diff liboctave/util/lo-regexp.cc @ 31119:5cf18ef0377c stable
regexp: Check pattern length before accessing it (bug #62704).
* liboctave/util/lo-regexp.cc (regexp::compile_internal): Check string length
before accessing character at position.
* libinterp/corefcn/regexp.cc (Fregexp): Add test.
author | Markus Mützel <markus.muetzel@gmx.de> |
---|---|
date | Mon, 04 Jul 2022 20:36:01 +0200 |
parents | 796f54d4ddbf |
children | 7d3bda173b63 |
--- a/liboctave/util/lo-regexp.cc Wed Jun 29 19:07:19 2022 +0200
+++ b/liboctave/util/lo-regexp.cc Mon Jul 04 20:36:01 2022 +0200
@@ -83,9 +83,11 @@
 while ((new_pos = m_pattern.find ("(?", pos)) != std::string::npos)
 {
- if (m_pattern.at (new_pos + 2) == '<'
- && !(m_pattern.at (new_pos + 3) == '='
- || m_pattern.at (new_pos + 3) == '!'))
+ if (m_pattern.size () > new_pos + 2
+ && m_pattern.at (new_pos + 2) == '<'
+ && ! (m_pattern.size () > new_pos + 3
+ && (m_pattern.at (new_pos + 3) == '='
+ || m_pattern.at (new_pos + 3) == '!')))
 {
 // The syntax of named tokens in pcre is "(?P<name>...)" while
 // we need a syntax "(?<name>...)", so fix that here. Also an
@@ -137,7 +139,8 @@
 pos = tmp_pos;
 }
- else if (m_pattern.at (new_pos + 2) == '<')
+ else if (m_pattern.size () > new_pos + 2
+ && m_pattern.at (new_pos + 2) == '<')
 {
 // Find lookbehind operators of arbitrary length (ie like
 // "(?<=[a-z]*)") and replace with a maximum length operator
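Review bot: In the first hunk, a pattern that ends right after `(?<` now satisfies the whole condition, because `! (m_pattern.size () > new_pos + 3 && ...)` is true when there is no character at `new_pos + 3`, so the truncated input is routed into the named-token branch. That branch's body continues outside the hunk, so it should be confirmed there that a name with no closing `>` is rejected as a regexp syntax error before any position derived from it is used. A one-line comment above the condition would record the intent, for example `// Check the length first: a pattern may end right after "(?" or "(?<".` The length guard added to the `else if` in the second hunk reads correctly; since `at ()` throws `std::out_of_range` rather than reading past the end, the guards there replace an exception on a short pattern with an ordinary non-match.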