Avoid pointer overflow for unset captures in pcre2_substring_list_get(), though
it could never have caused a problem.
This commit is contained in:
Philip.Hazel 2018-01-12 18:48:27 +00:00
parent a6237da13e
commit 9d197bfe76
2 changed files with 13 additions and 2 deletions

@ -119,6 +119,12 @@ pcre2_dfa_match(). This was a missing optimization rather than a bug.
pointer argument rather than a code unit value. This should not have affected
the generated code.
28. The JIT compiler has been updated.
29. Avoid pointer overflow for unset captures in pcre2_substring_list_get().
This could not actually cause a crash because it was always used in a memcpy()
call with zero length.
Version 10.30 14-August-2017
----------------------------
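Review bot: the justification in the new item 29 ("This could not actually cause a crash because it was always used in a memcpy() call with zero length") understates why the change matters: computing `match_data->subject + PCRE2_UNSET` is pointer arithmetic that lands outside any object, which is undefined behaviour in C whether or not memcpy() then copies zero bytes, so sanitizers and optimizing compilers are entitled to flag or mis-handle it. Suggest rewording to something like "This could not cause a crash in practice, because the pointer was only ever passed to memcpy() with a zero length, but the out-of-range pointer arithmetic is undefined behaviour."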

@ -7,7 +7,7 @@ and semantics are as close as possible to those of the Perl 5 language.
Written by Philip Hazel
Original API code Copyright (c) 1997-2012 University of Cambridge
New API code Copyright (c) 2016 University of Cambridge
New API code Copyright (c) 2016-2018 University of Cambridge
-----------------------------------------------------------------------------
Redistribution and use in source and binary forms, with or without
@ -414,7 +414,12 @@ else
for (i = 0; i < count2; i += 2)
{
size = (ovector[i+1] > ovector[i])? (ovector[i+1] - ovector[i]) : 0;
memcpy(sp, match_data->subject + ovector[i], CU2BYTES(size));
/* Size == 0 includes the case when the capture is unset. Avoid adding
PCRE2_UNSET to match_data->subject because it overflows, even though with
zero size calling memcpy() is harmless. */
if (size != 0) memcpy(sp, match_data->subject + ovector[i], CU2BYTES(size));
*listp++ = sp;
if (lensp != NULL) *lensp++ = size;
sp += size;
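Review bot: the `if (size != 0)` guard is correct only because an unset capture collapses to size 0, which holds since an unset pair has ovector[i] == ovector[i+1] == PCRE2_UNSET, so `ovector[i+1] > ovector[i]` is false and the ternary yields 0; the added comment should spell out that invariant rather than just "Size == 0 includes the case when the capture is unset", so that a future change to how unset offsets are represented cannot silently reintroduce the overflow. An alternative that documents intent more directly is to test `ovector[i] != PCRE2_UNSET` before forming the pointer, at the cost of no longer skipping the harmless zero-length copy for set-but-empty captures; either way `*listp++ = sp` and `sp += size` stay correct for the unset case, since sp is advanced by zero and the list entry points at an empty string.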