From fe20acee329b0a11c6645b7a86021bd34488c94e Mon Sep 17 00:00:00 2001
From: David Mitchell
Date: Thu, 3 Jan 2013 14:17:25 +0000
Subject: S_has_runtime_code(): avoid buffer overrun

This function looks for '(?{' style strings in a pattern. If the last char in the pattern was '(', it could read a couple of bytes off the end of the pattern. This is harmless from a logic and security viewpoint since false positives are ok; but I'm still fixing it for correctness's sake.
---
 regcomp.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'regcomp.c')

diff --git a/regcomp.c b/regcomp.c
index a6090ed0e7..d2535f0f0a 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -4851,8 +4851,9 @@ S_has_runtime_code(pTHX_ RExC_state_t * const pRExC_state, OP *expr,
 }
 /* TODO ideally should handle [..], (#..), /#.../x to reduce false
 * positives here */
- if (pat[s] == '(' && pat[s+1] == '?' &&
- (pat[s+2] == '{' || (pat[s+2] == '?' && pat[s+3] == '{'))
+ if (pat[s] == '(' && s+2 <= plen && pat[s+1] == '?' &&
+ (pat[s+2] == '{'
+ || (s + 2 <= plen && pat[s+2] == '?' && pat[s+3] == '{'))
 )
 return 1;
 }
--
cgit v1.2.1
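Review bot: The two bounds checks added to the new `if` are the same test, `s+2 <= plen`, so the inner one does not bound `pat[s+3]` at all, and both still permit `pat[s+2]` to be read at index `plen`, one past the last pattern byte; whether that byte is a readable NUL terminator is not shown in the hunk. The `(??{` branch needs a guard on `s+3`, e.g. `if (pat[s] == '(' && s + 2 < plen && pat[s+1] == '?' &&` and `|| (s + 3 < plen && pat[s+2] == '?' && pat[s+3] == '{'))`, which keeps every index strictly below `plen`. The commit message notes that a false positive is harmless here, so this affects only the out-of-range read, not the result the function returns. S_has_runtime_code and the loop that advances `s` both begin outside the hunk, so the exact range of `s` is inferred from the `@@` context rather than visible.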