You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by jo...@apache.org on 2005/08/19 17:56:39 UTC

svn commit: r233493 - in /httpd/httpd/trunk: CHANGES srclib/pcre/pcre.c

Author: jorton
Date: Fri Aug 19 08:56:36 2005
New Revision: 233493

URL: http://svn.apache.org/viewcvs?rev=233493&view=rev
Log:
Backport patch from pcre 6.2 to fix integer overflows in quantifier
parsing:

* srclib/pcre/pcre.c (read_repeat_counts): Check for integer overflow.

Obtained from: pcre 6.2 upstream

Modified:
    httpd/httpd/trunk/CHANGES
    httpd/httpd/trunk/srclib/pcre/pcre.c

Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/CHANGES?rev=233493&r1=233492&r2=233493&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Fri Aug 19 08:56:36 2005
@@ -1,6 +1,11 @@
                                                         -*- coding: utf-8 -*-
 Changes with Apache 2.3.0
 
+  *) SECURITY: CAN-2005-2491 (cve.mitre.org): 
+     Fix integer overflows in PCRE in quantifier parsing which could
+     be triggered by a local user through use of a carefully-crafted 
+     regex in an .htaccess file.  [Philip Hazel]
+
   *) mod_proxy/mod_proxy_balancer: Provide a simple, functional
      interface to add additional balancer lb selection methods
      without requiring code changes to mod_proxy/mod_proxy_balancer;

Modified: httpd/httpd/trunk/srclib/pcre/pcre.c
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/srclib/pcre/pcre.c?rev=233493&r1=233492&r2=233493&view=diff
==============================================================================
--- httpd/httpd/trunk/srclib/pcre/pcre.c (original)
+++ httpd/httpd/trunk/srclib/pcre/pcre.c Fri Aug 19 08:56:36 2005
@@ -1247,7 +1247,18 @@
 int min = 0;
 int max = -1;
 
+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+  *errorptr = ERR5;
+  return p;
+  }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */
 
 if (*p == '}') max = min; else
   {
@@ -1255,6 +1266,11 @@
     {
     max = 0;
     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+      {
+      *errorptr = ERR5;
+      return p;
+      }
     if (max < min)
       {
       *errorptr = ERR4;
@@ -1263,16 +1279,11 @@
     }
   }
 
-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating
+'}'. */
 
-if (min > 65535 || max > 65535)
-  *errorptr = ERR5;
-else
-  {
-  *minp = min;
-  *maxp = max;
-  }
+*minp = min;
+*maxp = max;
 return p;
 }