Avoid pointer overflow for unset captures in pcre2_substring_list_get(), though

it could never have caused a problem.

ChangeLog

@@ -119,6 +119,12 @@ pcre2_dfa_match(). This was a missing optimization rather than a bug.
 pointer argument rather than a code unit value. This should not have affected
 the generated code.
 
+28. The JIT compiler has been updated.
+
+29. Avoid pointer overflow for unset captures in pcre2_substring_list_get().
+This could not actually cause a crash because it was always used in a memcpy()
+call with zero length.
+
 
 Version 10.30 14-August-2017
 ----------------------------

src/pcre2_substring.c

@@ -7,7 +7,7 @@ and semantics are as close as possible to those of the Perl 5 language.
 
                        Written by Philip Hazel
      Original API code Copyright (c) 1997-2012 University of Cambridge
-         New API code Copyright (c) 2016 University of Cambridge
+          New API code Copyright (c) 2016-2018 University of Cambridge
 
 -----------------------------------------------------------------------------
 Redistribution and use in source and binary forms, with or without
@@ -414,7 +414,12 @@ else
 for (i = 0; i < count2; i += 2)
   {
   size = (ovector[i+1] > ovector[i])? (ovector[i+1] - ovector[i]) : 0;
-  memcpy(sp, match_data->subject + ovector[i], CU2BYTES(size));
+
+  /* Size == 0 includes the case when the capture is unset. Avoid adding
+  PCRE2_UNSET to match_data->subject because it overflows, even though with
+  zero size calling memcpy() is harmless. */
+
+  if (size != 0) memcpy(sp, match_data->subject + ovector[i], CU2BYTES(size));
   *listp++ = sp;
   if (lensp != NULL) *lensp++ = size;
   sp += size;