authorDavid Mitchell <davem@iabyn.com>2013-01-03 14:17:25 +0000
committerDavid Mitchell <davem@iabyn.com>2013-01-03 14:17:25 +0000
commitfe20acee329b0a11c6645b7a86021bd34488c94e (patch)
tree09ea4f5283fc07cd843b96e0dc96484732ef64ff /regcomp.c
parent67b16946469d4388672de15e6209c0f7f2d100bb (diff)
downloadperl-fe20acee329b0a11c6645b7a86021bd34488c94e.tar.gz
S_has_runtime_code(): avoid buffer overrun
This function looks for '(?{' style strings in a pattern. If the last char in the pattern was '(', it could read a couple of bytes off the end of the pattern. This is harmless from a logic and security viewpoint since false positives are ok; but I'm still fixing it for correctness's sake.
Diffstat (limited to 'regcomp.c')
-rw-r--r--regcomp.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/regcomp.c b/regcomp.c
index a6090ed0e7..d2535f0f0a 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -4851,8 +4851,9 @@ S_has_runtime_code(pTHX_ RExC_state_t * const pRExC_state, OP *expr,
}
/* TODO ideally should handle [..], (#..), /#.../x to reduce false
* positives here */
- if (pat[s] == '(' && pat[s+1] == '?' &&
- (pat[s+2] == '{' || (pat[s+2] == '?' && pat[s+3] == '{'))
+ if (pat[s] == '(' && s+2 <= plen && pat[s+1] == '?' &&
+ (pat[s+2] == '{'
+ || (s + 2 <= plen && pat[s+2] == '?' && pat[s+3] == '{'))
)
return 1;
}
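Review bot: The inner guard `s + 2 <= plen` on the last added line only repeats the outer test, so it does not bound the `pat[s+3]` read that follows it. Assuming plen is the byte length of pat (its definition and the loop bounds are outside the hunk), `s+2 <= plen` also admits a read of `pat[s+2]` at index plen, which means the reads stay inside the buffer only if pat carries a trailing NUL at `pat[plen]`. If that terminator is not guaranteed for every caller, the bounds should be `s + 2 < plen` before the `pat[s+2] == '{'` test and `s + 3 < plen` before `pat[s+3] == '{'`. If it is guaranteed, I would drop the redundant inner test and add a comment such as `/* reads up to pat[plen], which is the trailing NUL */` so the reliance is visible to the next reader.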