From: David Mitchell Date: Thu, 3 Jan 2013 14:17:25 +0000 (+0000) Subject: S_has_runtime_code(): avoid buffer overrun X-Git-Tag: upstream/5.20.0~4301 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=fe20acee329b0a11c6645b7a86021bd34488c94e;p=platform%2Fupstream%2Fperl.git S_has_runtime_code(): avoid buffer overrun This function looks for '(?{' style strings in a pattern. If the last char in the pattern was '(', it could read a couple of bytes off the end of the pattern. This is harmless from a logic and security viewpoint since false positives are ok; but I'm still fixing it for correctness's sake. --- diff --git a/regcomp.c b/regcomp.c index a6090ed..d2535f0 100644 --- a/regcomp.c +++ b/regcomp.c @@ -4851,8 +4851,9 @@ S_has_runtime_code(pTHX_ RExC_state_t * const pRExC_state, OP *expr, } /* TODO ideally should handle [..], (#..), /#.../x to reduce false * positives here */ - if (pat[s] == '(' && pat[s+1] == '?' && - (pat[s+2] == '{' || (pat[s+2] == '?' && pat[s+3] == '{')) + if (pat[s] == '(' && s+2 <= plen && pat[s+1] == '?' && + (pat[s+2] == '{' + || (s + 2 <= plen && pat[s+2] == '?' && pat[s+3] == '{')) ) return 1; }
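Review bot: the inner guard added to the second alternative, `s + 2 <= plen`, is the same condition as the outer check on the first line of the `if`, so it is always true at that point and does not bound the `pat[s+3]` read it sits in front of. If `plen` is the length of `pat`, that branch can still read `pat[s+3]` at index `plen + 1` when the pattern ends in `(??`, which is the kind of read past the end the commit message sets out to remove. The inner test probably wants to be `s + 3 <= plen`. Separately, both guards use `<=`, so `pat[s+2]` may be read at index `plen` itself; that is only in bounds if the buffer is guaranteed to carry a terminating byte after the pattern. If that guarantee holds, a short comment saying so would help; if not, the comparisons should be strict (`s + 2 < plen`, `s + 3 < plen`).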