head 1.3; access; symbols OPENPKG_E1_MP_HEAD:1.3 OPENPKG_E1_MP:1.3 OPENPKG_E1_MP_2_STABLE:1.3 OPENPKG_E1_FP:1.3 OPENPKG_2_STABLE_MP:1.3 OPENPKG_2_STABLE_20061018:1.3 OPENPKG_2_STABLE_20060622:1.3 OPENPKG_2_STABLE:1.3.0.2 OPENPKG_2_STABLE_BP:1.3 OPENPKG_2_5_RELEASE:1.2 OPENPKG_2_5_SOLID:1.2.0.2 OPENPKG_2_5_SOLID_BP:1.2 OPENPKG_2_4_RELEASE:1.1 OPENPKG_2_4_SOLID:1.1.0.18 OPENPKG_2_4_SOLID_BP:1.1 OPENPKG_CW_FP:1.1 OPENPKG_2_3_RELEASE:1.1 OPENPKG_2_3_SOLID:1.1.0.16 OPENPKG_2_3_SOLID_BP:1.1 OPENPKG_2_2_RELEASE:1.1 OPENPKG_2_2_SOLID:1.1.0.14 OPENPKG_2_2_SOLID_BP:1.1 OPENPKG_2_1_RELEASE:1.1 OPENPKG_2_1_SOLID:1.1.0.12 OPENPKG_2_1_SOLID_BP:1.1 OPENPKG_2_0_RELEASE:1.1 OPENPKG_2_0_SOLID:1.1.0.10 OPENPKG_2_0_SOLID_BP:1.1 OPENPKG_1_3_RELEASE:1.1 OPENPKG_1_3_SOLID:1.1.0.8 OPENPKG_1_3_SOLID_BP:1.1 OPENPKG_1_STABLE_MP:1.1 OPENPKG_1_2_RELEASE:1.1 OPENPKG_1_2_SOLID:1.1.0.6 OPENPKG_1_2_SOLID_BP:1.1 OPENPKG_1_STABLE:1.1.0.4 OPENPKG_1_STABLE_BP:1.1 OPENPKG_1_1_RELEASE:1.1 OPENPKG_1_1_SOLID:1.1.0.2 OPENPKG_1_1_SOLID_BP:1.1; locks; strict; comment @# @; 1.3 date 2005.10.21.06.28.42; author rse; state Exp; branches; next 1.2; 1.2 date 2005.09.05.14.48.02; author rse; state Exp; branches 1.2.2.1; next 1.1; 1.1 date 2002.07.04.08.41.01; author thl; state Exp; branches 1.1.16.1 1.1.18.1; next ; 1.2.2.1 date 2006.02.19.11.58.13; author rse; state Exp; branches; next ; commitid NE9bbzEtRq66Kbmr; 1.1.16.1 date 2005.09.05.14.54.30; author rse; state Exp; branches; next 1.1.16.2; 1.1.16.2 date 2006.02.19.12.00.39; author rse; state Exp; branches; next ; commitid dtsorbDZQuRVKbmr; 1.1.18.1 date 2005.09.05.14.51.38; author rse; state Exp; branches; next 1.1.18.2; 1.1.18.2 date 2006.02.19.11.59.31; author rse; state Exp; branches; next ; commitid lfCqj4QBhDWxKbmr; desc @@ 1.3 log @upgrading package: tin 1.6.2 -> 1.7.10 @ text @--- src/misc.c.orig Thu Jul 4 10:18:27 2002 +++ src/misc.c Thu Jul 4 10:14:21 2002 @@@@ -55,6 +55,9 @@@@ # include #endif /* MAC_OS_X */ +/* OpenPKG makes sure libiconv is present */ +#include "iconv.h" + /* * defines to control GNKSA-checks behaviour: * - ENFORCE_RFC1034 @ 1.2 log @apply Security Fix (CAN-2005-2491) @ text @a13 110 ------------------------------------------------------------------------------ Security Fix (CAN-2005-2491) Index: pcre/pcre.c --- pcre/pcre.c.orig 2003-08-10 15:27:36 +0200 +++ pcre/pcre.c 2005-09-05 16:43:29 +0200 @@@@ -908,7 +908,18 @@@@ int min = 0; int max = -1; +/* Read the minimum value and do a paranoid check: a negative value indicates +an integer overflow. */ + while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; +if (min < 0 || min > 65535) + { + *errorptr = ERR5; + return p; + } + +/* Read the maximum value if there is one, and again do a paranoid on its size. +Also, max must not be less than min. */ if (*p == '}') max = min; else { @@@@ -916,6 +927,11 @@@@ { max = 0; while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; + if (max < 0 || max > 65535) + { + *errorptr = ERR5; + return p; + } if (max < min) { *errorptr = ERR4; @@@@ -3765,6 +3781,7 @@@@ BOOL class_utf8; #endif BOOL inescq = FALSE; +BOOL capturing; unsigned int brastackptr = 0; size_t size; uschar *code; @@@@ -4169,6 +4186,7 @@@@ case '(': branch_newextra = 0; bracket_length = 1 + LINK_SIZE; + capturing = FALSE; /* Handle special forms of bracket, which all start (? */ @@@@ -4256,6 +4274,9 @@@@ case 'P': ptr += 3; + + /* Handle the definition of a named subpattern */ + if (*ptr == '<') { const uschar *p; /* Don't amalgamate; some compilers */ @@@@ -4268,9 +4289,12 @@@@ } name_count++; if (ptr - p > max_name_size) max_name_size = (ptr - p); + capturing = TRUE; /* Named parentheses are always capturing */ break; } + /* Handle back references and recursive calls to named subpatterns */ + if (*ptr == '=' || *ptr == '>') { while ((compile_block.ctypes[*(++ptr)] & ctype_word) != 0); @@@@ -4445,18 +4469,24 @@@@ continue; } - /* If options were terminated by ':' control comes here. Fall through - to handle the group below. */ + /* If options were terminated by ':' control comes here. This is a + non-capturing group with an options change. There is nothing more that + needs to be done because "capturing" is already set FALSE by default; + we