Comment 24 for bug 20215

In , Martin Pitt (pitti) wrote : PCRE3: CAN-2005-2491 for oldstable

Hi!

Since I have to fix apache2 2.0.50 for Ubuntu, which still has an
embedded pcre 3.x, I also took a look at the woody version. I took a
look at the code and played with the test suite, and it seems to me
that the capture part works ok; just the integer underflow must be
fixed:

--- pcre.c
+++ pcre.c
@@ -733,7 +733,7 @@
 /* Do paranoid checks, then fill in the required variables, and pass back the
 pointer to the terminating '}'. */

-if (min > 65535 || max > 65535)
+if (min < 0 || min > 65535 || max < 0 || max > 65535)
   *errorptr = ERR5;
 else
   {
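
Review bot: The new `min < 0` and `max < 0` tests on the changed line only catch a count after it has already wrapped negative, so they rely on the digit accumulation above this hunk (not visible here) overflowing into a negative value and never wrapping further back into the 0..65535 range. Signed overflow is undefined behaviour in C, so it would be more robust to reject the count while the digits are being read, as soon as it exceeds 65535, rather than testing the sign afterwards. If the check stays here, the "paranoid checks" comment should say that a negative value means the parsed count overflowed, and a regression pattern with an oversized repeat count should go into the test suite.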

However, it would be nice to have a second pair of eyes to confirm
that this version is not vulnerable to the capturing overflow.

Thanks,

Martin
--
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org