Changeset 14736 in webkit for trunk/JavaScriptCore/pcre/pcre_compile.c

Timestamp:

Jun 5, 2006, 3:12:48 PM (19 years ago)

Author:

ggaren

Message:

Reviewed By Maciej.
Darin already reviewed this change on the branch. See <rdar://problem/4317701>.

• Fixed <rdar://problem/4291345> PCRE overflow in Safari JavaScriptCore

No test case because there's no behavior change.

• pcre/pcre_compile.c: (read_repeat_counts): Check for integer overflow / out of bounds

File:

• trunk/JavaScriptCore/pcre/pcre_compile.c (modified) (3 diffs)

trunk/JavaScriptCore/pcre/pcre_compile.c

@@ -719 +719 @@
 
 while ((DIGITAB(*p) & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+    *errorcodeptr = ERR5;
+    return p;
+  }
 
 if (*p == '}') max = min; else
@@ -726 +731 @@
     max = 0;
     while((DIGITAB(*p) & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+    {
+        *errorcodeptr = ERR5;
+        return p;
+    }
     if (max < min)
       {
@@ -734 +744 @@
   }
 
-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
-
-if (min > 65535 || max > 65535)
-  *errorcodeptr = ERR5;
-else
-  {
-  *minp = min;
-  *maxp = max;
-  }
+/* Fill in the required variables, and pass back the pointer to the terminating '}'. */
+*minp = min;
+*maxp = max;
+
 return p;
 }