Store NULL in match_data->subject when subject was NULL.

IsaacOscar · NWilson · web-flow · commit a35c278b30fd · 2025-09-29T11:32:14.000Z
Previously, match_data->subject would store a pointer to a stack allocated string, but that pointer would be dangling as soon as pcre2_match/pcre2_dfa_match returned. These pointers were than memcpy'd (with a size of 0), which is technically undefined behaviour, despite ot causing any observable problems, even with valgrind. (cherry picked from commit d714d98) Co-authored-by: Nicholas Wilson <nicholas@nicholaswilson.me.uk>
diff --git a/src/pcre2_dfa_match.c b/src/pcre2_dfa_match.c
@@ -3347,6 +3347,7 @@ int was_zero_terminated = 0;
 const pcre2_real_code *re = (const pcre2_real_code *)code;
 
 PCRE2_UCHAR null_str[1] = { 0xcd };
+PCRE2_SPTR original_subject = subject;
 PCRE2_SPTR start_match;
 PCRE2_SPTR end_subject;
 PCRE2_SPTR bumpalong_limit;
@@ -4059,7 +4060,8 @@ for (;;)
       }
     else
       {
-      if (rc >= 0 || rc == PCRE2_ERROR_PARTIAL) match_data->subject = subject;
+      if (rc >= 0 || rc == PCRE2_ERROR_PARTIAL)
+        match_data->subject = original_subject;
       }
     goto EXIT;
     }
diff --git a/src/pcre2_match.c b/src/pcre2_match.c
@@ -6969,6 +6969,7 @@ PCRE2_UCHAR req_cu = 0;
 PCRE2_UCHAR req_cu2 = 0;
 
 PCRE2_UCHAR null_str[1] = { 0xcd };
+PCRE2_SPTR original_subject = subject;
 PCRE2_SPTR bumpalong_limit;
 PCRE2_SPTR end_subject;
 PCRE2_SPTR true_end_subject;
@@ -7184,7 +7185,6 @@ if (use_jit)
     match_data, mcontext);
   if (rc != PCRE2_ERROR_JIT_BADOPTION)
     {
-    match_data->subject_length = length;
     if (rc >= 0 && (options & PCRE2_COPY_MATCHED_SUBJECT) != 0)
       {
       length = CU2BYTES(length + was_zero_terminated);
@@ -7194,6 +7194,12 @@ if (use_jit)
       memcpy((void *)match_data->subject, subject, length);
       match_data->flags |= PCRE2_MD_COPIED_SUBJECT;
       }
+    else
+      {
+      /* When pcre2_jit_match sets the subject, it doesn't know what the
+      original passed-in pointer was. */
+      if (match_data->subject != NULL) match_data->subject = original_subject;
+      }
     return rc;
     }
   }
@@ -8148,7 +8154,7 @@ if (rc == MATCH_MATCH)
     memcpy((void *)match_data->subject, subject, length);
     match_data->flags |= PCRE2_MD_COPIED_SUBJECT;
     }
-  else match_data->subject = subject;
+  else match_data->subject = original_subject;
 
   return match_data->rc;
   }
@@ -8170,7 +8176,7 @@ PCRE2_ERROR_PARTIAL. */
 
 else if (match_partial != NULL)
   {
-  match_data->subject = subject;
+  match_data->subject = original_subject;
   match_data->subject_length = length;
   match_data->start_offset = start_offset;
   match_data->ovector[0] = match_partial - subject;
diff --git a/src/pcre2_substring.c b/src/pcre2_substring.c
@@ -122,7 +122,7 @@ PCRE2_SIZE size;
 rc = pcre2_substring_length_bynumber(match_data, stringnumber, &size);
 if (rc < 0) return rc;
 if (size + 1 > *sizeptr) return PCRE2_ERROR_NOMEMORY;
-memcpy(buffer, match_data->subject + match_data->ovector[stringnumber*2],
+if (size != 0) memcpy(buffer, match_data->subject + match_data->ovector[stringnumber*2],
   CU2BYTES(size));
 buffer[size] = 0;
 *sizeptr = size;
@@ -214,7 +214,7 @@ yield = PRIV(memctl_malloc)(sizeof(pcre2_memctl) +
   (size + 1)*PCRE2_CODE_UNIT_WIDTH, (pcre2_memctl *)match_data);
 if (yield == NULL) return PCRE2_ERROR_NOMEMORY;
 yield = (PCRE2_UCHAR *)(((char *)yield) + sizeof(pcre2_memctl));
-memcpy(yield, match_data->subject + match_data->ovector[stringnumber*2],
+if (size != 0) memcpy(yield, match_data->subject + match_data->ovector[stringnumber*2],
   CU2BYTES(size));
 yield[size] = 0;
 *stringptr = yield;
diff --git a/testdata/testinput2 b/testdata/testinput2
@@ -8113,4 +8113,8 @@ a)"xI
     foo\=copy_matched_subject
     foo\=global,copy_matched_subject
 
+# Tests for reading matches from NULL subjects
+/(.?)/
+    \=null_subject,copy=0,copy=1,get=0,get=1,getall
+
 # End of testinput2
diff --git a/testdata/testinput6 b/testdata/testinput6
@@ -5251,4 +5251,8 @@
 /^(?1(2))(?(DEFINE)(a(.)b))/
    axb
 
