[webkit-changes] cvs commit: JavaScriptCore/pcre pcre.c
Timothy
thatcher at opensource.apple.com
Thu Nov 10 09:36:36 PST 2005
thatcher 05/11/10 09:36:36
Modified: . Tag: Safari-2-0-branch ChangeLog
pcre Tag: Safari-2-0-branch pcre.c
Log:
Merges fixes from Ti-2005-009-branch to Safari-2-0-branch
2005-11-04 Geoffrey Garen <ggaren at apple.com>
Reviewed by darin.
- Fixed <rdar://problem/4317701> *SecUpd: Tiger* PCRE heap overflow
in Safari JavaScriptCore
* pcre/pcre.c:
(read_repeat_counts): We now return an error for negative repeat counts
in regular expressions. This matches Firefox exactly, and Win IE by
effect (Win IE doesn't return an error, but it does refuse to match
anything).
Revision Changes Path
No revision
No revision
1.677.6.53 +17 -0 JavaScriptCore/ChangeLog
Index: ChangeLog
===================================================================
RCS file: /cvs/root/JavaScriptCore/ChangeLog,v
retrieving revision 1.677.6.52
retrieving revision 1.677.6.53
diff -u -r1.677.6.52 -r1.677.6.53
--- ChangeLog 10 Nov 2005 17:26:32 -0000 1.677.6.52
+++ ChangeLog 10 Nov 2005 17:36:30 -0000 1.677.6.53
@@ -1,3 +1,20 @@
+2005-11-10 Timothy Hatcher <timothy at apple.com>
+
+ Merges fixes from Ti-2005-009-branch to Safari-2-0-branch
+
+ 2005-11-04 Geoffrey Garen <ggaren at apple.com>
+
+ Reviewed by darin.
+
+ - Fixed <rdar://problem/4317701> *SecUpd: Tiger* PCRE heap overflow
+ in Safari JavaScriptCore
+
+ * pcre/pcre.c:
+ (read_repeat_counts): We now return an error for negative repeat counts
+ in regular expressions. This matches Firefox exactly, and Win IE by
+ effect (Win IE doesn't return an error, but it does refuse to match
+ anything).
+
2005-11-04 Geoffrey Garen <ggaren at apple.com>
Reviewed by Darin.
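Review bot: The entry for read_repeat_counts says the function now rejects "negative repeat counts" but does not say how a count can become negative. The parser in pcre.c only consumes digit characters, so a negative value can only come from the accumulator overflowing on a very long count. Suggest wording the entry as rejecting repeat counts that overflow or exceed 65535, so the connection to the heap overflow named in the title is clear to someone reading the log later.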
No revision
No revision
1.3.12.4 +15 -9 JavaScriptCore/pcre/Attic/pcre.c
Index: pcre.c
===================================================================
RCS file: /cvs/root/JavaScriptCore/pcre/Attic/pcre.c,v
retrieving revision 1.3.12.3
retrieving revision 1.3.12.4
diff -u -r1.3.12.3 -r1.3.12.4
--- pcre.c 10 Nov 2005 17:26:36 -0000 1.3.12.3
+++ pcre.c 10 Nov 2005 17:36:34 -0000 1.3.12.4
@@ -771,6 +771,11 @@
int max = -1;
while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
if (*p == '}') max = min; else
{
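Review bot: The range check on min runs only after the digit loop has finished, so `min = min * 10 + *p++ - '0'` can still overflow while it accumulates a long digit string. If min is a signed int like max, that overflow is undefined behaviour in C, and a wrapped value is not guaranteed to be negative: it can land back inside 0..65535 and pass `if (min < 0 || min > 65535)`. Suggest testing the bound inside the loop and returning ERR5 as soon as the value exceeds 65535, which also makes the `min < 0` test unnecessary.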
@@ -778,6 +783,11 @@
{
max = 0;
while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+ if (max < 0 || max > 65535)
+ {
+ *errorptr = ERR5;
+ return p;
+ }
if (max < min)
{
*errorptr = ERR4;
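Review bot: The max check here is a copy of the min check in the previous hunk and has the same gap: the bound is tested after the `while` loop that accumulates max, so a long enough digit string can wrap past the negative range before `if (max < 0 || max > 65535)` sees it. The two reads are now identical apart from the variable, so a small helper that accumulates digits and stops with ERR5 once the value passes 65535 would fix both sites and keep them from drifting apart.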
@@ -786,16 +796,12 @@
}
}
-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* fill in the required variables, and pass back the pointer to the
+terminating '}'. */
+
+*minp = min;
+*maxp = max;
-if (min > 65535 || max > 65535)
- *errorptr = ERR5;
-else
- {
- *minp = min;
- *maxp = max;
- }
return p;
}
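Review bot: The assignments to `*minp` and `*maxp` are now unconditional, and their safety depends entirely on the early ERR5 returns added in the earlier hunks, yet the rewritten comment no longer mentions any validation. Suggest stating the invariant in the comment (min and max are both within 0..65535 at this point) so that a later edit to the early returns does not silently let unchecked values through. It is also worth documenting that `*minp` and `*maxp` are left unwritten on the ERR5 paths, so callers must test `*errorptr` before using them.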