perl/perl-regexp-refoverflow.diff

39 lines
1.5 KiB
Diff

--- regcomp.c.orig 2010-02-28 20:12:22.000000000 +0000
+++ regcomp.c 2010-03-23 15:38:55.000000000 +0000
@@ -5818,7 +5818,7 @@ S_reg(pTHX_ RExC_state_t *pRExC_state, I
ret = reganode(pRExC_state, GOSUB, num);
if (!SIZE_ONLY) {
- if (num > (I32)RExC_rx->nparens) {
+ if (num < 0 || num > (I32)RExC_rx->nparens) {
RExC_parse++;
vFAIL("Reference to nonexistent group");
}
@@ -7260,7 +7260,7 @@ tryagain:
if (num < 1)
vFAIL("Reference to nonexistent or unclosed group");
}
- if (!isg && num > 9 && num >= RExC_npar)
+ if (!isg && (num < 0 || (num > 9 && num >= RExC_npar)))
goto defchar;
else {
char * const parse_start = RExC_parse - 1; /* MJD */
@@ -7274,7 +7274,7 @@ tryagain:
RExC_parse++;
}
if (!SIZE_ONLY) {
- if (num > (I32)RExC_rx->nparens)
+ if (num < 0 || num > (I32)RExC_rx->nparens)
vFAIL("Reference to nonexistent group");
}
RExC_sawback = 1;
@@ -7451,7 +7451,7 @@ tryagain:
case '0': case '1': case '2': case '3':case '4':
case '5': case '6': case '7': case '8':case '9':
if (*p == '0' ||
- (isDIGIT(p[1]) && atoi(p) >= RExC_npar) ) {
+ (isDIGIT(p[1]) && (U32)atoi(p) >= (U32)RExC_npar) ) {
I32 flags = 0;
STRLEN numlen = 3;
ender = grok_oct(p, &numlen, &flags, NULL);