pcre2_match: improve match_ref() logic for robustness (#781)

carenas · web-flow · commit d4a3b9a44e2b · 2025-09-02T14:44:57.000+01:00
Add an assert to validate that match_ref is never called with
an `eptr` over the end of the subject, and use the correct return
value for non-partial matches of back references.
diff --git a/src/pcre2_match.c b/src/pcre2_match.c
@@ -387,6 +387,7 @@ if (offset >= Foffset_top || Fovector[offset] == PCRE2_UNSET)
 eptr = eptr_start = Feptr;
 p = mb->start_subject + Fovector[offset];
 length = Fovector[offset+1] - Fovector[offset];
+PCRE2_ASSERT(eptr <= mb->end_subject);
 
 if (caseless)
   {
@@ -406,7 +407,7 @@ if (caseless)
     bytes in UTF-8); a sequence of 3 of the former uses 6 bytes, as does a
     sequence of two of the latter. It is important, therefore, to check the
     length along the reference, not along the subject (earlier code did this
-    wrong). UCP without uses Unicode properties but without UTF encoding. */
+    wrong). UCP uses Unicode properties but without UTF encoding. */
 
     while (p < endptr)
       {
@@ -485,8 +486,8 @@ else
 
   else
     {
-    if ((PCRE2_SIZE)(mb->end_subject - eptr) < length) return 1; /* Partial */
-    if (memcmp(p, eptr, CU2BYTES(length)) != 0) return -1;  /* No match */
+    if ((PCRE2_SIZE)(mb->end_subject - eptr) < length ||
+        memcmp(p, eptr, CU2BYTES(length)) != 0) return -1;  /* No match */
     eptr += length;
     }
   }
diff --git a/src/pcre2test.c b/src/pcre2test.c
@@ -7990,12 +7990,12 @@ Returns:    PR_OK     continue processing next line
 static int
 process_data(void)
 {
-PCRE2_SIZE len, ulen, arg_ulen;
+PCRE2_SIZE ulen, arg_ulen;
 uint32_t gmatched;
 uint32_t c, k;
 uint32_t g_notempty = 0;
 uint8_t *p, *pp, *start_rep;
-size_t needlen;
+size_t len, needlen;
 void *use_dat_context;
 BOOL utf;
 BOOL subject_literal;
@@ -8512,11 +8512,11 @@ the unused start of the buffer unaddressable. If we are using the POSIX
 interface, or testing zero-termination, we must include the terminating zero in
 the usable data. */
 
-c = code_unit_size * (((pat_patctl.control & CTL_POSIX) +
-                       (dat_datctl.control & CTL_ZERO_TERMINATE) != 0)? 1:0);
-pp = memmove(dbuffer + dbuffer_size - len - c, dbuffer, len + c);
+c = code_unit_size * ((((pat_patctl.control & CTL_POSIX) != 0) +
+                       ((dat_datctl.control & CTL_ZERO_TERMINATE) != 0))? 1 : 0);
+pp = memmove(dbuffer + dbuffer_size - (len + c), dbuffer, len + c);
 #ifdef SUPPORT_VALGRIND
-  VALGRIND_MAKE_MEM_NOACCESS(dbuffer, dbuffer_size - (len + c));
+VALGRIND_MAKE_MEM_NOACCESS(dbuffer, dbuffer_size - (len + c));
 #endif
 
 #if defined(EBCDIC) && !EBCDIC_IO

Original file line number	Diff line number	Diff line change
`@@ -387,6 +387,7 @@ if (offset >= Foffset_top \|\| Fovector[offset] == PCRE2_UNSET)`
`387`	`387`	`eptr = eptr_start = Feptr;`
`388`	`388`	`p = mb->start_subject + Fovector[offset];`
`389`	`389`	`length = Fovector[offset+1] - Fovector[offset];`
	`390`	`+PCRE2_ASSERT(eptr <= mb->end_subject);`
`390`	`391`
`391`	`392`	`if (caseless)`
`392`	`393`	`{`
`@@ -406,7 +407,7 @@ if (caseless)`
`406`	`407`	`bytes in UTF-8); a sequence of 3 of the former uses 6 bytes, as does a`
`407`	`408`	`sequence of two of the latter. It is important, therefore, to check the`
`408`	`409`	`length along the reference, not along the subject (earlier code did this`
`409`		`- wrong). UCP without uses Unicode properties but without UTF encoding. */`
	`410`	`+ wrong). UCP uses Unicode properties but without UTF encoding. */`
`410`	`411`
`411`	`412`	`while (p < endptr)`
`412`	`413`	`{`
`@@ -485,8 +486,8 @@ else`
`485`	`486`
`486`	`487`	`else`
`487`	`488`	`{`
`488`		`- if ((PCRE2_SIZE)(mb->end_subject - eptr) < length) return 1; /* Partial */`
`489`		`- if (memcmp(p, eptr, CU2BYTES(length)) != 0) return -1; /* No match */`
	`489`	`+ if ((PCRE2_SIZE)(mb->end_subject - eptr) < length \|\|`
	`490`	`+ memcmp(p, eptr, CU2BYTES(length)) != 0) return -1; /* No match */`
`490`	`491`	`eptr += length;`
`491`	`492`	`}`
`492`	`493`	`}`