From b89a448d8d069c778337517a21006e1747b11704 Mon Sep 17 00:00:00 2001
From: "Philip.Hazel"
Date: Tue, 4 Aug 2015 09:13:11 +0000
Subject: [PATCH] Add missing integer overflow checks.
---
 ChangeLog | 4 ++++
 src/pcre2_compile.c | 13 ++++++++++++-
 testdata/testinput2 | 4 ++++
 testdata/testoutput2 | 6 ++++++
 4 files changed, 26 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 890f6df..37913a3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -98,6 +98,10 @@ minimum matching length gave a wrong result, which could cause incorrect
 "no match" errors. For such patterns, a minimum matching length cannot at
 present be computed.
+26. Added a check for integer overflow in conditions (?() and
+(?(R). This omission was discovered by Karl Skomski with the LLVM fuzzer.
+
 Version 10.20 30-June-2015
 --------------------------
diff --git a/src/pcre2_compile.c b/src/pcre2_compile.c
index d27a5bd..7076633 100644
--- a/src/pcre2_compile.c
+++ b/src/pcre2_compile.c
@@ -5954,6 +5954,12 @@ for (;; ptr++)
 {
 while (IS_DIGIT(*ptr))
 {
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ while (IS_DIGIT(*ptr)) ptr++;
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
 recno = recno * 10 + (int)(*ptr - CHAR_0);
 ptr++;
 }
@@ -6089,9 +6095,14 @@ for (;; ptr++)
 {
 if (!IS_DIGIT(name[i]))
 {
- *errorcodeptr = ERR15;
+ *errorcodeptr = ERR15; /* Non-existent subpattern */
 goto FAILED;
 }
+ if (recno > INT_MAX / 10 - 1) /* Integer overflow */
+ {
+ *errorcodeptr = ERR61;
+ goto FAILED;
+ }
 recno = recno * 10 + name[i] - CHAR_0;
 }
 if (recno == 0) recno = RREF_ANY;
diff --git a/testdata/testinput2 b/testdata/testinput2
index 0c7ea4f..6e32910 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4408,4 +4408,8 @@ a random value.
 /.*?a(*SKIP)b/
 aab
+/(?(8000000000/
+
+/((?(R8000000000)))/
+
 # End of testinput2
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index 51ddcec..689a709 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
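Review bot: The guard `recno > INT_MAX / 10 - 1` in the first pcre2_compile.c hunk (@@ -5954) is sound but conservative: with a 32-bit int it fires once recno reaches 214748364, so the ten-digit values 2147483640 through 2147483647, which would still fit, are reported as ERR61 as well; that is acceptable for a group number, but the bare `/* Integer overflow */` comment should say so, e.g. `/* Reject before recno * 10 + digit can overflow; a few values just below INT_MAX are rejected too */`. The identical expression is repeated in the second pcre2_compile.c hunk (@@ -6089); one named bound (a macro or static const beside the other compile-time limits) would keep the two checks from drifting apart. The `while (IS_DIGIT(*ptr)) ptr++;` executed before setting the error is uncommented; presumably it advances ptr past the whole number so the reported offset lands after it, which the new testoutput2 expectation "offset 13" for `/(?(8000000000/` is consistent with, and a one-line comment stating that intent would help the next reader. Both checks also rely on recno being non-negative when the digit loop starts; its initialisation, like the rest of the enclosing function, lies outside the hunk, so that is worth confirming.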
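Review bot: The two new testinput2 cases exercise only a ten-digit value that overflows by a wide margin, so the threshold itself is not pinned; adding a case at the boundary (for example `/(?(2147483647)/`, which the guard rejects because its first nine digits exceed 214748363, alongside `/(?(2147483639)/`, which it accepts) would make the accepted range visible in the expected output and show whether rejecting a few representable values is intended. The expectations in testoutput2 assume a 32-bit int; on a platform with a wider int the guard would not fire for these inputs, which presumably does not matter for this suite but could be stated in a test comment. The surrounding test section begins outside the hunk.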
@@ -14661,4 +14661,10 @@ No match
 aab
 0: ab
+/(?(8000000000/
+Failed: error 161 at offset 13: number is too big
+
+/((?(R8000000000)))/
+Failed: error 161 at offset 16: number is too big
+
 # End of testinput2