diff -Naur squidGuard-1.2.0/src/sgDiv.c squidGuard-1.2.0-patch/src/sgDiv.c

--- squidGuard-1.2.0/src/sgDiv.c	Tue May 15 05:01:37 2001

+++ squidGuard-1.2.0-patch/src/sgDiv.c	Tue Aug  6 14:39:55 2002

@@ -500,13 +500,13 @@

 #endif

 {

   struct sgRegExp *re;

-  regmatch_t pm;

+  regmatch_t pm[10];

   static char newstring[MAX_BUF];

   char *result = NULL, *p;

   int substlen;

   *newstring='\0';

   for(re = regexp; re != NULL; re = re->next){

-    if (regexec (re->compiled, pattern, 1, &pm, 0) != 0){

+    if (regexec (re->compiled, pattern, sizeof(pm) / sizeof(pm[0]), pm, 0) != 0){

       result = NULL;

     } else {

       substlen = strlen(re->substitute);

@@ -516,14 +516,65 @@

 	*newstring = '\0';

       p = newstring;

       do {

-	if((p - newstring)+ pm.rm_so  >= MAX_BUF)

+	if((p - newstring)+ pm[0].rm_so  >= MAX_BUF)

 	  break;

-	p = strncat(newstring,pattern,pm.rm_so);

-	if((p - newstring)+ substlen  >= MAX_BUF)

-	  break;

-	p = strcat(newstring,re->substitute);	

-	pattern = pattern + pm.rm_eo;

-      } while(regexec (re->compiled, pattern, 1, &pm, REG_NOTBOL)== 0 &&

+      p = strncat(newstring,pattern,pm[0].rm_so);

+      {

+          char *p_cur;

+          char *p_next;

+

+          for (p_next = p_cur = re->substitute;

+              p_next < (re->substitute + substlen);

+              p_next++)

+          {

+              if (*p_next == '\\')

+              {

+                  if (p_cur < p_next)

+                  {

+                      if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)

+                          goto err;

+                      p = strncat(newstring, p_cur, p_next - p_cur);

+                  }

+                  p_next++;

+                  if (p_next < (re->substitute + substlen)

+                      && '0' <= *p_next && *p_next <= '9')

+                  {

+                      int i = *p_next - '0';

+                      if ((p - newstring) + (pm[i].rm_eo - pm[i].rm_so) >= MAX_BUF)

+                          goto err;

+                      p = strncat(newstring, pattern + pm[i].rm_so, pm[i].rm_eo - pm[i].rm_so);

+                  }

+                  else

+                  {

+                      if ((p - newstring + 1) >= MAX_BUF)

+                          goto err;

+                      p = strncat(newstring, p_next, 1);

+                  }

+                  p_cur = p_next + 1;

+              }

+              else if (*p_next == '&')

+              {

+                  if (p_cur < p_next)

+                  {

+                      if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)

+                          goto err;

+                      p = strncat(newstring, p_cur, p_next - p_cur);

+                  }

+                  if (((p - newstring) + (pm[0].rm_eo - pm[0].rm_so)) >= MAX_BUF)

+                      goto err;

+                  p = strncat(newstring, pattern + pm[0].rm_so, pm[0].rm_eo - pm[0].rm_so);

+                  p_cur = p_next + 1;

+              }

+          }

+          if (p_cur < p_next)

+          {

+              if (((p - newstring) + (p_next - p_cur)) >= MAX_BUF)

+                  goto err;

+              p = strncat(newstring, p_cur, p_next - p_cur);

+          }

+      }

+      pattern = pattern + pm[0].rm_eo;

+     } while(regexec (re->compiled, pattern, sizeof(pm) / sizeof(pm[0]), pm, REG_NOTBOL)== 0 &&

 	      re->global);

       if((p - newstring)+ strlen(pattern)  <= MAX_BUF)

 	p = strcat(newstring,pattern);

@@ -531,6 +582,7 @@

       break;

     }

   }

+err:

   return result;

 }