# HG changeset patch
# User Markus Mützel
# Date 1656959761 -7200
# Node ID 5cf18ef0377ccf457a90d135f091f17ea5afbaad
# Parent 7060de0b45e51974a58c2630a2fab1acce1aa5b8
regexp: Check pattern length before accessing it (bug #62704).
* liboctave/util/lo-regexp.cc (regexp::compile_internal): Check string length before accessing character at position.
* libinterp/corefcn/regexp.cc (Fregexp): Add test.
diff -r 7060de0b45e5 -r 5cf18ef0377c libinterp/corefcn/regexp.cc
--- a/libinterp/corefcn/regexp.cc Wed Jun 29 19:07:19 2022 +0200
+++ b/libinterp/corefcn/regexp.cc Mon Jul 04 20:36:01 2022 +0200
@@ -912,6 +912,7 @@
 ## segfault test
 %!assert (regexp ("abcde", "."), [1,2,3,4,5])
+%!assert <*62704> (regexpi('(', '\(?'), 1)
 ## Infinite loop test
 %!assert (isempty (regexp ("abcde", "")))
diff -r 7060de0b45e5 -r 5cf18ef0377c liboctave/util/lo-regexp.cc
--- a/liboctave/util/lo-regexp.cc Wed Jun 29 19:07:19 2022 +0200
+++ b/liboctave/util/lo-regexp.cc Mon Jul 04 20:36:01 2022 +0200
@@ -83,9 +83,11 @@
 while ((new_pos = m_pattern.find ("(?", pos)) != std::string::npos)
 {
- if (m_pattern.at (new_pos + 2) == '<' && !(m_pattern.at (new_pos + 3) == '=' || m_pattern.at (new_pos + 3) == '!'))
+ if (m_pattern.size () > new_pos + 2 && m_pattern.at (new_pos + 2) == '<' && ! (m_pattern.size () > new_pos + 3 && (m_pattern.at (new_pos + 3) == '=' || m_pattern.at (new_pos + 3) == '!')))
 {
 // The syntax of named tokens in pcre is "(?P...)" while
 // we need a syntax "(?...)", so fix that here. Also an
@@ -137,7 +139,8 @@
 pos = tmp_pos;
 }
- else if (m_pattern.at (new_pos + 2) == '<')
+ else if (m_pattern.size () > new_pos + 2 && m_pattern.at (new_pos + 2) == '<')
 {
 // Find lookbehind operators of arbitrary length (ie like
 // "(?<=[a-z]*)") and replace with a maximum length operator
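Review bot: The added assertion covers only a pattern that is cut off right after `(?`; the companion change in lo-regexp.cc also alters which branch is taken when the pattern is cut off after `(?<`, and nothing in this test block exercises that case. A sibling line under the same `## segfault test` heading with a pattern ending in `(?<` would pin it down, though the expected value has to be confirmed first — if PCRE rejects the truncated pattern, `%!error` rather than `%!assert` is the right form. The chosen pattern `'\(?'` also shows that the `find ("(?", pos)` scan in lo-regexp.cc matches a backslash-escaped `(`; a one-line comment saying that the escape is intentional would stop someone from "fixing" the test later.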
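Review bot: With the new guard, a pattern that ends exactly at `(?<` makes the inner `m_pattern.size () > new_pos + 3 && (…)` false, so the outer `! (…)` is true and the named-token branch is entered; that branch's body continues past the hunk, and it is there that characters beyond `new_pos + 3` are read, so unless it bounds-checks on its own the out-of-range access is moved rather than removed — worth reading to the end of the branch and covering `(?<` in the test. The same `size () > new_pos + 2 && at (new_pos + 2) == '<'` pair now appears in both hunks; since the loop appears to rewrite m_pattern in place, its size cannot simply be hoisted, but a one-line helper declared before the `while` keeps both conditions readable: `auto char_at_is = [this] (std::size_t i, char c) { return i < m_pattern.size () && m_pattern[i] == c; };`, giving `if (char_at_is (new_pos + 2, '<') && ! (char_at_is (new_pos + 3, '=') || char_at_is (new_pos + 3, '!')))` and `else if (char_at_is (new_pos + 2, '<'))`. compile_internal begins and ends outside the hunk.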