author | David Mitchell <davem@iabyn.com> | 2013-01-03 14:17:25 +0000 |
---|---|---|
committer | David Mitchell <davem@iabyn.com> | 2013-01-03 14:17:25 +0000 |
commit | fe20acee329b0a11c6645b7a86021bd34488c94e (patch) | |
tree | 09ea4f5283fc07cd843b96e0dc96484732ef64ff /regcomp.c | |
parent | 67b16946469d4388672de15e6209c0f7f2d100bb (diff) | |
download | perl-fe20acee329b0a11c6645b7a86021bd34488c94e.tar.gz |
S_has_runtime_code(): avoid buffer overrun
This function looks for '(?{' style strings in a pattern. If the last char
in the pattern was '(', it could read a couple of bytes off the end of
the pattern. This is harmless from a logic and security viewpoint since
false positives are ok; but I'm still fixing it for correctness's sake.
Diffstat (limited to 'regcomp.c')
-rw-r--r-- | regcomp.c | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -4851,8 +4851,9 @@ S_has_runtime_code(pTHX_ RExC_state_t * const pRExC_state, OP *expr, } /* TODO ideally should handle [..], (#..), /#.../x to reduce false * positives here */ - if (pat[s] == '(' && pat[s+1] == '?' && - (pat[s+2] == '{' || (pat[s+2] == '?' && pat[s+3] == '{')) + if (pat[s] == '(' && s+2 <= plen && pat[s+1] == '?' && + (pat[s+2] == '{' + || (s + 2 <= plen && pat[s+2] == '?' && pat[s+3] == '{')) ) return 1; } |
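Review bot: the inner guard in the `(??{` branch, `s + 2 <= plen`, repeats the outer condition and does not cover the `pat[s+3]` read that follows it, so that read can still land past the end when the pattern ends in `(??`. It should bound the index it actually protects, for example `s + 3 <= plen`. Separately, if `plen` is the byte length of `pat` (assumed from the name; its definition is not visible in this hunk), `<=` still admits index `plen` itself, so both checks depend on a readable terminator byte after the pattern. Using `s + 2 < plen` and `s + 3 < plen` would keep every read inside the buffer; otherwise a short comment stating that the trailing byte is guaranteed would make the intent clear.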