Fix forward reference by name to duplicate group number bug.

ChangeLog

@@ -119,6 +119,10 @@ bug was discovered by the LLVM fuzzer.
 another group caused a buffer overflow. For example: /(?J)(?'d'(?'d'\g{d}))/.
 This bug was discovered by the LLVM fuzzer.
 
+30. A forward reference by name to a group whose number is the same as the
+current group, for example in this pattern: /(?|(\k'Pm')|(?'Pm'))/, caused a
+buffer overflow at compile time. This bug was discovered by the LLVM fuzzer.
+
 
 Version 10.10 06-March-2015
 ---------------------------

src/pcre2_compile.c

@@ -5984,6 +5984,14 @@ for (;; ptr++)
           not be set at the point of reference. */
 
           *lengthptr += IMM2_SIZE;
+          
+          /* If this is a forward reference and we are within a (?|...) group,
+          the reference may end up as the number of a group which we are 
+          currently inside, that is, it could be a recursive reference. In the 
+          real compile this will be picked up and the reference wrapped with 
+          OP_ONCE to make it atomic, so we must space in case this occurs. */ 
+          
+          if (recno == 0) *lengthptr += 2 + 2*LINK_SIZE;
           }
 
         /* In the real compile, search the name table. We check the name

testdata/testinput1

@@ -5724,4 +5724,7 @@ name)/mark
 /(?1)()((((((\1++))\x85)+)|))/
     \x85\x85
 
+"(?|(\k'Pm')|(?'Pm'))"
+    abcd
+
 # End of testinput1 

testdata/testoutput1

@@ -9458,4 +9458,9 @@ No match
  6: 
  7: 
 
+"(?|(\k'Pm')|(?'Pm'))"
+    abcd
+ 0: 
+ 1: 
+
 # End of testinput1