authorzherczeg <zherczeg@6239d852-aaf2-0410-a92c-79f79f948069>2018-09-18 10:19:14 +0000
committerzherczeg <zherczeg@6239d852-aaf2-0410-a92c-79f79f948069>2018-09-18 10:19:14 +0000
commit7631cfc720ba913fe3ffa1f23fb747d91d1d7d48 (patch)
treeb1950c28db5a59f1b1f37d7e3f4f9ca87e47f51e
parent381097419bef99006f022588dc299311f6378c5a (diff)
Fix subject buffer overread in JIT. Found by Yunho Kim.
git-svn-id: svn://vcs.exim.org/pcre2/code/trunk@1011 6239d852-aaf2-0410-a92c-79f79f948069
-rw-r--r--ChangeLog3
-rw-r--r--src/pcre2_jit_compile.c2
-rw-r--r--src/pcre2_jit_test.c4
3 files changed, 8 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index a8a207e..e3e4297 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -9,6 +9,9 @@ Version 10.33-RC1 15-September-2018
ovector that shouldn't be changed, in particular after substitute and failed or
partial matches.
+2. Fix subject buffer overread in JIT when UTF is disabled and \X or \R has
+a greater than 1 fixed quantifier. This issue was found by Yunho Kim.
+
Version 10.32 10-September-2018
-------------------------------
diff --git a/src/pcre2_jit_compile.c b/src/pcre2_jit_compile.c
index dc8cb93..c1d9a44 100644
--- a/src/pcre2_jit_compile.c
+++ b/src/pcre2_jit_compile.c
@@ -11268,7 +11268,7 @@ if (exact > 1)
#ifdef SUPPORT_UNICODE
&& !common->utf
#endif
- )
+ && type != OP_ANYNL && type != OP_EXTUNI)
{
OP2(SLJIT_ADD, TMP1, 0, STR_PTR, 0, SLJIT_IMM, IN_UCHARS(exact));
add_jump(compiler, &backtrack->topbacktracks, CMP(SLJIT_GREATER, TMP1, 0, STR_END, 0));
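Review bot: The new `type != OP_ANYNL && type != OP_EXTUNI` clause carries no comment saying why these two opcodes are kept off this path, and the reason is not obvious from the condition alone. The path does a single up-front bound check (`STR_PTR + IN_UCHARS(exact)` against `STR_END`), which is only sufficient if every repetition consumes exactly one code unit; per the ChangeLog entry, \R and \X break that when UTF is off, presumably because one item can span several code units such as CR LF. I would add above the condition: `/* The single STR_END check below assumes one code unit per repetition; OP_ANYNL and OP_EXTUNI can consume more, so they must take the per-item checked path. */`. Because this is a deny-list, any opcode added later that can consume a variable number of code units needs the same exclusion. The rest of the block, including the loop that follows the check, is outside the hunk.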
diff --git a/src/pcre2_jit_test.c b/src/pcre2_jit_test.c
index d927a36..d5f4a96 100644
--- a/src/pcre2_jit_test.c
+++ b/src/pcre2_jit_test.c
@@ -1948,6 +1948,10 @@ static struct invalid_utf8_regression_test_case invalid_utf8_regression_test_cas
{ PCRE2_UTF, CI, 0, 0, 0, 4, 8, { "#\xc7\x85#", NULL }, "\x80\x80#\xc7#\xc7\x85#" },
{ PCRE2_UTF, CI, 0, 0, 0, 7, 11, { "#\xc7\x85#", NULL }, "\x80\x80#\xc7\x80\x80\x80#\xc7\x85#" },
+ /* These two are not invalid UTF tests, but this infrastructure fits better for them. */
+ { 0, PCRE2_JIT_COMPLETE, 0, 0, 1, -1, -1, { "\\X{2}", NULL }, "\r\n\n" },
+ { 0, PCRE2_JIT_COMPLETE, 0, 0, 1, -1, -1, { "\\R{2}", NULL }, "\r\n\n" },
+
{ 0, 0, 0, 0, 0, 0, 0, { NULL, NULL }, NULL }
};
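Review bot: The added comment explains why the two cases live in this table but not what they guard against, so a later reader cannot tell that they are memory-safety regression tests for the JIT. I would extend it to something like `/* Non-UTF \X{2} and \R{2}: a CR LF item must not let the fixed-count JIT path read past the subject end. */`. The table shown is the UTF-8 one; whether the 16-bit and 32-bit code unit widths get equivalent cases is not visible in this hunk and is worth confirming, since the corrected bound check scales with `IN_UCHARS`. The array initializer starts outside the hunk.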