Re: [pcre-dev] pcre2_substring_length_bynumber(): Negative …

Author: ph10
Date:  
To: Ralf Junker
CC: pcre-dev@exim.org
Subject: Re: [pcre-dev] pcre2_substring_length_bynumber(): Negative underflow for (?=ab\K)
On Fri, 12 Dec 2014, Ralf Junker wrote:

> The pattern
>
> (?=ab\K)
>
> is documented that it may return a start of the match greater than the end of
> the match. This is true, for example, for the subject
>
> ab
>
> which yields 2 for start and 0 for end.
>
> Using pcre2_substring_length_bynumber() to determine the length of this
> pattern leads to a negative underflow and yields 4294967294 on 32-bit systems,
> 18446744073709551614 on 64-bit.
>
> All pcre2_substring_...() functions involving pattern length calculation seem
> affected by this underflow.
>
> In particular, pcre2_substring_get_...() allocate memory based on this
> incorrect computation, which can easily lead to out of memory situations.


Oh how embarrassing; that's another nasty bug you have found. If we ever
meet, I clearly owe you lots of beer.

Philip

--
Philip Hazel
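An added example, not code from the PCRE2 project or from either message above, modelling the arithmetic the report describes. PCRE2 stores match offsets as unsigned PCRE2_SIZE values in an ovector of (start, end) pairs, so when \K has moved the start past the end, a bare "end minus start" wraps to SIZE_MAX - 1 rather than going negative. The ovector contents below are constructed to match the reported case (start 2, end 0 for group 0 of (?=ab\K) against "ab"); the error code name is an assumption, not a real PCRE2 constant, and the real library is not linked.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the PCRE2 ovector layout: group n occupies
 * ovector[2n] (start) and ovector[2n+1] (end). PCRE2_SIZE is size_t,
 * so all offsets are unsigned. */

/* The unchecked computation the report describes: end - start on unsigned
 * offsets. With start > end this wraps instead of producing a negative value
 * (4294967294 on 32-bit, 18446744073709551614 on 64-bit). */
size_t substring_length_unchecked(const size_t *ovector, unsigned int n)
{
    return ovector[2 * n + 1] - ovector[2 * n];
}

/* Hypothetical error code for this example; PCRE2 has its own codes. */
#define EXAMPLE_ERR_INVERTED (-100)

/* Guarded computation: refuse to produce a length when start > end, so a
 * caller never sizes an allocation from a wrapped value. Returns 0 on success
 * and a negative code otherwise, mirroring the pcre2 convention. */
int substring_length_checked(const size_t *ovector, unsigned int n, size_t *lenp)
{
    size_t start = ovector[2 * n];
    size_t end   = ovector[2 * n + 1];
    if (start > end) {
        return EXAMPLE_ERR_INVERTED;
    }
    *lenp = end - start;
    return 0;
}

/* Constructed ovector for (?=ab\K) matched against "ab": the report gives
 * start 2, end 0 for group 0. */
static const size_t inverted_ovector[2] = { 2, 0 };

/* Constructed ovector for an ordinary match covering "ab": start 0, end 2. */
static const size_t normal_ovector[2] = { 0, 2 };

int main(void)
{
    size_t len = 0;

    printf("unchecked length for inverted match: %zu\n",
           substring_length_unchecked(inverted_ovector, 0));

    if (substring_length_checked(inverted_ovector, 0, &len) != 0)
        printf("checked: start > end, no length computed\n");

    if (substring_length_checked(normal_ovector, 0, &len) == 0)
        printf("checked length for normal match: %zu\n", len);

    return 0;
}
```

The practical takeaway for callers is the same as for the library: whenever \K can appear in a lookahead, compare the two offsets before deriving a length or buffer size from them.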