SOURCES: gnumeric-CAN-2005-2491.patch (NEW) - fix for heap overflo...

adamg adamg at pld-linux.org
Sun Sep 4 14:47:20 CEST 2005 

Author: adamg                        Date: Sun Sep  4 12:47:20 2005 GMT
Module: SOURCES                       Tag: HEAD
---- Log message:
- fix for heap overflow in the included PCRE library (CAN-2005-2491)
- release 5

---- Files affected:
SOURCES:
   gnumeric-CAN-2005-2491.patch (NONE -> 1.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/gnumeric-CAN-2005-2491.patch
diff -u /dev/null SOURCES/gnumeric-CAN-2005-2491.patch:1.1
--- /dev/null	Sun Sep  4 14:47:20 2005
+++ SOURCES/gnumeric-CAN-2005-2491.patch	Sun Sep  4 14:47:15 2005
@@ -0,0 +1,126 @@
+diff -NurdB gnumeric-1.4.3/src/cut-n-paste-code/goffice/cut-n-paste/pcre/pcre.c gnumeric-1.4.3-patched/src/cut-n-paste-code/goffice/cut-n-paste/pcre/pcre.c
+--- gnumeric-1.4.3/src/cut-n-paste-code/goffice/cut-n-paste/pcre/pcre.c	2004-10-29 13:13:19.000000000 -0500
++++ gnumeric-1.4.3-patched/src/cut-n-paste-code/goffice/cut-n-paste/pcre/pcre.c	2005-09-01 01:22:28.000000000 -0500
+@@ -1062,7 +1062,18 @@
+ int min = 0;
+ int max = -1;
+ 
++/* Read the minimum value and do a paranoid check: a negative value indicates
++an integer overflow. */
++
+ while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
++if (min < 0 || min > 65535)
++  {
++  *errorptr = ERR5;
++  return p;
++  }
++
++/* Read the maximum value if there is one, and again do a paranoid on its size.
++Also, max must not be less than min. */
+ 
+ if (*p == '}') max = min; else
+   {
+@@ -1070,6 +1081,11 @@
+     {
+     max = 0;
+     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
++    if (max < 0 || max > 65535)
++      {
++      *errorptr = ERR5;
++      return p;
++      }
+     if (max < min)
+       {
+       *errorptr = ERR4;
+@@ -1078,16 +1094,10 @@
+     }
+   }
+ 
+-/* Do paranoid checks, then fill in the required variables, and pass back the
+-pointer to the terminating '}'. */
++/* Fill in the required variables, and pass back the pointer to the terminating '}'. */
+ 
+-if (min > 65535 || max > 65535)
+-  *errorptr = ERR5;
+-else
+-  {
+-  *minp = min;
+-  *maxp = max;
+-  }
++*minp = min;
++*maxp = max;
+ return p;
+ }
+ 
+@@ -4128,6 +4138,7 @@
+ BOOL class_utf8;
+ #endif
+ BOOL inescq = FALSE;
++BOOL capturing;
+ unsigned int brastackptr = 0;
+ size_t size;
+ uschar *code;
+@@ -4543,6 +4554,7 @@
+     case '(':
+     branch_newextra = 0;
+     bracket_length = 1 + LINK_SIZE;
++    capturing = FALSE;
+ 
+     /* Handle special forms of bracket, which all start (? */
+ 
+@@ -4630,6 +4642,9 @@
+ 
+         case 'P':
+         ptr += 3;
++
++        /* Handle the definition of a named subpattern */
++
+         if (*ptr == '<')
+           {
+           const uschar *p;    /* Don't amalgamate; some compilers */
+@@ -4642,9 +4657,12 @@
+             }
+           name_count++;
+           if (ptr - p > max_name_size) max_name_size = (ptr - p);
++          capturing = TRUE;   /* Named parentheses are always capturing */
+           break;
+           }
+ 
++        /* Handle back references and recursive calls to named subpatterns */
++
+         if (*ptr == '=' || *ptr == '>')
+           {
+           while ((compile_block.ctypes[*(++ptr)] & ctype_word) != 0);
+@@ -4819,18 +4837,24 @@
+           continue;
+           }
+ 
+-        /* If options were terminated by ':' control comes here. Fall through
+-        to handle the group below. */
++        /* If options were terminated by ':' control comes here. This is a
++        non-capturing group with an options change. There is nothing more that
++        needs to be done because "capturing" is already set FALSE by default;
++        we can just fall through. */
++
+         }
+       }
+ 
+-    /* Extracting brackets must be counted so we can process escapes in a
+-    Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to
+-    need an additional 3 bytes of store per extracting bracket. However, if
+-    PCRE_NO_AUTO)CAPTURE is set, unadorned brackets become non-capturing, so we
+-    must leave the count alone (it will aways be zero). */
++    /* Ordinary parentheses, not followed by '?', are capturing unless
++    PCRE_NO_AUTO_CAPTURE is set. */
+ 
+-    else if ((options & PCRE_NO_AUTO_CAPTURE) == 0)
++    else capturing = (options & PCRE_NO_AUTO_CAPTURE) == 0;
++
++    /* Capturing brackets must be counted so we can process escapes in a
++    Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to need
++    an additional 3 bytes of memory per capturing bracket. */
++
++    if (capturing)
+       {
+       bracount++;
+       if (bracount > EXTRACT_BASIC_MAX) bracket_length += 3;
================================================================

More information about the pld-cvs-commit mailing list