From 3f4e0af094ac3d6facb7b8e581ba4bdf47d7d45d Mon Sep 17 00:00:00 2001 From: ph10 Date: Fri, 9 Dec 2016 18:19:38 +0000 Subject: [PATCH] Fix OOB error in substitute with start offset longer than length. MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Petr Pisar: Port to 10.22: commit a27071aeed86de6febe845edb6c7376faa2176ba Author: ph10 Date: Fri Dec 9 18:19:38 2016 +0000 Fix OOB error in substitute with start offset longer than length. git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@616 6239d852-aaf2-0410-a92c-79f79f948069 Signed-off-by: Petr Písař
---
 src/pcre2_substitute.c | 6 ++++++ testdata/testinput2 | 3 +++ testdata/testoutput2 | 4 ++++ 3 files changed, 13 insertions(+)
diff --git a/src/pcre2_substitute.c b/src/pcre2_substitute.c
index 0bf781e..2467d16 100644
--- a/src/pcre2_substitute.c
+++ b/src/pcre2_substitute.c
@@ -287,6 +287,12 @@ options &= ~SUBSTITUTE_OPTIONS;
 /* Copy up to the start offset */
+if (start_offset > length)
+ {
+ match_data->leftchar = 0;
+ rc = PCRE2_ERROR_BADOFFSET;
+ goto EXIT;
+ }
 CHECKMEMCPY(subject, start_offset);
 /* Loop for global substituting. */
diff --git a/testdata/testinput2 b/testdata/testinput2
index a7c1ab3..e2865b2 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4831,4 +4831,7 @@ a)"xI
 /(\x0e00\000000\xc)/replace=\P,substitute_extended
 \x0e00\000000\xc
+//replace=0
+\=offset=7
+
 # End of testinput2
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index 9c478bb..29de949 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -15235,6 +15235,10 @@ No match
 \x0e00\000000\xc
 Failed: error -57 at offset 2 in replacement: bad escape sequence in replacement string
+//replace=0
+\=offset=7
+Failed: error -33: bad offset value
+
 # End of testinput2
 Error -63: PCRE2_ERROR_BADDATA (unknown error number)
 Error -62: bad serialized data
-- 2.7.4
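Review bot: The new `start_offset > length` guard in src/pcre2_substitute.c only protects the `CHECKMEMCPY(subject, start_offset)` copy if `length` already holds the real subject length at this point. If a caller's `PCRE2_ZERO_TERMINATED` value were still in `length`, the comparison could never be true and the out-of-bounds read would remain. That conversion is not visible in this hunk (the function starts and ends outside it), so it is worth confirming that it happens earlier in the function. The block would also benefit from a comment explaining why the check lives here, for example `/* Validate the offset before copying: this copy presumably runs before any match call could reject it. */`. A few words on why `match_data->leftchar` is reset before `goto EXIT` would help too.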