can just fall through. */ + } } - /* Extracting brackets must be counted so we can process escapes in a - Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to - need an additional 3 bytes of store per extracting bracket. However, if - PCRE_NO_AUTO)CAPTURE is set, unadorned brackets become non-capturing, so we - must leave the count alone (it will aways be zero). */ + /* Ordinary parentheses, not followed by '?', are capturing unless + PCRE_NO_AUTO_CAPTURE is set. */ + + else capturing = (options & PCRE_NO_AUTO_CAPTURE) == 0; + + /* Capturing brackets must be counted so we can process escapes in a + Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to need + an additional 3 bytes of memory per capturing bracket. */ - else if ((options & PCRE_NO_AUTO_CAPTURE) == 0) + if (capturing) { bracount++; if (bracount > EXTRACT_BASIC_MAX) bracket_length += 3; @ 1.2.2.1 log @Security Fix @ text @a123 18 ------------------------------------------------------------------------------ Security Fix Index: src/mail.c --- src/mail.c 2005-12-02 12:07:36 +0100 +++ src/mail.c 2006-01-19 23:40:13 +0100 @@@@ -369,7 +369,7 @@@@ space = strlen(ptr) + 1; groupname = my_malloc(space); } else { - while (strlen(ptr) > space) { /* realloc needed? */ + while (space < strlen(ptr) + 1) { /* realloc needed? */ space <<= 1; /* double size */ groupname = my_realloc(groupname, space); } @ 1.1 log @tweak iconv @ text @d13 111 @ 1.1.16.1 log @apply Security Fix (CAN-2005-2491) @ text @a12 111 ------------------------------------------------------------------------------ Security Fix (CAN-2005-2491) Index: pcre/pcre.c --- pcre/pcre.c.orig 2003-08-10 15:27:36 +0200 +++ pcre/pcre.c 2005-09-05 16:43:29 +0200 @@@@ -908,7 +908,18 @@@@ int min = 0; int max = -1; +/* Read the minimum value and do a paranoid check: a negative value indicates +an integer overflow. */ + while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; +if (min < 0 || min > 65535) + { + *errorptr = ERR5; + return p; + } + +/* Read the maximum value if there is one, and again do a paranoid on its size. +Also, max must not be less than min. */ if (*p == '}') max = min; else { @@@@ -916,6 +927,11 @@@@ { max = 0; while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; + if (max < 0 || max > 65535) + { + *errorptr = ERR5; + return p; + } if (max < min) { *errorptr = ERR4; @@@@ -3765,6 +3781,7 @@@@ BOOL class_utf8; #endif BOOL inescq = FALSE; +BOOL capturing; unsigned int brastackptr = 0; size_t size; uschar *code; @@@@ -4169,6 +4186,7 @@@@ case '(': branch_newextra = 0; bracket_length = 1 + LINK_SIZE; + capturing = FALSE; /* Handle special forms of bracket, which all start (? */ @@@@ -4256,6 +4274,9 @@@@ case 'P': ptr += 3; + + /* Handle the definition of a named subpattern */ + if (*ptr == '<') { const uschar *p; /* Don't amalgamate; some compilers */ @@@@ -4268,9 +4289,12 @@@@ } name_count++; if (ptr - p > max_name_size) max_name_size = (ptr - p); + capturing = TRUE; /* Named parentheses are always capturing */ break; } + /* Handle back references and recursive calls to named subpatterns */ + if (*ptr == '=' || *ptr == '>') { while ((compile_block.ctypes[*(++ptr)] & ctype_word) != 0); @@@@ -4445,18 +4469,24 @@@@ continue; } - /* If options were terminated by ':' control comes here. Fall through - to handle the group below. */ + /* If options were terminated by ':' control comes here. This is a + non-capturing group with an options change. There is nothing more that + needs to be done because "capturing" is already set FALSE by default; + we can just fall through. */ + } } - /* Extracting brackets must be counted so we can process escapes in a - Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to - need an additional 3 bytes of store per extracting bracket. However, if - PCRE_NO_AUTO)CAPTURE is set, unadorned brackets become non-capturing, so we - must leave the count alone (it will aways be zero). */ + /* Ordinary parentheses, not followed by '?', are capturing unless + PCRE_NO_AUTO_CAPTURE is set. */ + + else capturing = (options & PCRE_NO_AUTO_CAPTURE) == 0; + + /* Capturing brackets must be counted so we can process escapes in a + Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to need + an additional 3 bytes of memory per capturing bracket. */ - else if ((options & PCRE_NO_AUTO_CAPTURE) == 0) + if (capturing) { bracount++; if (bracount > EXTRACT_BASIC_MAX) bracket_length += 3; @ 1.1.16.2 log @Security Fix @ text @a123 18 ------------------------------------------------------------------------------ Security Fix Index: src/mail.c --- src/mail.c 2005-12-02 12:07:36 +0100 +++ src/mail.c 2006-01-19 23:40:13 +0100 @@@@ -369,7 +369,7 @@@@ space = strlen(ptr) + 1; groupname = my_malloc(space); } else { - while (strlen(ptr) > space) { /* realloc needed? */ + while (space < strlen(ptr) + 1) { /* realloc needed? */ space <<= 1; /* double size */ groupname = my_realloc(groupname, space); } @ 1.1.18.1 log @apply Security Fix (CAN-2005-2491) @ text @a12 111 ------------------------------------------------------------------------------ Security Fix (CAN-2005-2491) Index: pcre/pcre.c --- pcre/pcre.c.orig 2003-08-10 15:27:36 +0200 +++ pcre/pcre.c 2005-09-05 16:43:29 +0200 @@@@ -908,7 +908,18 @@@@ int min = 0; int max = -1; +/* Read the minimum value and do a paranoid check: a negative value indicates +an integer overflow. */ + while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0'; +if (min < 0 || min > 65535) + { + *errorptr = ERR5; + return p; + } + +/* Read the maximum value if there is one, and again do a paranoid on its size. +Also, max must not be less than min. */ if (*p == '}') max = min; else { @@@@ -916,6 +927,11 @@@@ { max = 0; while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0'; + if (max < 0 || max > 65535) + { + *errorptr = ERR5; + return p; + } if (max < min) { *errorptr = ERR4; @@@@ -3765,6 +3781,7 @@@@ BOOL class_utf8; #endif BOOL inescq = FALSE; +BOOL capturing; unsigned int brastackptr = 0; size_t size; uschar *code; @@@@ -4169,6 +4186,7 @@@@ case '(': branch_newextra = 0; bracket_length = 1 + LINK_SIZE; + capturing = FALSE; /* Handle special forms of bracket, which all start (? */ @@@@ -4256,6 +4274,9 @@@@ case 'P': ptr += 3; + + /* Handle the definition of a named subpattern */ + if (*ptr == '<') { const uschar *p; /* Don't amalgamate; some compilers */ @@@@ -4268,9 +4289,12 @@@@ } name_count++; if (ptr - p > max_name_size) max_name_size = (ptr - p); + capturing = TRUE; /* Named parentheses are always capturing */ break; } + /* Handle back references and recursive calls to named subpatterns */ + if (*ptr == '=' || *ptr == '>') { while ((compile_block.ctypes[*(++ptr)] & ctype_word) != 0); @@@@ -4445,18 +4469,24 @@@@ continue; } - /* If options were terminated by ':' control comes here. Fall through - to handle the group below. */ + /* If options were terminated by ':' control comes here. This is a + non-capturing group with an options change. There is nothing more that + needs to be done because "capturing" is already set FALSE by default; + we can just fall through. */ + } } - /* Extracting brackets must be counted so we can process escapes in a - Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to - need an additional 3 bytes of store per extracting bracket. However, if - PCRE_NO_AUTO)CAPTURE is set, unadorned brackets become non-capturing, so we - must leave the count alone (it will aways be zero). */ + /* Ordinary parentheses, not followed by '?', are capturing unless + PCRE_NO_AUTO_CAPTURE is set. */ + + else capturing = (options & PCRE_NO_AUTO_CAPTURE) == 0; + + /* Capturing brackets must be counted so we can process escapes in a + Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to need + an additional 3 bytes of memory per capturing bracket. */ - else if ((options & PCRE_NO_AUTO_CAPTURE) == 0) + if (capturing) { bracount++; if (bracount > EXTRACT_BASIC_MAX) bracket_length += 3; @ 1.1.18.2 log @Security Fix @ text @a123 18 ------------------------------------------------------------------------------ Security Fix Index: src/mail.c --- src/mail.c 2005-12-02 12:07:36 +0100 +++ src/mail.c 2006-01-19 23:40:13 +0100 @@@@ -369,7 +369,7 @@@@ space = strlen(ptr) + 1; groupname = my_malloc(space); } else { - while (strlen(ptr) > space) { /* realloc needed? */ + while (space < strlen(ptr) + 1) { /* realloc needed? */ space <<= 1; /* double size */ groupname = my_realloc(groupname, space); } @