S_has_runtime_code(): avoid buffer overrun

This function looks for '(?{' style strings in a pattern. If the last char
in the pattern was '(', it could read a couple of bytes off the end of
the pattern. This is harmless from a logic and security viewpoint since
false positives are ok; but I'm still fixing it for correctness's sake.

diff --git a/regcomp.c b/regcomp.c
index a6090ed..d2535f0 100644 (file)
--- a/regcomp.c
+++ b/regcomp.c
@@ -4851,8 +4851,9 @@ S_has_runtime_code(pTHX_ RExC_state_t * const pRExC_state, OP *expr,
        }
        /* TODO ideally should handle [..], (#..), /#.../x to reduce false
         * positives here */
-       if (pat[s] == '(' && pat[s+1] == '?' &&
-           (pat[s+2] == '{' || (pat[s+2] == '?' && pat[s+3] == '{'))
+       if (pat[s] == '(' && s+2 <= plen && pat[s+1] == '?' &&
+           (pat[s+2] == '{'
+                || (s + 2 <= plen && pat[s+2] == '?' && pat[s+3] == '{'))
        )
            return 1;
     }