-rw-r--r--ChangeLog2
-rw-r--r--grammar/rainerscript.c2
2 files changed, 3 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index b52d25aa..ef29644e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
---------------------------------------------------------------------------
Version 7.4.6 [v7.4-stable] 2013-11-??
+- bugfix: buffer overrun if re_extract function was called for submatch 50
+ Thanks to Pavel Levshin for reporting the problem and its location.
- bugfix: memleak in re_extract() function
Thanks to Pavel Levshin for reporting this problem.
- bugfix: memory leak in omhiredis
diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
index 9cacb4ae..b86f7c30 100644
--- a/grammar/rainerscript.c
+++ b/grammar/rainerscript.c
@@ -1259,7 +1259,7 @@ doFunc_re_extract(struct cnffunc *func, struct var *ret, void* usrptr)
str = (char*) var2CString(&r[0], &bMustFree);
matchnbr = (short) var2Number(&r[2], NULL);
submatchnbr = (size_t) var2Number(&r[3], NULL);
- if(submatchnbr > sizeof(pmatch)/sizeof(regmatch_t)) {
+ if(submatchnbr >= sizeof(pmatch)/sizeof(regmatch_t)) {
DBGPRINTF("re_extract() submatch %d is too large\n", submatchnbr);
bHadNoMatch = 1;
goto finalize_it;
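Review bot: The DBGPRINTF on the line after the corrected bound prints `submatchnbr`, which is a `size_t`, with `%d`; assuming DBGPRINTF forwards to a printf-style formatter, that is a format/argument mismatch (undefined behavior under C11, and a wrong or truncated value on LP64 targets) in exactly the diagnostic meant to explain a rejected index. Change it to `DBGPRINTF("re_extract() submatch %zu is too large\n", submatchnbr);` so the reported value matches the check. The `>=` fix itself is correct: an index equal to the element count of `pmatch` was previously accepted and would index one past the array, and because a negative result from `var2Number` becomes a huge `size_t` after the cast it is also rejected by the same comparison. The body of doFunc_re_extract starts before and continues after this hunk.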