From: Fabian Keil <fk@fabiankeil.de>
Date: Sun, 8 May 2016 10:48:09 +0000 (+0000)
Subject: pcre: Improve sanity check in read_repeat_counts()
X-Git-Tag: v_3_0_25~34
X-Git-Url: http://www.privoxy.org/gitweb/%22https:/developer-manual/static/@default-cgi@edit-actions-list?a=commitdiff_plain;h=00e2e09741f51b625dc4c67e7d0090241871c940;p=privoxy.git

pcre: Improve sanity check in read_repeat_counts()

While it supposedly was 'paranoid' already, it actually
missed most of the invalid values which could cause buffer
overflows later on.

Found with afl-fuzz and ASAN.
Not considered a security issue as the input is trusted.
---

diff --git a/pcre/pcre.c b/pcre/pcre.c
index 5824040c..4f8f82cd 100644
--- a/pcre/pcre.c
+++ b/pcre/pcre.c
@@ -730,7 +730,7 @@ if (*p == '}') max = min; else
 /* Do paranoid checks, then fill in the required variables, and pass back the
 pointer to the terminating '}'. */
 
-if (min > 65535 || max > 65535)
+if (min < 0 || min > 65535 || max < -1 || max > 65535)
   *errorptr = ERR5;
 else
   {
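Review bot: The two lower bounds on the changed line differ (`min < 0` but `max < -1`), and the comment above still says only "paranoid checks", so a reader cannot tell that -1 is deliberately accepted for max while it is rejected for min. Suggest extending that comment to say what max == -1 stands for, and that negative values are rejected because they slipped past the old `> 65535` test. Replacing the literal 65535 with a named constant would also keep the two upper bounds from drifting apart.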