pcre: Improve sanity check in read_repeat_counts()

While it supposedly was 'paranoid' already, it actually
missed most of the invalid values which could cause buffer
overflows later on.

Found with afl-fuzz and ASAN.
Not considered a security issue as the input is trusted.

diff --git a/pcre/pcre.c b/pcre/pcre.c
index 5824040..4f8f82c 100644 (file)
--- a/pcre/pcre.c
+++ b/pcre/pcre.c
@@ -730,7 +730,7 @@ if (*p == '}') max = min; else
 /* Do paranoid checks, then fill in the required variables, and pass back the
 pointer to the terminating '}'. */
 
-if (min > 65535 || max > 65535)
+if (min < 0 || min > 65535 || max < -1 || max > 65535)
   *errorptr = ERR5;
 else
   {