From: Joe Orton Date: Wed, 21 Sep 2005 08:51:11 +0000 (+0000) Subject: Merge r233493 from trunk: X-Git-Tag: 2.0.55~29 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=385c6a4d03818898fbb8c5b5303ee21a4116a17b;p=thirdparty%2Fapache%2Fhttpd.git Merge r233493 from trunk: * srclib/pcre/pcre.c (read_repeat_counts): Check for integer overflow. Obtained from: pcre 6.2 upstream Reviewed by: jorton, nd, wrowe git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.0.x@290658 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/CHANGES b/CHANGES index 696ad2afc8d..16fc6c14dd9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,6 +1,11 @@ -*- coding: utf-8 -*- Changes with Apache 2.0.55 + *) SECURITY: CAN-2005-2491 (cve.mitre.org): + Fix integer overflows in PCRE in quantifier parsing which could + be triggered by a local user through use of a carefully-crafted + regex in an .htaccess file. [Philip Hazel] + *) SECURITY: CAN-2005-2088 (cve.mitre.org) proxy: Correctly handle the Transfer-Encoding and Content-Length headers. Discard the request Content-Length whenever T-E: chunked diff --git a/STATUS b/STATUS index 8964f61ae6b..a67d54ec30b 100644 --- a/STATUS +++ b/STATUS @@ -171,12 +171,6 @@ PATCHES ACCEPTED TO BACKPORT FROM TRUNK: +1: pquerna, nd, wrowe Votes from before the integration branch: +1: jerenkrantz - *) Fix CAN-2005-2491, integer overflow in pcre. - http://svn.apache.org/viewcvs?rev=233493&view=rev - rediff for 2.0: http://people.apache.org/~jorton/CAN-2005-2491.patch - test case: perl-framework/t/security/CAN-2005-2491.t - +1: jorton, nd, wrowe - PATCHES PROPOSED TO BACKPORT FROM TRUNK: [ please place SVN revisions from trunk here, so it is easy to identify exactly what the proposed changes are! Add all new diff --git a/srclib/pcre/pcre.c b/srclib/pcre/pcre.c index ad3ddc7c573..56e1b106498 100644 --- a/srclib/pcre/pcre.c +++ b/srclib/pcre/pcre.c 
@@ -714,7 +714,18 @@ read_repeat_counts(const uschar *p, int *minp, int *maxp, int min = 0; int max = -1; +/* Read the minimum value and do a paranoid check: a negative value indicates +an integer overflow. */ + while ((cd->ctypes[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; +if (min < 0 || min > 65535) + { + *errorptr = ERR5; + return p; + } + +/* Read the maximum value if there is one, and again do a paranoid on its size. +Also, max must not be less than min. */ if (*p == '}') max = min; else { @@ -722,6 +733,11 @@ if (*p == '}') max = min; else { max = 0; while((cd->ctypes[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; + if (max < 0 || max > 65535) + { + *errorptr = ERR5; + return p; + } if (max < min) { *errorptr = ERR4; @@ -730,16 +746,11 @@ if (*p == '}') max = min; else } } -/* Do paranoid checks, then fill in the required variables, and pass back the -pointer to the terminating '}'. */ +/* Fill in the required variables, and pass back the pointer to the terminating +'}'. */ -if (min > 65535 || max > 65535) - *errorptr = ERR5; -else - { - *minp = min; - *maxp = max; - } +*minp = min; +*maxp = max; return p; }
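Review bot: In the first srclib/pcre/pcre.c hunk (read_repeat_counts, @@ -714), the `min < 0 || min > 65535` test runs only after the digit loop has consumed every digit, so `min = min * 10 + *p++ - '0'` can still overflow before anything is checked. Signed overflow is undefined behaviour in C, and where a 32-bit int wraps, a count such as 4294967296 comes back to 0 and passes both conditions. Suggest moving the bound test into the loop body so parsing stops with ERR5 as soon as the value exceeds 65535; the `max` loop in the following hunk has the same shape and needs the same change. Separately, the new comment reads "do a paranoid on its size", which is missing the word "check".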
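Review bot: In the last srclib/pcre/pcre.c hunk (@@ -730), the rewritten comment still says the function passes back the pointer to the terminating '}', but the ERR5 paths added in the earlier hunks do `return p;` immediately after the digit loop, before `*minp` and `*maxp` are written. Suggest extending the comment to say that on error the outputs are left unset and the returned pointer is not at the '}', so callers must test `*errorptr` before using either.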