regcomp.c: Don't read beyond input
author Karl Williamson <public@khwilliamson.com>
Tue, 29 Nov 2011 21:57:02 +0000 (14:57 -0700)
committer Karl Williamson <public@khwilliamson.com>
Fri, 13 Jan 2012 16:58:36 +0000 (09:58 -0700)
This code was assuming that there were several more bytes in the input
stream, when there may not be.  This was discovered by valgrind.

regcomp.c

index 99668c3..f8d77ef 100644 (file)
--- a/regcomp.c
+++ b/regcomp.c
@@ -11190,8 +11190,11 @@ S_nextchar(pTHX_ RExC_state_t *pRExC_state)
     PERL_ARGS_ASSERT_NEXTCHAR;
 
     for (;;) {
-       if (*RExC_parse == '(' && RExC_parse[1] == '?' &&
-               RExC_parse[2] == '#') {
+       if (RExC_end - RExC_parse >= 3
+           && *RExC_parse == '('
+           && RExC_parse[1] == '?'
+           && RExC_parse[2] == '#')
+       {
            while (*RExC_parse != ')') {
                if (RExC_parse == RExC_end)
                    FAIL("Sequence (?#... not terminated");
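Review bot: the inner loop in the trailing context still dereferences before it checks the bound: `while (*RExC_parse != ')')` evaluates `*RExC_parse` first, and only then does the body test `RExC_parse == RExC_end`. The new `RExC_end - RExC_parse >= 3` guard makes the first read safe, but on any later iteration where the pointer has reached RExC_end the loop condition reads the byte at RExC_end before the FAIL can fire. That read is only harmless if the pattern buffer is guaranteed to carry a terminator at RExC_end, which these lines do not show. Consider putting the bound into the condition, for example `while (RExC_parse < RExC_end && *RExC_parse != ')')`, and raising the "not terminated" FAIL after the loop when RExC_parse == RExC_end. A short comment on the new guard saying that 3 is the length of "(?#" would also help the next reader.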