pcre2_match: improve match_ref() logic for robustness

carenas · carenas · commit 91cf4963c5f2 · 2025-08-27T09:42:27.000-07:00
A recently fixed bug in Scan Substring triggered problems in the
current logic that would result in crashes and the skipping of
safewards.

Add an assert to validate that this function is never called with
an `eptr` over the end of the subject and use the correct return
value for non partial matches of back references.
diff --git a/src/pcre2_match.c b/src/pcre2_match.c
@@ -387,6 +387,7 @@ if (offset >= Foffset_top || Fovector[offset] == PCRE2_UNSET)
 eptr = eptr_start = Feptr;
 p = mb->start_subject + Fovector[offset];
 length = Fovector[offset+1] - Fovector[offset];
+PCRE2_ASSERT(eptr <= mb->end_subject);
 
 if (caseless)
   {
@@ -485,8 +486,8 @@ else
 
   else
     {
-    if ((PCRE2_SIZE)(mb->end_subject - eptr) < length) return 1; /* Partial */
-    if (memcmp(p, eptr, CU2BYTES(length)) != 0) return -1;  /* No match */
+    if ((PCRE2_SIZE)(mb->end_subject - eptr) < length ||
+        memcmp(p, eptr, CU2BYTES(length)) != 0) return -1;  /* No match */
     eptr += length;
     }
   }
diff --git a/src/pcre2test.c b/src/pcre2test.c
@@ -7956,12 +7956,12 @@ Returns:    PR_OK     continue processing next line
 static int
 process_data(void)
 {
-PCRE2_SIZE len, ulen, arg_ulen;
+PCRE2_SIZE ulen, arg_ulen;
 uint32_t gmatched;
 uint32_t c, k;
 uint32_t g_notempty = 0;
 uint8_t *p, *pp, *start_rep;
-size_t needlen;
+size_t len, needlen;
 void *use_dat_context;
 BOOL utf;
 BOOL subject_literal;
@@ -8478,11 +8478,11 @@ the unused start of the buffer unaddressable. If we are using the POSIX
 interface, or testing zero-termination, we must include the terminating zero in
 the usable data. */
 
-c = code_unit_size * (((pat_patctl.control & CTL_POSIX) +
-                       (dat_datctl.control & CTL_ZERO_TERMINATE) != 0)? 1:0);
-pp = memmove(dbuffer + dbuffer_size - len - c, dbuffer, len + c);
+c = code_unit_size * ((((pat_patctl.control & CTL_POSIX) != 0) +
+                       ((dat_datctl.control & CTL_ZERO_TERMINATE) != 0))? 1 : 0);
+pp = memmove(dbuffer + dbuffer_size - (len + c), dbuffer, len + c);
 #ifdef SUPPORT_VALGRIND
-  VALGRIND_MAKE_MEM_NOACCESS(dbuffer, dbuffer_size - (len + c));
+VALGRIND_MAKE_MEM_NOACCESS(dbuffer, dbuffer_size - (len + c));
 #endif
 
 #if defined(EBCDIC) && !EBCDIC_IO
diff --git a/testdata/testinput2 b/testdata/testinput2
@@ -6753,6 +6753,9 @@ a)"xI
     abxyz
     efgxyz
 
+/(a)(b+)(*scs:(1)a(*ACCEPT))(\2)/
+    abbb
+
 # Duplicated capture references
 
 /(a)(b)(c)(d)(*scs:(4,3,1,2,2,1,3,3,4,4)x)/B
diff --git a/testdata/testoutput2 b/testdata/testoutput2
@@ -20258,6 +20258,13 @@ No match
  2: 
  3: 
 
+/(a)(b+)(*scs:(1)a(*ACCEPT))(\2)/
+    abbb
+ 0: abb
+ 1: a
+ 2: b
+ 3: b
+
 # Duplicated capture references
 
 /(a)(b)(c)(d)(*scs:(4,3,1,2,2,1,3,3,4,4)x)/B

Original file line number	Diff line number	Diff line change
`@@ -387,6 +387,7 @@ if (offset >= Foffset_top \|\| Fovector[offset] == PCRE2_UNSET)`
`387`	`387`	`eptr = eptr_start = Feptr;`
`388`	`388`	`p = mb->start_subject + Fovector[offset];`
`389`	`389`	`length = Fovector[offset+1] - Fovector[offset];`
	`390`	`+PCRE2_ASSERT(eptr <= mb->end_subject);`
`390`	`391`
`391`	`392`	`if (caseless)`
`392`	`393`	`{`
`@@ -485,8 +486,8 @@ else`
`485`	`486`
`486`	`487`	`else`
`487`	`488`	`{`
`488`		`- if ((PCRE2_SIZE)(mb->end_subject - eptr) < length) return 1; /* Partial */`
`489`		`- if (memcmp(p, eptr, CU2BYTES(length)) != 0) return -1; /* No match */`
	`489`	`+ if ((PCRE2_SIZE)(mb->end_subject - eptr) < length \|\|`
	`490`	`+ memcmp(p, eptr, CU2BYTES(length)) != 0) return -1; /* No match */`
`490`	`491`	`eptr += length;`
`491`	`492`	`}`
`492`	`493`	`}`