/pcre_compile.c
@@ -7086,17 +7086,19 @@ for (;; ptr++)
 int n = 0;
 ptr++;
 while(IS_DIGIT(*ptr))
+ {
 n = n * 10 + *ptr++ - CHAR_0;
+ if (n > 255)
+ {
+ *errorcodeptr = ERR38;
+ goto FAILED;
+ }
+ }
 if (*ptr != CHAR_RIGHT_PARENTHESIS)
 {
 *errorcodeptr = ERR39;
 goto FAILED;
 }
- if (n > 255)
- {
- *errorcodeptr = ERR38;
- goto FAILED;
- }
 *code++ = n;
 PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
 PUT(code, LINK_SIZE, 0); /* Default length */ |
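Review bot: The range check that now sits inside the `while(IS_DIGIT(*ptr))` loop carries no comment saying why it must stay there, so a later tidy-up could hoist it back below the loop and reintroduce the signed overflow in `n = n * 10 + *ptr++ - CHAR_0`. I would add `/* Check on every digit: n must be <= 255 before the next multiply, otherwise a long digit string overflows int */` directly above the new `if (n > 255)`. A side effect to be aware of is that an over-large number not followed by `)` now reports ERR38 rather than ERR39, because the range check runs before the parenthesis check. The diffstat lists only pcre_compile.c, so no regression test for an over-long callout number comes with this change; the enclosing block starts and ends outside the hunk.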