[webkit-changes] cvs commit: JavaScriptCore/pcre pcre.c

Timothy thatcher at opensource.apple.com
Fri Nov 4 16:02:55 PST 2005


thatcher    05/11/04 16:02:54

  Modified:    .        Tag: Safari-1-3-branch ChangeLog
               pcre     Tag: Safari-1-3-branch pcre.c
  Log:
          Merging fix from Ti-2005-009-branch to Safari-1-3-branch
  
      2005-11-04  Geoffrey Garen  <ggaren at apple.com>
  
          Reviewed by darin.
  
          - Fixed <rdar://problem/4317701> *SecUpd: Tiger* PCRE heap overflow
            in Safari JavaScriptCore
  
          * pcre/pcre.c:
          (read_repeat_counts): We now return an error for negative repeat counts
          in regular expressions. This matches Firefox exactly, and Win IE by
          effect (Win IE doesn't return an error, but it does refuse to match
          anything).
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.677.4.4 +17 -0     JavaScriptCore/ChangeLog
  
  Index: ChangeLog
  ===================================================================
  RCS file: /cvs/root/JavaScriptCore/ChangeLog,v
  retrieving revision 1.677.4.3
  retrieving revision 1.677.4.4
  diff -u -r1.677.4.3 -r1.677.4.4
  --- ChangeLog	13 Jul 2005 22:50:16 -0000	1.677.4.3
  +++ ChangeLog	5 Nov 2005 00:02:49 -0000	1.677.4.4
  @@ -1,3 +1,20 @@
  +2005-11-4  Timothy Hatcher  <timothy at apple.com>
  +
  +        Merging fix from Ti-2005-009-branch to Safari-1-3-branch
  +
  +    2005-11-04  Geoffrey Garen  <ggaren at apple.com>
  +
  +        Reviewed by darin.
  +
  +        - Fixed <rdar://problem/4317701> *SecUpd: Tiger* PCRE heap overflow 
  +          in Safari JavaScriptCore
  +
  +        * pcre/pcre.c:
  +        (read_repeat_counts): We now return an error for negative repeat counts
  +        in regular expressions. This matches Firefox exactly, and Win IE by 
  +        effect (Win IE doesn't return an error, but it does refuse to match 
  +        anything).
  +
   === JavaScriptCore-312.1 ===
   
   2005-07-12  Adele Peterson  <adele at apple.com>
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.3.10.2  +15 -9     JavaScriptCore/pcre/Attic/pcre.c
  
  Index: pcre.c
  ===================================================================
  RCS file: /cvs/root/JavaScriptCore/pcre/Attic/pcre.c,v
  retrieving revision 1.3.10.1
  retrieving revision 1.3.10.2
  diff -u -r1.3.10.1 -r1.3.10.2
  --- pcre.c	12 Jul 2005 16:23:33 -0000	1.3.10.1
  +++ pcre.c	5 Nov 2005 00:02:53 -0000	1.3.10.2
  @@ -771,6 +771,11 @@
   int max = -1;
   
   while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
  +if (min < 0 || min > 65535)
  +  {
  +  *errorptr = ERR5;
  +  return p;
  +  }
   
   if (*p == '}') max = min; else
     {
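Review bot: The added `min < 0 || min > 65535` test runs only after the digit loop has finished, so a long digit string still overflows the signed `int` in `min = min * 10 + *p++ - '0'` before anything is rejected. That overflow is undefined behaviour in C, and where it wraps the value can land back inside 0..65535 and be accepted as a valid repeat count. Checking the bound inside the loop stops accumulation at the first value above 65535 and makes the `< 0` test unnecessary; the `max` loop in the following hunk (at -778) needs the same treatment. With that change the error path returns `p` from inside the digit run rather than after it, which should be harmless if callers test `*errorptr` first, but that is worth confirming. The function (read_repeat_counts, per the ChangeLog entry) starts and ends outside this hunk.

```c
while ((cd->ctypes[*p] & ctype_digit) != 0)
  {
  min = min * 10 + *p++ - '0';
  if (min > 65535)   /* reject before the next multiply can overflow */
    {
    *errorptr = ERR5;
    return p;
    }
  }
/* ... unchanged: '}' and ',' handling; same in-loop bound for the max loop ... */
```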
  @@ -778,6 +783,11 @@
       {
       max = 0;
       while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
  +    if (max < 0 || max > 65535)
  +      {
  +      *errorptr = ERR5;
  +      return p;
  +      }
       if (max < min)
         {
         *errorptr = ERR4;
  @@ -786,16 +796,12 @@
       }
     }
   
  -/* Do paranoid checks, then fill in the required variables, and pass back the
  -pointer to the terminating '}'. */
  +/* fill in the required variables, and pass back the pointer to the 
  +terminating '}'. */
  +
  +*minp = min;
  +*maxp = max;
   
  -if (min > 65535 || max > 65535)
  -  *errorptr = ERR5;
  -else
  -  {
  -  *minp = min;
  -  *maxp = max;
  -  }
   return p;
   }
   
  
  
  


