Line 0
Link Here
|
|
|
1 |
--- regparse.c.orig 2016-12-12 01:27:00 UTC |
2 |
+++ regparse.c |
3 |
@@ -3032,7 +3032,7 @@ fetch_token_in_cc(OnigToken* tok, UChar* |
4 |
} |
5 |
else if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_X_HEX2)) { |
6 |
num = scan_unsigned_hexadecimal_number(&p, end, 2, enc); |
7 |
- if (num < 0) return ONIGERR_TOO_BIG_NUMBER; |
8 |
+ if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER; |
9 |
if (p == prev) { /* can't read nothing. */ |
10 |
num = 0; /* but, it's not error */ |
11 |
} |
12 |
@@ -3048,7 +3048,7 @@ fetch_token_in_cc(OnigToken* tok, UChar* |
13 |
prev = p; |
14 |
if (IS_SYNTAX_OP2(syn, ONIG_SYN_OP2_ESC_U_HEX4)) { |
15 |
num = scan_unsigned_hexadecimal_number(&p, end, 4, enc); |
16 |
- if (num < 0) return ONIGERR_TOO_BIG_NUMBER; |
17 |
+ if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER; |
18 |
if (p == prev) { /* can't read nothing. */ |
19 |
num = 0; /* but, it's not error */ |
20 |
} |
21 |
@@ -3064,7 +3064,7 @@ fetch_token_in_cc(OnigToken* tok, UChar* |
22 |
PUNFETCH; |
23 |
prev = p; |
24 |
num = scan_unsigned_octal_number(&p, end, 3, enc); |
25 |
- if (num < 0) return ONIGERR_TOO_BIG_NUMBER; |
26 |
+ if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER; |
27 |
if (p == prev) { /* can't read nothing. */ |
28 |
num = 0; /* but, it's not error */ |
29 |
} |
30 |
@@ -3371,7 +3371,7 @@ fetch_token(OnigToken* tok, UChar** src, |
31 |
} |
32 |
else if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_X_HEX2)) { |
33 |
num = scan_unsigned_hexadecimal_number(&p, end, 2, enc); |
34 |
- if (num < 0) return ONIGERR_TOO_BIG_NUMBER; |
35 |
+ if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER; |
36 |
if (p == prev) { /* can't read nothing. */ |
37 |
num = 0; /* but, it's not error */ |
38 |
} |
39 |
@@ -3387,7 +3387,7 @@ fetch_token(OnigToken* tok, UChar** src, |
40 |
prev = p; |
41 |
if (IS_SYNTAX_OP2(syn, ONIG_SYN_OP2_ESC_U_HEX4)) { |
42 |
num = scan_unsigned_hexadecimal_number(&p, end, 4, enc); |
43 |
- if (num < 0) return ONIGERR_TOO_BIG_NUMBER; |
44 |
+ if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER; |
45 |
if (p == prev) { /* can't read nothing. */ |
46 |
num = 0; /* but, it's not error */ |
47 |
} |
48 |
@@ -3436,7 +3436,7 @@ fetch_token(OnigToken* tok, UChar** src, |
49 |
if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) { |
50 |
prev = p; |
51 |
num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc); |
52 |
- if (num < 0) return ONIGERR_TOO_BIG_NUMBER; |
53 |
+ if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER; |
54 |
if (p == prev) { /* can't read nothing. */ |
55 |
num = 0; /* but, it's not error */ |
56 |
} |
57 |
@@ -4060,15 +4060,19 @@ next_state_class(CClassNode* cc, OnigCod |
58 |
return ONIGERR_CHAR_CLASS_VALUE_AT_END_OF_RANGE; |
59 |
|
60 |
if (*state == CCS_VALUE && *type != CCV_CLASS) { |
61 |
- if (*type == CCV_SB) |
62 |
+ if (*type == CCV_SB) { |
63 |
+ if (*vs > 0xff) |
64 |
+ return ONIGERR_INVALID_CODE_POINT_VALUE; |
65 |
BITSET_SET_BIT(cc->bs, (int )(*vs)); |
66 |
+ } |
67 |
else if (*type == CCV_CODE_POINT) { |
68 |
r = add_code_range(&(cc->mbuf), env, *vs, *vs); |
69 |
if (r < 0) return r; |
70 |
} |
71 |
} |
72 |
|
73 |
- *state = CCS_VALUE; |
74 |
+ if (*state != CCS_START) |
75 |
+ *state = CCS_VALUE; |
76 |
*type = CCV_CLASS; |
77 |
return 0; |
78 |
} |
79 |
@@ -4083,8 +4087,11 @@ next_state_val(CClassNode* cc, OnigCodeP |
80 |
|
81 |
switch (*state) { |
82 |
case CCS_VALUE: |
83 |
- if (*type == CCV_SB) |
84 |
+ if (*type == CCV_SB) { |
85 |
+ if (*vs > 0xff) |
86 |
+ return ONIGERR_INVALID_CODE_POINT_VALUE; |
87 |
BITSET_SET_BIT(cc->bs, (int )(*vs)); |
88 |
+ } |
89 |
else if (*type == CCV_CODE_POINT) { |
90 |
r = add_code_range(&(cc->mbuf), env, *vs, *vs); |
91 |
if (r < 0) return r; |