Reviewed By Maciej.
authorggaren <ggaren@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 5 Jun 2006 22:12:48 +0000 (22:12 +0000)
committerggaren <ggaren@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
Mon, 5 Jun 2006 22:12:48 +0000 (22:12 +0000)
        Darin already reviewed this change on the branch. See <rdar://problem/4317701>.

        - Fixed <rdar://problem/4291345> PCRE overflow in Safari JavaScriptCore

        No test case because there's no behavior change.

        * pcre/pcre_compile.c:
        (read_repeat_counts): Check for integer overflow / out of bounds

git-svn-id: https://svn.webkit.org/repository/webkit/trunk@14736 268f45cc-cd09-0410-ab3c-d52691b4dbfc

JavaScriptCore/ChangeLog
JavaScriptCore/JavaScriptCore.xcodeproj/project.pbxproj
JavaScriptCore/pcre/pcre_compile.c

index 8af607c53b34c0334d0bbd7df3eb0d368f86c888..163bed0f4b1eb9d658900f37a6b3e5c53721e890 100644 (file)
@@ -1,3 +1,15 @@
+2006-06-05  Geoffrey Garen  <ggaren@apple.com>
+
+        Reviewed By Maciej.
+        Darin already reviewed this change on the branch. See <rdar://problem/4317701>.
+        
+        - Fixed <rdar://problem/4291345> PCRE overflow in Safari JavaScriptCore
+
+        No test case because there's no behavior change.
+        
+        * pcre/pcre_compile.c:
+        (read_repeat_counts): Check for integer overflow / out of bounds
+
 2006-06-05  Geoffrey Garen  <ggaren@apple.com>
 
         Reviewed by aliu.
index 803ec5feedcd79bb14bc565ebd54d2123db8097e..9a6306dad5810ec344be219d4230c95ac02c7a3f 100644 (file)
                E195679909E7CF1200B89D13 /* UnicodeCategory.h in Headers */ = {isa = PBXBuildFile; fileRef = E195679509E7CF1200B89D13 /* UnicodeCategory.h */; };
 /* End PBXBuildFile section */
 
-/* Begin PBXBuildStyle section */
-               1442B6C20A24D53E00AE84F6 /* Development */ = {
-                       isa = PBXBuildStyle;
-                       buildSettings = {
-                               COPY_PHASE_STRIP = NO;
-                       };
-                       name = Development;
-               };
-               1442B6C30A24D53E00AE84F6 /* Deployment */ = {
-                       isa = PBXBuildStyle;
-                       buildSettings = {
-                               COPY_PHASE_STRIP = YES;
-                       };
-                       name = Deployment;
-               };
-/* End PBXBuildStyle section */
-
 /* Begin PBXContainerItemProxy section */
                65FB3F7D09D11EF300F49DEB /* PBXContainerItemProxy */ = {
                        isa = PBXContainerItemProxy;
                0867D690FE84028FC02AAC07 /* Project object */ = {
                        isa = PBXProject;
                        buildConfigurationList = 149C277108902AFE008A9EFC /* Build configuration list for PBXProject "JavaScriptCore" */;
-                       buildSettings = {
-                       };
-                       buildStyles = (
-                               1442B6C20A24D53E00AE84F6 /* Development */,
-                               1442B6C30A24D53E00AE84F6 /* Deployment */,
-                       );
                        hasScannedForEncodings = 1;
                        mainGroup = 0867D691FE84028FC02AAC07 /* JavaScriptCore */;
                        productRefGroup = 034768DFFF38A50411DB9C8B /* Products */;
index c30b23c0d42b0ca05ea34594c1f5767f938235b9..98b484e90fd12a4c3fdd731ca968e1e82e4cbb0e 100644 (file)
@@ -718,6 +718,11 @@ int min = 0;
 int max = -1;
 
 while ((DIGITAB(*p) & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+    *errorcodeptr = ERR5;
+    return p;
+  }
 
 if (*p == '}') max = min; else
   {
@@ -725,6 +730,11 @@ if (*p == '}') max = min; else
     {
     max = 0;
     while((DIGITAB(*p) & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+    {
+        *errorcodeptr = ERR5;
+        return p;
+    }
     if (max < min)
       {
       *errorcodeptr = ERR4;
@@ -733,16 +743,10 @@ if (*p == '}') max = min; else
     }
   }
 
-/* Do paranoid checks, then fill in the required variables, and pass back the
-pointer to the terminating '}'. */
+/* Fill in the required variables, and pass back the pointer to the terminating '}'. */
+*minp = min;
+*maxp = max;
 
-if (min > 65535 || max > 65535)
-  *errorcodeptr = ERR5;
-else
-  {
-  *minp = min;
-  *maxp = max;
-  }
 return p;
 }