perl/perl-regexp-refoverflow.diff

39 lines
1.5 KiB
Diff
Raw Normal View History

--- ./regcomp.c.orig 2009-07-27 21:37:52.000000000 +0000
+++ ./regcomp.c 2009-09-03 14:36:50.000000000 +0000
@@ -5787,7 +5787,7 @@ S_reg(pTHX_ RExC_state_t *pRExC_state, I
ret = reganode(pRExC_state, GOSUB, num);
if (!SIZE_ONLY) {
- if (num > (I32)RExC_rx->nparens) {
+ if (num < 0 || num > (I32)RExC_rx->nparens) {
RExC_parse++;
vFAIL("Reference to nonexistent group");
}
@@ -7234,7 +7234,7 @@ tryagain:
if (num < 1)
vFAIL("Reference to nonexistent or unclosed group");
}
- if (!isg && num > 9 && num >= RExC_npar)
+ if (!isg && (num < 0 || (num > 9 && num >= RExC_npar)))
goto defchar;
else {
char * const parse_start = RExC_parse - 1; /* MJD */
@@ -7248,7 +7248,7 @@ tryagain:
RExC_parse++;
}
if (!SIZE_ONLY) {
- if (num > (I32)RExC_rx->nparens)
+ if (num < 0 || num > (I32)RExC_rx->nparens)
vFAIL("Reference to nonexistent group");
}
RExC_sawback = 1;
@@ -7425,7 +7425,7 @@ tryagain:
case '0': case '1': case '2': case '3':case '4':
case '5': case '6': case '7': case '8':case '9':
if (*p == '0' ||
- (isDIGIT(p[1]) && atoi(p) >= RExC_npar) ) {
+ (isDIGIT(p[1]) && (U32)atoi(p) >= (U32)RExC_npar) ) {
I32 flags = 0;
STRLEN numlen = 3;
ender = grok_oct(p, &numlen, &flags, NULL);