Attachment #138282 for bug #198373




clever for #-comments. */

ptr = (const uschar *)(pattern - 1);
while (((c = *(++ptr)) != 0) && (length > 0) && (length <= 65535))
  {
  int min, max;
  int class_charcount;

      to do before the first copy if the minimum is zero. */

      if (minval == 0) length++;
        else if (minval > 1) 
        {
            size_t tmp = (minval - 1) * duplength;

            if (duplength != (tmp / (minval - 1)))
                goto PCRE_OVER_FLOW_ERROR_RETURN;
            length += tmp;
        }
      if (maxval > minval) 
      {
          size_t tmp = (maxval - minval) * (duplength + 1);

            if ((duplength + 1) != (tmp / (maxval - minval)))
                goto PCRE_OVER_FLOW_ERROR_RETURN;

          length += tmp;
      }
      }
    continue;


    }
  }

if ((length > 65535) || (length < 3))

if (length > 65539)
  {
  PCRE_OVER_FLOW_ERROR_RETURN:
  *errorptr = ERR20;
  return NULL;
  }

length += 4;    /* For final KET and END */

/* Compute the size of data block needed and get it, either from malloc or
externally provided function. We specify "code[0]" in the offsetof() expression
rather than just "code", because it has been reported that one broken compiler

Return to bug 198373

Lines 2318-2324 if an "extended" flag setting appears la Link Here

(-)Python-2.3.4-orig/Modules/pypcre.c (-6 / +22 lines)
2318	clever for #-comments. */	2318	clever for #-comments. */
2319		2319
2320	ptr = (const uschar *)(pattern - 1);	2320	ptr = (const uschar *)(pattern - 1);
2321	while ((c = *(++ptr)) != 0)	2321	while (((c = *(++ptr)) != 0) && (length > 0) && (length <= 65535))
2322	{	2322	{
2323	int min, max;	2323	int min, max;
2324	int class_charcount;	2324	int class_charcount;
Lines 2602-2609 while ((c = *(++ptr)) != 0) Link Here
2602	to do before the first copy if the minimum is zero. */	2602	to do before the first copy if the minimum is zero. */
2603		2603
2604	if (minval == 0) length++;	2604	if (minval == 0) length++;
2605	else if (minval > 1) length += (minval - 1) * duplength;	2605	else if (minval > 1)
2606	if (maxval > minval) length += (maxval - minval) * (duplength + 1);	2606	{
		2607	size_t tmp = (minval - 1) * duplength;
		2608
		2609	if (duplength != (tmp / (minval - 1)))
		2610	goto PCRE_OVER_FLOW_ERROR_RETURN;
		2611	length += tmp;
		2612	}
		2613	if (maxval > minval)
		2614	{
		2615	size_t tmp = (maxval - minval) * (duplength + 1);
		2616
		2617	if ((duplength + 1) != (tmp / (maxval - minval)))
		2618	goto PCRE_OVER_FLOW_ERROR_RETURN;
		2619
		2620	length += tmp;
		2621	}
2607	}	2622	}
2608	continue;	2623	continue;
2609		2624
Lines 2656-2669 while ((c = *(++ptr)) != 0) Link Here
2656	}	2671	}
2657	}	2672	}
2658		2673
2659	length += 4; /* For final KET and END */	2674	if ((length > 65535) \|\| (length < 3))
2660
2661	if (length > 65539)
2662	{	2675	{
		2676	PCRE_OVER_FLOW_ERROR_RETURN:
2663	*errorptr = ERR20;	2677	*errorptr = ERR20;
2664	return NULL;	2678	return NULL;
2665	}	2679	}
2666		2680
		2681	length += 4; /* For final KET and END */
		2682
2667	/* Compute the size of data block needed and get it, either from malloc or	2683	/* Compute the size of data block needed and get it, either from malloc or
2668	externally provided function. We specify "code[0]" in the offsetof() expression	2684	externally provided function. We specify "code[0]" in the offsetof() expression
2669	rather than just "code", because it has been reported that one broken compiler	2685	rather than just "code", because it has been reported that one broken compiler