Fix OOB error in substitute with start offset longer than length.

ChangeLog

@@ -208,6 +208,9 @@ the current pattern or a previous one and a wide character was matched.
 PCRE2_SUBSTITUTE_EXTENDED was set caused a segmentation fault (NULL 
 dereference).
 
+33. If the starting offset was specified as greater than the subject length in 
+a call to pcre2_substitute() an out-of-bounds memory reference could occur.
+
 
 Version 10.22 29-July-2016
 --------------------------

src/pcre2_substitute.c

@@ -130,7 +130,7 @@ for (; ptr < ptrend; ptr++)
     ptr += 1;  /* Must point after \ */
     erc = PRIV(check_escape)(&ptr, ptrend, &ch, &errorcode,
       code->overall_options, FALSE, NULL);
-    ptr -= 1;  /* Back to last code unit of escape */ 
+    ptr -= 1;  /* Back to last code unit of escape */
     if (errorcode != 0)
       {
       rc = errorcode;
@@ -289,6 +289,12 @@ options &= ~SUBSTITUTE_OPTIONS;
 
 /* Copy up to the start offset */
 
+if (start_offset > length)
+  {
+  match_data->leftchar = 0;
+  rc = PCRE2_ERROR_BADOFFSET;
+  goto EXIT;
+  }
 CHECKMEMCPY(subject, start_offset);
 
 /* Loop for global substituting. */

testdata/testinput2

@@ -4928,4 +4928,7 @@ a)"xI
 /(\x0e00\000000\xc)/replace=\P,substitute_extended
 \x0e00\000000\xc
 
+//replace=0
+\=offset=7
+
 # End of testinput2 

testdata/testoutput2

@@ -15382,6 +15382,10 @@ No match
 \x0e00\000000\xc
 Failed: error -57 at offset 2 in replacement: bad escape sequence in replacement string
 
+//replace=0
+\=offset=7
+Failed: error -33: bad offset value
+
 # End of testinput2 
 Error -63: PCRE2_ERROR_BADDATA (unknown error number)
 Error -62: bad serialized data