From 284d42fa7e838c647750defeaba71e5c7015db1f Mon Sep 17 00:00:00 2001
From: "Philip.Hazel"
Date: Fri, 30 Oct 2015 18:25:19 +0000
Subject: [PATCH] Avoid the need for an integer overflow check in pcre2_substitute() by adding a check for a number greater than the largest capturing group.
---
 ChangeLog | 4 ++++
 src/pcre2_substitute.c | 9 +++++++++
 testdata/testinput2 | 3 +++
 testdata/testoutput2 | 4 ++++
 4 files changed, 20 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 7127feb..1d0f960 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -236,6 +236,10 @@ string was zero-terminated.
 68. In pcre2_substitute() in UTF mode, PCRE2_NO_UTF_CHECK can be set for the second and subsequent calls to pcre2_match().
+69. There was no check for integer overflow for a replacement group number in
+pcre2_substitute(). An added check for a number greater than the largest group
+number in the pattern means this is not now needed.
+
 Version 10.20 30-June-2015
 --------------------------
diff --git a/src/pcre2_substitute.c b/src/pcre2_substitute.c
index 0c1979e..f5b4473 100644
--- a/src/pcre2_substitute.c
+++ b/src/pcre2_substitute.c
@@ -409,6 +409,15 @@ do
 next = *ptr;
 if (next < CHAR_0 || next > CHAR_9) break;
 group = group * 10 + next - CHAR_0;
+
+ /* A check for a number greater than the hightest captured group
+ is sufficient here; no need for a separate overflow check. */
+
+ if (group > code->top_bracket)
+ {
+ rc = PCRE2_ERROR_NOSUBSTRING;
+ goto PTREXIT;
+ }
 }
 }
 else
diff --git a/testdata/testinput2 b/testdata/testinput2
index 4add971..9885ff8 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4587,4 +4587,7 @@ B)x/alt_verbnames,mark
 /((p(?'K/no_auto_capture
+/abc/replace=A$3123456789Z
+ abc
+
 # End of testinput2
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index 312b358..5040fbc 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
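Review bot: The new comment in the pcre2_substitute.c hunk misspells `highest` as `hightest`, and it states the conclusion without the reason that makes the "no overflow check needed" claim true: the comparison runs inside the per-digit loop, immediately after `group = group * 10 + next - CHAR_0;`, so `group` can never exceed `10 * top_bracket + 9` before the function bails out with PCRE2_ERROR_NOSUBSTRING. I would rewrite the two comment lines as `/* This check runs after every digit, so group can never exceed 10*top_bracket + 9 before we bail out; that is why no separate integer overflow check is needed here. */` so that a later refactor moving the test after the loop is visibly breaking the invariant. The bound also presumes `top_bracket` has a small fixed range and that `group` is wide enough to hold ten times it; both are declared outside this hunk, so the comment could name that assumption. The enclosing function begins and ends outside the hunk.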
@@ -14674,4 +14674,8 @@ Failed: error 142 at offset 7: syntax error in subpattern name (missing terminat
 /((p(?'K/no_auto_capture
 Failed: error 142 at offset 7: syntax error in subpattern name (missing terminator)
+/abc/replace=A$3123456789Z
+ abc
+Failed: error -49 at offset 3 in replacement: unknown substring
+
 # End of testinput2