Index: src/proto.h
--- src/proto.h.orig	2003-07-04 01:00:18 +0200
+++ src/proto.h	2004-12-15 10:09:08 +0100
@@ -94,7 +94,9 @@
 char *PushString(struct Push *, const char *);
 char *PushNString(struct Push *, const char *, int);
 
+#ifndef HAVE_STRCASESTR
 char *strcasestr (char *, const char *);
+#endif
 char *strsav(const char *);
 char *strreplace(char *, char *);
 void strcpymax(char *, const char *, int);

------------------------------------------------------------------------------

Security Fix (CAN-2005-2491)

Index: src/pcre/pcre.c
--- src/pcre/pcre.c.orig	2003-07-03 20:04:06 +0200
+++ src/pcre/pcre.c	2005-09-05 16:29:25 +0200
@@ -908,7 +908,18 @@
 int min = 0;
 int max = -1;
 
+/* Read the minimum value and do a paranoid check: a negative value indicates
+an integer overflow. */
+
 while ((digitab[*p] & ctype_digit) != 0) min = min * 10 + *p++ - '0';
+if (min < 0 || min > 65535)
+  {
+  *errorptr = ERR5;
+  return p;
+  }
+
+/* Read the maximum value if there is one, and again do a paranoid on its size.
+Also, max must not be less than min. */
 
 if (*p == '}') max = min; else
   {
@@ -916,6 +927,11 @@
     {
     max = 0;
     while((digitab[*p] & ctype_digit) != 0) max = max * 10 + *p++ - '0';
+    if (max < 0 || max > 65535)
+      {
+      *errorptr = ERR5;
+      return p;
+      }
     if (max < min)
       {
       *errorptr = ERR4;
@@ -3765,6 +3781,7 @@
 BOOL class_utf8;
 #endif
 BOOL inescq = FALSE;
+BOOL capturing;
 unsigned int brastackptr = 0;
 size_t size;
 uschar *code;
@@ -4169,6 +4186,7 @@
     case '(':
     branch_newextra = 0;
     bracket_length = 1 + LINK_SIZE;
+    capturing = FALSE;
 
     /* Handle special forms of bracket, which all start (? */
 
@@ -4256,6 +4274,9 @@
 
         case 'P':
         ptr += 3;
+
+        /* Handle the definition of a named subpattern */
+
         if (*ptr == '<')
           {
           const uschar *p;    /* Don't amalgamate; some compilers */
@@ -4268,9 +4289,12 @@
             }
           name_count++;
           if (ptr - p > max_name_size) max_name_size = (ptr - p);
+          capturing = TRUE;   /* Named parentheses are always capturing */
           break;
           }
 
+        /* Handle back references and recursive calls to named subpatterns */
+
         if (*ptr == '=' || *ptr == '>')
           {
           while ((compile_block.ctypes[*(++ptr)] & ctype_word) != 0);
@@ -4445,18 +4469,24 @@
           continue;
           }
 
-        /* If options were terminated by ':' control comes here. Fall through
-        to handle the group below. */
+        /* If options were terminated by ':' control comes here. This is a
+        non-capturing group with an options change. There is nothing more that
+        needs to be done because "capturing" is already set FALSE by default;
+        we can just fall through. */
+
         }
       }
 
-    /* Extracting brackets must be counted so we can process escapes in a
-    Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to
-    need an additional 3 bytes of store per extracting bracket. However, if
-    PCRE_NO_AUTO)CAPTURE is set, unadorned brackets become non-capturing, so we
-    must leave the count alone (it will aways be zero). */
+    /* Ordinary parentheses, not followed by '?', are capturing unless
+    PCRE_NO_AUTO_CAPTURE is set. */
+
+    else capturing = (options & PCRE_NO_AUTO_CAPTURE) == 0;
+
+    /* Capturing brackets must be counted so we can process escapes in a
+    Perlish way. If the number exceeds EXTRACT_BASIC_MAX we are going to need
+    an additional 3 bytes of memory per capturing bracket. */
 
-    else if ((options & PCRE_NO_AUTO_CAPTURE) == 0)
+    if (capturing)
       {
       bracount++;
       if (bracount > EXTRACT_BASIC_MAX) bracket_length += 3;