Fix OOB error in substitute with start offset longer than length.

This commit is contained in:
Philip.Hazel 2016-12-09 18:19:38 +00:00
parent bcad1aa4f6
commit 7914fa82a9
4 changed files with 17 additions and 1 deletions

View File

@ -208,6 +208,9 @@ the current pattern or a previous one and a wide character was matched.
PCRE2_SUBSTITUTE_EXTENDED was set caused a segmentation fault (NULL
dereference).
33. If the starting offset was specified as greater than the subject length in
a call to pcre2_substitute() an out-of-bounds memory reference could occur.
Version 10.22 29-July-2016
--------------------------

View File

@ -289,6 +289,12 @@ options &= ~SUBSTITUTE_OPTIONS;
/* Copy up to the start offset */
if (start_offset > length)
{
match_data->leftchar = 0;
rc = PCRE2_ERROR_BADOFFSET;
goto EXIT;
}
CHECKMEMCPY(subject, start_offset);
/* Loop for global substituting. */

3
testdata/testinput2 vendored
View File

@ -4928,4 +4928,7 @@ a)"xI
/(\x0e00\000000\xc)/replace=\P,substitute_extended
\x0e00\000000\xc
//replace=0
\=offset=7
# End of testinput2

View File

@ -15382,6 +15382,10 @@ No match
\x0e00\000000\xc
Failed: error -57 at offset 2 in replacement: bad escape sequence in replacement string
//replace=0
\=offset=7
Failed: error -33: bad offset value
# End of testinput2
Error -63: PCRE2_ERROR_BADDATA (unknown error number)
Error -62: bad serialized data