diff options
author | David Mitchell <davem@iabyn.com> | 2012-10-19 10:14:56 +0100 |
---|---|---|
committer | David Mitchell <davem@iabyn.com> | 2012-10-19 10:50:22 +0100 |
commit | 1443c94c5785506d57ff756925baa65702a6cf98 (patch) | |
tree | 6f8f9a4b884c359689d27193af1bc5e12b864152 /regexec.c | |
parent | e6ca698ca4309632ab09826ad47492d2934e10bd (diff) | |
download | perl-1443c94c5785506d57ff756925baa65702a6cf98.tar.gz |
regmatch(): fix out bounds array access
The code for EXACTF and similar tests that
UCHARAT(s) != fold_array[nextchr]
but doesn't check first that nextchr != NEXTCHR_EOS (-10), so it can
access the byte 10 bytes before the start of one of the PL_fold_latin1 or
similar arrays. Although undesirable, it's harmless, as the worst it can
achieve is a false positive match of the first char of the EXACTF string,
which will then still fail on a full compare of the string.
Diffstat (limited to 'regexec.c')
-rw-r--r-- | regexec.c | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -4206,8 +4206,9 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog) } /* Neither the target nor the pattern are utf8 */ - if (UCHARAT(s) != nextchr && - UCHARAT(s) != fold_array[nextchr]) + if (UCHARAT(s) != nextchr + && !NEXTCHR_IS_EOS + && UCHARAT(s) != fold_array[nextchr]) { sayNO; } |