author: David Mitchell <davem@iabyn.com> 2012-10-19 10:14:56 +0100
committer: David Mitchell <davem@iabyn.com> 2012-10-19 10:50:22 +0100
commit: 1443c94c5785506d57ff756925baa65702a6cf98
tree: 6f8f9a4b884c359689d27193af1bc5e12b864152 /regexec.c
parent: e6ca698ca4309632ab09826ad47492d2934e10bd
regmatch(): fix out of bounds array access
The code for EXACTF and similar tests that UCHARAT(s) != fold_array[nextchr] but doesn't check first that nextchr != NEXTCHR_EOS (-10), so it can access the byte 10 bytes before the start of one of the PL_fold_latin1 or similar arrays. Although undesirable, it's harmless, as the worst it can achieve is a false positive match of the first char of the EXACTF string, which will then still fail on a full compare of the string.
Diffstat (limited to 'regexec.c')
-rw-r--r-- regexec.c 5
1 files changed, 3 insertions, 2 deletions
diff --git a/regexec.c b/regexec.c
index 0ee1c5abd4..8ee8a8f26b 100644
--- a/regexec.c
+++ b/regexec.c
@@ -4206,8 +4206,9 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
}
/* Neither the target nor the pattern are utf8 */
- if (UCHARAT(s) != nextchr &&
- UCHARAT(s) != fold_array[nextchr])
+ if (UCHARAT(s) != nextchr
+ && !NEXTCHR_IS_EOS
+ && UCHARAT(s) != fold_array[nextchr])
{
sayNO;
}
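Review bot: with the added `&& !NEXTCHR_IS_EOS` term the whole condition is false at end of string, so the quick `sayNO` is skipped there and rejection now depends entirely on the later full compare that the commit message mentions; nothing in the code says that this fall-through is intentional. A one-line comment above the `if` would help, stating that `nextchr` can be the negative NEXTCHR_EOS sentinel and that the guard must stay ahead of `fold_array[nextchr]`, because the `&&` short-circuit is the only thing keeping the negative index out of the array. It is also worth asking whether end of string should simply be rejected here rather than deferred. The message speaks of "EXACTF and similar" code, but this is the only hunk in the patch, so any other `fold_array[nextchr]` lookups in regexec.c should be checked for the same missing guard.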