blob: 625708d7c21bf8c5da2b99cee9a8c1f72e7d2bb9 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From: Matthew Vernon <matthew@debian.org>
Date: Thu, 18 Jun 2020 19:32:51 +0100
X-Dgit-Generated: 2:8.39-13 7b88c83f87391950756256072f886a08c44ed78f
Subject: upstream patch fixing CVE-2020-14155
This checks the size of the number after (?C as it is read, in order
to avoid integer overflow.
---
--- pcre3-8.39.orig/pcre_compile.c
+++ pcre3-8.39/pcre_compile.c
@@ -7086,17 +7086,19 @@ for (;; ptr++)
int n = 0;
ptr++;
while(IS_DIGIT(*ptr))
+ {
n = n * 10 + *ptr++ - CHAR_0;
+ if (n > 255)
+ {
+ *errorcodeptr = ERR38;
+ goto FAILED;
+ }
+ }
if (*ptr != CHAR_RIGHT_PARENTHESIS)
{
*errorcodeptr = ERR39;
goto FAILED;
}
- if (n > 255)
- {
- *errorcodeptr = ERR38;
- goto FAILED;
- }
*code++ = n;
PUT(code, 0, (int)(ptr - cd->start_pattern + 1)); /* Pattern offset */
PUT(code, LINK_SIZE, 0); /* Default length */
|