+# Tests for reading matches from NULL subjects
+/(.?)/
+    \=null_subject,copy=0,get=0,getall
+
 # End of testinput6
diff --git a/testdata/testoutput2 b/testdata/testoutput2
@@ -23241,6 +23241,18 @@ Failed: error -51: NULL argument passed with non-zero length
     foo\=global,copy_matched_subject
  1: bar
 
+# Tests for reading matches from NULL subjects
+/(.?)/
+    \=null_subject,copy=0,copy=1,get=0,get=1,getall
+ 0: 
+ 1: 
+ 0C  (0)
+ 1C  (0)
+ 0G  (0)
+ 1G  (0)
+ 0L 
+ 1L 
+
 # End of testinput2
 Error -80: PCRE2_ERROR_BADDATA (unknown error number)
 Error -62: bad serialized data
diff --git a/testdata/testoutput6 b/testdata/testoutput6
@@ -8218,4 +8218,12 @@ No match
    axb
 Failed: error -42: pattern contains an item that is not supported for DFA matching
 
+# Tests for reading matches from NULL subjects
+/(.?)/
+    \=null_subject,copy=0,get=0,getall
+ 0: 
+ 0C  (0)
+ 0G  (0)
+ 0L 
+
 # End of testinput6

Original file line number	Diff line number	Diff line change
`@@ -3347,6 +3347,7 @@ int was_zero_terminated = 0;`
`3347`	`3347`	`const pcre2_real_code re = (const pcre2_real_code )code;`
`3348`	`3348`
`3349`	`3349`	`PCRE2_UCHAR null_str[1] = { 0xcd };`
	`3350`	`+PCRE2_SPTR original_subject = subject;`
`3350`	`3351`	`PCRE2_SPTR start_match;`
`3351`	`3352`	`PCRE2_SPTR end_subject;`
`3352`	`3353`	`PCRE2_SPTR bumpalong_limit;`
`@@ -4059,7 +4060,8 @@ for (;;)`
`4059`	`4060`	`}`
`4060`	`4061`	`else`
`4061`	`4062`	`{`
`4062`		`- if (rc >= 0 \|\| rc == PCRE2_ERROR_PARTIAL) match_data->subject = subject;`
	`4063`	`+ if (rc >= 0 \|\| rc == PCRE2_ERROR_PARTIAL)`
	`4064`	`+ match_data->subject = original_subject;`
`4063`	`4065`	`}`
`4064`	`4066`	`goto EXIT;`
`4065`	`4067`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6969,6 +6969,7 @@ PCRE2_UCHAR req_cu = 0;`
`6969`	`6969`	`PCRE2_UCHAR req_cu2 = 0;`
`6970`	`6970`
`6971`	`6971`	`PCRE2_UCHAR null_str[1] = { 0xcd };`
	`6972`	`+PCRE2_SPTR original_subject = subject;`
`6972`	`6973`	`PCRE2_SPTR bumpalong_limit;`
`6973`	`6974`	`PCRE2_SPTR end_subject;`
`6974`	`6975`	`PCRE2_SPTR true_end_subject;`
`@@ -7184,7 +7185,6 @@ if (use_jit)`
`7184`	`7185`	`match_data, mcontext);`
`7185`	`7186`	`if (rc != PCRE2_ERROR_JIT_BADOPTION)`
`7186`	`7187`	`{`
`7187`		`- match_data->subject_length = length;`
`7188`	`7188`	`if (rc >= 0 && (options & PCRE2_COPY_MATCHED_SUBJECT) != 0)`
`7189`	`7189`	`{`
`7190`	`7190`	`length = CU2BYTES(length + was_zero_terminated);`
`@@ -7194,6 +7194,12 @@ if (use_jit)`
`7194`	`7194`	`memcpy((void *)match_data->subject, subject, length);`
`7195`	`7195`	`match_data->flags \|= PCRE2_MD_COPIED_SUBJECT;`
`7196`	`7196`	`}`
	`7197`	`+ else`
	`7198`	`+ {`
	`7199`	`+ /* When pcre2_jit_match sets the subject, it doesn't know what the`
	`7200`	`+ original passed-in pointer was. */`
	`7201`	`+ if (match_data->subject != NULL) match_data->subject = original_subject;`
	`7202`	`+ }`
`7197`	`7203`	`return rc;`
`7198`	`7204`	`}`
`7199`	`7205`	`}`
`@@ -8148,7 +8154,7 @@ if (rc == MATCH_MATCH)`
`8148`	`8154`	`memcpy((void *)match_data->subject, subject, length);`
`8149`	`8155`	`match_data->flags \|= PCRE2_MD_COPIED_SUBJECT;`
`8150`	`8156`	`}`
`8151`		`- else match_data->subject = subject;`
	`8157`	`+ else match_data->subject = original_subject;`
`8152`	`8158`
`8153`	`8159`	`return match_data->rc;`
`8154`	`8160`	`}`
`@@ -8170,7 +8176,7 @@ PCRE2_ERROR_PARTIAL. */`
`8170`	`8176`
`8171`	`8177`	`else if (match_partial != NULL)`
`8172`	`8178`	`{`
`8173`		`- match_data->subject = subject;`
	`8179`	`+ match_data->subject = original_subject;`
`8174`	`8180`	`match_data->subject_length = length;`
`8175`	`8181`	`match_data->start_offset = start_offset;`
`8176`	`8182`	`match_data->ovector[0] = match_partial - subject;`