From 7914fa82a972e7e42569bcf7711881a5d44fe2a2 Mon Sep 17 00:00:00 2001
From: "Philip.Hazel"
Date: Fri, 9 Dec 2016 18:19:38 +0000
Subject: [PATCH] Fix OOB error in substitute with start offset longer than length.
---
 ChangeLog | 3 +++
 src/pcre2_substitute.c | 8 +++++++-
 testdata/testinput2 | 3 +++
 testdata/testoutput2 | 4 ++++
 4 files changed, 17 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 074d376..385f1b3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -208,6 +208,9 @@ the current pattern or a previous one and a wide character was matched.
 PCRE2_SUBSTITUTE_EXTENDED was set caused a segmentation fault (NULL dereference).
+33. If the starting offset was specified as greater than the subject length in
+a call to pcre2_substitute() an out-of-bounds memory reference could occur.
+
 Version 10.22 29-July-2016
 --------------------------
diff --git a/src/pcre2_substitute.c b/src/pcre2_substitute.c
index d832da8..8da951f 100644
--- a/src/pcre2_substitute.c
+++ b/src/pcre2_substitute.c
@@ -130,7 +130,7 @@ for (; ptr < ptrend; ptr++)
 ptr += 1; /* Must point after \ */
 erc = PRIV(check_escape)(&ptr, ptrend, &ch, &errorcode, code->overall_options, FALSE, NULL);
- ptr -= 1; /* Back to last code unit of escape */
+ ptr -= 1; /* Back to last code unit of escape */
 if (errorcode != 0) {
 rc = errorcode;
@@ -289,6 +289,12 @@ options &= ~SUBSTITUTE_OPTIONS;
 /* Copy up to the start offset */
+if (start_offset > length)
+ {
+ match_data->leftchar = 0;
+ rc = PCRE2_ERROR_BADOFFSET;
+ goto EXIT;
+ }
 CHECKMEMCPY(subject, start_offset);
 /* Loop for global substituting. */
diff --git a/testdata/testinput2 b/testdata/testinput2
index 3e08d4a..998b2cf 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4928,4 +4928,7 @@ a)"xI
 /(\x0e00\000000\xc)/replace=\P,substitute_extended
 \x0e00\000000\xc
+//replace=0
+\=offset=7
+
 # End of testinput2
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index 2476d48..2c35960 100644
--- a/testdata/testoutput2
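Review bot: The new guard `if (start_offset > length)` in the @@ -289 hunk only closes the out-of-bounds copy in CHECKMEMCPY if `length` has already been resolved from the PCRE2_ZERO_TERMINATED sentinel to the real subject length; that resolution is not visible in the hunk, so it should be confirmed to run before this point, otherwise a zero-terminated subject with an oversized offset still reaches the copy with the sentinel as `length`. Neither the purpose of the guard nor the reason for clearing `match_data->leftchar` on this error path is stated in the code; a comment above the if, such as `/* A start offset beyond the subject would make CHECKMEMCPY read past the subject buffer; reject it before copying. */`, plus a short note on why leftchar is reset, would make the check self-explaining. The enclosing function begins and ends outside the hunk.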
+++ b/testdata/testoutput2
@@ -15382,6 +15382,10 @@ No match
 \x0e00\000000\xc
 Failed: error -57 at offset 2 in replacement: bad escape sequence in replacement string
+//replace=0
+\=offset=7
+Failed: error -33: bad offset value
+
 # End of testinput2
 Error -63: PCRE2_ERROR_BADDATA (unknown error number)
 Error -62: bad serialized data