Revision: 406
http://www.exim.org/viewvc/pcre2?view=rev&revision=406
Author: ph10
Date: 2015-11-01 16:54:17 +0000 (Sun, 01 Nov 2015)
Log Message:
-----------
Fix dodgy code for UTF-32 checking.
Modified Paths:
--------------
code/trunk/ChangeLog
code/trunk/src/pcre2_match.c
Modified: code/trunk/ChangeLog
===================================================================
--- code/trunk/ChangeLog 2015-11-01 16:36:20 UTC (rev 405)
+++ code/trunk/ChangeLog 2015-11-01 16:54:17 UTC (rev 406)
@@ -248,7 +248,11 @@
71. In pcre2_substitute() there was the possibility of reading one code unit
beyond the end of the replacement string.
+72. The code for checking a subject's UTF-32 validity for a pattern with a
+lookbehind involved an out-of-bounds pointer, which could potentially cause
+trouble in some environments.
+
Version 10.20 30-June-2015
--------------------------
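Review bot: the new entry 72 names the symptom ("an out-of-bounds pointer") but not the triggering condition; a reader of the ChangeLog cannot tell when the old code went wrong. Suggest adding the condition the code comment in pcre2_match.c gives, e.g. "when max_lookbehind was larger than the start offset into the subject, the pointer subtraction produced a pointer before the start of the subject", so the entry can be matched to the fix without reading the source.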
Modified: code/trunk/src/pcre2_match.c
===================================================================
--- code/trunk/src/pcre2_match.c 2015-11-01 16:36:20 UTC (rev 405)
+++ code/trunk/src/pcre2_match.c 2015-11-01 16:54:17 UTC (rev 406)
@@ -6566,9 +6566,15 @@
#endif /* PCRE2_CODE_UNIT_WIDTH == 8 */
check_subject--;
}
-#else /* In the 32-bit library, one code unit equals one character. */
- check_subject -= re->max_lookbehind;
- if (check_subject < subject) check_subject = subject;
+#else
+ /* In the 32-bit library, one code unit equals one character. However,
+ we cannot just subtract the lookbehind and then compare pointers, because
+ a very large lookbehind could create an invalid pointer. */
+
+ if (start_offset >= re->max_lookbehind)
+ check_subject -= re->max_lookbehind;
+ else
+ check_subject = subject;
#endif /* PCRE2_CODE_UNIT_WIDTH != 32 */
}
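Review bot: the new guard is correct only if check_subject still equals subject + start_offset at this point; the removed lines computed the bound from the pointer itself, whereas the replacement computes it from start_offset, so the two must not have drifted apart earlier in the function. Suggest stating that invariant in the comment (or asserting it) so a later edit that advances check_subject before this block cannot silently reintroduce the bug. The change itself is sound: in C, forming a pointer that points before the start of the subject array is undefined behaviour even if it is never dereferenced, so the old `check_subject -= re->max_lookbehind; if (check_subject < subject)` sequence was wrong regardless of whether any platform misbehaved, and comparing the unsigned offsets `start_offset >= re->max_lookbehind` before touching the pointer is the right shape for the check. Minor: the `#endif /* PCRE2_CODE_UNIT_WIDTH != 32 */` comment closes a block whose `#else` branch is the 32-bit one; renaming it to reflect the whole `#if`/`#else` pair (e.g. "end of 8/16-bit vs 32-bit lookbehind adjustment") would read more clearly.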