From 3db24e1e3c8c10bf892a8f48ff3d780fdd1f88a0 Mon Sep 17 00:00:00 2001
From: Karl Williamson <public@khwilliamson.com>
Date: Wed, 1 Jan 2014 09:59:20 -0700
Subject: regexec.c: Guard against malformed UTF-8 in [...]

The code that handles bracketed character classes assumed that the
string being matched against did not have the too-short malformation;
this could lead to reading beyond-the-end-of-buffer.  (It did check for
other malformations.)  This is solved by changing the function that
operates on bracketed character classes to take and use an extra
parameter, the actaul buffer end.
---
 proto.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'proto.h')

diff --git a/proto.h b/proto.h
index c4860450db..647d3574b5 100644
--- a/proto.h
+++ b/proto.h
@@ -7158,12 +7158,13 @@ STATIC U8*	S_reghopmaybe3(U8 *s, SSize_t off, const U8 *lim)
 #define PERL_ARGS_ASSERT_REGHOPMAYBE3	\
 	assert(s); assert(lim)
 
-STATIC bool	S_reginclass(pTHX_ regexp * const prog, const regnode * const n, const U8 * const p, bool const utf8_target)
+STATIC bool	S_reginclass(pTHX_ regexp * const prog, const regnode * const n, const U8 * const p, const U8 * const p_end, bool const utf8_target)
 			__attribute__warn_unused_result__
 			__attribute__nonnull__(pTHX_2)
-			__attribute__nonnull__(pTHX_3);
+			__attribute__nonnull__(pTHX_3)
+			__attribute__nonnull__(pTHX_4);
 #define PERL_ARGS_ASSERT_REGINCLASS	\
-	assert(n); assert(p)
+	assert(n); assert(p); assert(p_end)
 
 STATIC SSize_t	S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
 			__attribute__warn_unused_result__
-- 
cgit v1.2.1