diff -NurdB gnumeric-1.4.3/src/cut-n-paste-code/goffice/cut-n-paste/pcre/pcre.c gnumeric-1.4.3-patched/src/cut-n-paste-code/goffice/cut-n-paste/pcre/pcre.c --- gnumeric-1.4.3/src/cut-n-paste-code/goffice/cut-n-paste/pcre/pcre.c 2004-10-29 13:13:19.000000000 -0500 +++ gnumeric-1.4.3-patched/src/cut-n-paste-code/goffice/cut-n-paste/pcre/pcre.c 2005-09-01 01:22:28.000000000 -0500 @@ -1062,7 +1062,18 @@ int min = 0; int max = -1; +/* Read the minimum value and do a paranoid check: a negative value indicates +an integer overflow. */ + while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; +if (min < 0 || min > 65535) + { + *errorptr = ERR5; + return p; + } + +/* Read the maximum value if there is one, and again do a paranoid on its size. +Also, max must not be less than min. */ if (*p == '}') max = min; else { @@ -1070,6 +1081,11 @@ { max = 0; while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; + if (max < 0 || max > 65535) + { + *errorptr = ERR5; + return p; + } if (max < min) { *errorptr = ERR4; @@ -1078,16 +1094,10 @@ } } -/* Do paranoid checks, then fill in the required variables, and pass back the -pointer to the terminating '}'. */ +/* Fill in the required variables, and pass back the pointer to the terminating '}'. */ -if (min > 65535 || max > 65535) - *errorptr = ERR5; -else - { - *minp = min; - *maxp = max; - } +*minp = min; +*maxp = max; return p; } @@ -4128,6 +4138,7 @@ BOOL class_utf8; #endif BOOL inescq = FALSE; +BOOL capturing; unsigned int brastackptr = 0; size_t size; uschar *code; @@ -4543,6 +4554,7 @@ case '(': branch_newextra = 0; bracket_length = 1 + LINK_SIZE; + capturing = FALSE; /* Handle special forms of bracket, which all start (? */ @@ -4630,6 +4642,9 @@ case 'P': ptr += 3; + + /* Handle the definition of a named subpattern */ + if (*ptr == '<') { const uschar *p; /* Don't amalgamate; some compilers */ @@ -4642,9 +4657,12 @@ } name_count++; if (ptr - p > max_name_size) max_name_size = (ptr - p); + capturing = TRUE; /* Named parentheses are always capturing */ break; } + /* Handle back references and recursive calls to named subpatterns */ + if (*ptr == '=' || *ptr == '>') { while ((compile_block.ctypes[*(++ptr)] & ctype_word) != 0); @@ -4819,18 +4837,24 @@ continue; } - /* If options were terminated by ':' control comes here. Fall through - to handle the group below. */ + /* If options were terminated by ':' control comes here. This is a + non-capturing group with an options change. There is nothing more that + needs to be done because "capturing" is already set FALSE by default; + we can just fall through. */ + } } - /* Extracting brackets must be counted so we can process escapes in a - Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to - need an additional 3 bytes of store per extracting bracket. However, if - PCRE_NO_AUTO)CAPTURE is set, unadorned brackets become non-capturing, so we - must leave the count alone (it will aways be zero). */ + /* Ordinary parentheses, not followed by '?', are capturing unless + PCRE_NO_AUTO_CAPTURE is set. */ - else if ((options & PCRE_NO_AUTO_CAPTURE) == 0) + else capturing = (options & PCRE_NO_AUTO_CAPTURE) == 0; + + /* Capturing brackets must be counted so we can process escapes in a + Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to need + an additional 3 bytes of memory per capturing bracket. */ + + if (capturing) { bracount++; if (bracount > EXTRACT_BASIC_MAX) bracket_length += 3;