From a0d04b9fa3e57d49d82763b3cd39334deebad9a7 Mon Sep 17 00:00:00 2001
From: "Philip.Hazel"
Date: Sun, 1 Nov 2015 16:36:20 +0000
Subject: [PATCH] Fix off-by-one bug in pcre2_substitute().
---
 ChangeLog | 3 +++
 src/pcre2_substitute.c | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index f58c3c7..f1fed5e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -245,6 +245,9 @@ digit was given after the decimal point, or if more than two digits were given.
 It now works with one or two digits, and gives a compile time error if more are given.
+71. In pcre2_substitute() there was the possibility of reading one code unit
+beyond the end of the replacement string.
+
 Version 10.20 30-June-2015
 --------------------------
diff --git a/src/pcre2_substitute.c b/src/pcre2_substitute.c
index f5b4473..1c60381 100644
--- a/src/pcre2_substitute.c
+++ b/src/pcre2_substitute.c
@@ -427,8 +427,8 @@ do
 {
 name[n++] = next;
 if (n > 32) goto BAD;
- if (ptr >= repend) break;
- next = *(++ptr);
+ if (++ptr >= repend) break;
+ next = *ptr;
 }
 if (n == 0) goto BAD;
 name[n] = 0;
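Review bot: With the increment moved into the bounds test, the loop in src/pcre2_substitute.c can now exit with `ptr == repend` while `next` still holds the last name code unit, and nothing in the hunk records that. Code following `name[n] = 0;` (outside this hunk) must test `ptr < repend` before it reads `*ptr` or treats `next` as the terminating character. I would add a comment on the new test, `/* advance first: ptr == repend means nothing is left to read; next keeps the last name unit */`, so the invariant survives later edits. The patch touches only ChangeLog and this file, so a regression case is worth adding: a replacement that ends inside a `$name` reference, passed with an explicit length and no terminating zero, run under a memory checker. The loop header and the declaration of `name` are outside the hunk, so the 32-unit limit is assumed to match the buffer size.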