From 00e2e09741f51b625dc4c67e7d0090241871c940 Mon Sep 17 00:00:00 2001 From: Fabian Keil Date: Sun, 8 May 2016 10:48:09 +0000 Subject: [PATCH] pcre: Improve sanity check in read_repeat_counts() While it supposedly was 'paranoid' already, it actually missed most of the invalid values which could cause buffer overflows later on. Found with afl-fuzz and ASAN. Not considered a security issue as the input is trusted. --- pcre/pcre.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pcre/pcre.c b/pcre/pcre.c index 5824040c..4f8f82cd 100644 --- a/pcre/pcre.c +++ b/pcre/pcre.c @@ -730,7 +730,7 @@ if (*p == '}') max = min; else /* Do paranoid checks, then fill in the required variables, and pass back the pointer to the terminating '}'. */ -if (min > 65535 || max > 65535) +if (min < 0 || min > 65535 || max < -1 || max > 65535) *errorptr = ERR5; else { -- 2.39.2
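Review bot: The new condition on the changed line accepts -1 for max (`max < -1`) but rejects any negative min, and neither the "Do paranoid checks" comment nor the commit message says why. If -1 is the sentinel for an open-ended repeat (an assumption, since the hunk does not show where max is assigned), state that in the comment so the asymmetry is not "corrected" by a later cleanup. The test also runs only after min and max have been computed. If the negative values found by afl-fuzz come from signed overflow while the digits are accumulated (that loop is not visible here), the overflow is undefined behaviour in C and a range test afterwards cannot be relied on to catch it, so consider bounding the value inside the digit loop as well. Nothing in the visible lines rejects max < min when max is not -1; confirm that case is handled elsewhere in read_repeat_counts().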