From: Fabian Keil Date: Sun, 8 May 2016 10:48:09 +0000 (+0000) Subject: pcre: Improve sanity check in read_repeat_counts() X-Git-Tag: v_3_0_25~34 X-Git-Url: http://www.privoxy.org/gitweb/%22https:/developer-manual/faq/user-manual/static?a=commitdiff_plain;h=00e2e09741f51b625dc4c67e7d0090241871c940;p=privoxy.git pcre: Improve sanity check in read_repeat_counts() While it supposedly was 'paranoid' already, it actually missed most of the invalid values which could cause buffer overflows later on. Found with afl-fuzz and ASAN. Not considered a security issue as the input is trusted. --- diff --git a/pcre/pcre.c b/pcre/pcre.c index 5824040c..4f8f82cd 100644 --- a/pcre/pcre.c +++ b/pcre/pcre.c @@ -730,7 +730,7 @@ if (*p == '}') max = min; else /* Do paranoid checks, then fill in the required variables, and pass back the pointer to the terminating '}'. */ -if (min > 65535 || max > 65535) +if (min < 0 || min > 65535 || max < -1 || max > 65535) *errorptr = ERR5; else {