Update of /cvsroot/python/python/dist/src/Modules In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv12325 Modified Files: Tag: release23-maint pypcre.c Log Message: Apply fix for potential heap overflow in PCRE code (CAN-2005-2491) Index: pypcre.c =================================================================== RCS file: /cvsroot/python/python/dist/src/Modules/Attic/pypcre.c,v retrieving revision 2.25.16.1 retrieving revision 2.25.16.2 diff -u -d -r2.25.16.1 -r2.25.16.2 --- pypcre.c 20 Oct 2003 14:34:47 -0000 2.25.16.1 +++ pypcre.c 31 Aug 2005 12:55:21 -0000 2.25.16.2 @@ -1163,7 +1163,18 @@ int min = 0; int max = -1; +/* Read the minimum value and do a paranoid check: a negative value indicates +an integer overflow. */ + while ((pcre_ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; +if (min < 0 || min > 65535) + { + *errorptr = ERR5; + return p; + } + +/* Read the maximum value if there is one, and again do a paranoid check +on its size. Also, max must not be less than min. */ if (*p == '}') max = min; else { @@ -1171,6 +1182,11 @@ { max = 0; while((pcre_ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; + if (max < 0 || max > 65535) + { + *errorptr = ERR5; + return p; + } if (max < min) { *errorptr = ERR4; @@ -1179,16 +1195,11 @@ } } -/* Do paranoid checks, then fill in the required variables, and pass back the -pointer to the terminating '}'. */ +/* Fill in the required variables, and pass back the pointer to the terminating +'}'. */ -if (min > 65535 || max > 65535) - *errorptr = ERR5; -else - { - *minp = min; - *maxp = max; - } +*minp = min; +*maxp = max; return p; }