Revision: 405
http://www.exim.org/viewvc/pcre2?view=rev&revision=405
Author: ph10
Date: 2015-11-01 16:36:20 +0000 (Sun, 01 Nov 2015)
Log Message:
-----------
Fix off-by-one bug in pcre2_substitute().
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_substitute.c
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-11-01 16:28:13 UTC (rev 404)
+++ code/trunk/ChangeLog 2015-11-01 16:36:20 UTC (rev 405)
@@ -245,7 +245,10 @@
It now works with one or two digits, and gives a compile time error if more are
given.
+71. In pcre2_substitute() there was the possibility of reading one code unit
+beyond the end of the replacement string.
+
Version 10.20 30-June-2015
--------------------------
Modified: code/trunk/src/pcre2_substitute.c
===================================================================
--- code/trunk/src/pcre2_substitute.c 2015-11-01 16:28:13 UTC (rev 404)
+++ code/trunk/src/pcre2_substitute.c 2015-11-01 16:36:20 UTC (rev 405)
@@ -427,8 +427,8 @@
{
name[n++] = next;
if (n > 32) goto BAD;
- if (ptr >= repend) break;
- next = *(++ptr);
+ if (++ptr >= repend) break;
+ next = *ptr;
}
if (n == 0) goto BAD;
name[n] = 0;