Commit 43eef597 authored by ggaren's avatar ggaren

Reviewed By Maciej.

        Darin already reviewed this change on the branch. See <rdar://problem/4317701>.
        
        - Fixed <rdar://problem/4291345> PCRE overflow in Safari JavaScriptCore

        No test case because there's no behavior change.
        
        * pcre/pcre_compile.c:
        (read_repeat_counts): Check for integer overflow / out of bounds



git-svn-id: http://svn.webkit.org/repository/webkit/trunk@14736 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 27b705a1
2006-06-05 Geoffrey Garen <ggaren@apple.com>
Reviewed By Maciej.
Darin already reviewed this change on the branch. See <rdar://problem/4317701>.
- Fixed <rdar://problem/4291345> PCRE overflow in Safari JavaScriptCore
No test case because there's no behavior change.
* pcre/pcre_compile.c:
(read_repeat_counts): Check for integer overflow / out of bounds
2006-06-05 Geoffrey Garen <ggaren@apple.com>
Reviewed by aliu.
......
......@@ -229,23 +229,6 @@
E195679909E7CF1200B89D13 /* UnicodeCategory.h in Headers */ = {isa = PBXBuildFile; fileRef = E195679509E7CF1200B89D13 /* UnicodeCategory.h */; };
/* End PBXBuildFile section */
/* Begin PBXBuildStyle section */
1442B6C20A24D53E00AE84F6 /* Development */ = {
isa = PBXBuildStyle;
buildSettings = {
COPY_PHASE_STRIP = NO;
};
name = Development;
};
1442B6C30A24D53E00AE84F6 /* Deployment */ = {
isa = PBXBuildStyle;
buildSettings = {
COPY_PHASE_STRIP = YES;
};
name = Deployment;
};
/* End PBXBuildStyle section */
/* Begin PBXContainerItemProxy section */
65FB3F7D09D11EF300F49DEB /* PBXContainerItemProxy */ = {
isa = PBXContainerItemProxy;
......@@ -999,12 +982,6 @@
0867D690FE84028FC02AAC07 /* Project object */ = {
isa = PBXProject;
buildConfigurationList = 149C277108902AFE008A9EFC /* Build configuration list for PBXProject "JavaScriptCore" */;
buildSettings = {
};
buildStyles = (
1442B6C20A24D53E00AE84F6 /* Development */,
1442B6C30A24D53E00AE84F6 /* Deployment */,
);
hasScannedForEncodings = 1;
mainGroup = 0867D691FE84028FC02AAC07 /* JavaScriptCore */;
productRefGroup = 034768DFFF38A50411DB9C8B /* Products */;
......
......@@ -718,6 +718,11 @@ int min = 0;
int max = -1;
while ((DIGITAB(*p) & ctype_digit) != 0) min = min * 10 + *p++ - '0';
if (min < 0 || min > 65535)
{
*errorcodeptr = ERR5;
return p;
}
if (*p == '}') max = min; else
{
......@@ -725,6 +730,11 @@ if (*p == '}') max = min; else
{
max = 0;
while((DIGITAB(*p) & ctype_digit) != 0) max = max * 10 + *p++ - '0';
if (max < 0 || max > 65535)
{
*errorcodeptr = ERR5;
return p;
}
if (max < min)
{
*errorcodeptr = ERR4;
......@@ -733,16 +743,10 @@ if (*p == '}') max = min; else
}
}
/* Do paranoid checks, then fill in the required variables, and pass back the
pointer to the terminating '}'. */
/* Fill in the required variables, and pass back the pointer to the terminating '}'. */
*minp = min;
*maxp = max;
if (min > 65535 || max > 65535)
*errorcodeptr = ERR5;
else
{
*minp = min;
*maxp = max;
}
return p;
}
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment