perl/perl-regexp-refoverflow.diff

39 lines
1.4 KiB
Diff
Raw Normal View History

--- ./regcomp.c.orig 2013-05-10 02:30:48.000000000 +0000
+++ ./regcomp.c 2013-06-06 13:04:19.000000000 +0000
@@ -8998,7 +8998,7 @@ S_reg(pTHX_ RExC_state_t *pRExC_state, I
ret = reganode(pRExC_state, GOSUB, num);
if (!SIZE_ONLY) {
- if (num > (I32)RExC_rx->nparens) {
+ if (num < 0 || num > (I32)RExC_rx->nparens) {
RExC_parse++;
vFAIL("Reference to nonexistent group");
}
@@ -10654,7 +10654,7 @@ tryagain:
if (num < 1)
vFAIL("Reference to nonexistent or unclosed group");
}
- if (!isg && num > 9 && num >= RExC_npar)
+ if (!isg && (num < 0 || (num > 9 && num >= RExC_npar)))
/* Probably a character specified in octal, e.g. \35 */
goto defchar;
else {
@@ -10669,7 +10669,7 @@ tryagain:
RExC_parse++;
}
if (!SIZE_ONLY) {
- if (num > (I32)RExC_rx->nparens)
+ if (num < 0 || num > (I32)RExC_rx->nparens)
vFAIL("Reference to nonexistent group");
}
RExC_sawback = 1;
@@ -10934,7 +10934,7 @@ tryagain:
case '0': case '1': case '2': case '3':case '4':
case '5': case '6': case '7':
if (*p == '0' ||
- (isDIGIT(p[1]) && atoi(p) >= RExC_npar))
+ (isDIGIT(p[1]) && (U32)atoi(p) >= (U32)RExC_npar))
{
I32 flags = PERL_SCAN_SILENT_ILLDIGIT;
STRLEN numlen = 3;