From bf95d5f034221fbc49904c30774f4ae269d4df68 Mon Sep 17 00:00:00 2001
From: Rainer Gerhards <rgerhards@adiscon.com>
Date: Fri, 25 Oct 2013 14:20:36 +0200
Subject: bugfix: buffer overrun if re_extract function was called for submatch
 50

Thanks to Pavel Levshin for reporting the problem and its location.
---
 ChangeLog              | 2 ++
 grammar/rainerscript.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index b52d25aa..ef29644e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,7 @@
 ---------------------------------------------------------------------------
 Version 7.4.6  [v7.4-stable] 2013-11-??
+- bugfix: buffer overrun if re_extract function was called for submatch 50
+  Thanks to Pavel Levshin for reporting the problem and its location.
 - bugfix: memleak in re_extract() function
   Thanks to Pavel Levshin for reporting this problem.
 - bugfix: memory leak in omhiredis
diff --git a/grammar/rainerscript.c b/grammar/rainerscript.c
index 9cacb4ae..b86f7c30 100644
--- a/grammar/rainerscript.c
+++ b/grammar/rainerscript.c
@@ -1259,7 +1259,7 @@ doFunc_re_extract(struct cnffunc *func, struct var *ret, void* usrptr)
 	str = (char*) var2CString(&r[0], &bMustFree);
 	matchnbr = (short) var2Number(&r[2], NULL);
 	submatchnbr = (size_t) var2Number(&r[3], NULL);
-	if(submatchnbr > sizeof(pmatch)/sizeof(regmatch_t)) {
+	if(submatchnbr >= sizeof(pmatch)/sizeof(regmatch_t)) {
 		DBGPRINTF("re_extract() submatch %d is too large\n", submatchnbr);
 		bHadNoMatch = 1;
 		goto finalize_it;
-- 
cgit v1.2.3