pcre2test: harden subject overread testing

carenas · carenas · commit 83806f6acf43 · 2025-08-25T07:45:12.000-07:00
Mark the character after the subject as not accessible if there is no
NUL termination to better catch buffer overreads.

Add an assert and test to avoid regressions on a recent fix, and
correct the return value for non partial matches of back references.
diff --git a/src/pcre2_match.c b/src/pcre2_match.c
@@ -387,6 +387,7 @@ if (offset >= Foffset_top || Fovector[offset] == PCRE2_UNSET)
 eptr = eptr_start = Feptr;
 p = mb->start_subject + Fovector[offset];
 length = Fovector[offset+1] - Fovector[offset];
+PCRE2_ASSERT(eptr <= mb->end_subject);
 
 if (caseless)
   {
@@ -485,8 +486,8 @@ else
 
   else
     {
-    if ((PCRE2_SIZE)(mb->end_subject - eptr) < length) return 1; /* Partial */
-    if (memcmp(p, eptr, CU2BYTES(length)) != 0) return -1;  /* No match */
+    if ((PCRE2_SIZE)(mb->end_subject - eptr) < length ||
+        memcmp(p, eptr, CU2BYTES(length)) != 0) return -1;  /* No match */
     eptr += length;
     }
   }
diff --git a/src/pcre2test.c b/src/pcre2test.c
@@ -8478,11 +8478,13 @@ the unused start of the buffer unaddressable. If we are using the POSIX
 interface, or testing zero-termination, we must include the terminating zero in
 the usable data. */
 
-c = code_unit_size * (((pat_patctl.control & CTL_POSIX) +
-                       (dat_datctl.control & CTL_ZERO_TERMINATE) != 0)? 1:0);
-pp = memmove(dbuffer + dbuffer_size - len - c, dbuffer, len + c);
+c = code_unit_size * ((((pat_patctl.control & CTL_POSIX) != 0) +
+                       ((dat_datctl.control & CTL_ZERO_TERMINATE) != 0))? 1 : 0);
+pp = memmove(dbuffer + dbuffer_size - len - code_unit_size, dbuffer, len + c);
 #ifdef SUPPORT_VALGRIND
-  VALGRIND_MAKE_MEM_NOACCESS(dbuffer, dbuffer_size - (len + c));
+  VALGRIND_MAKE_MEM_NOACCESS(dbuffer, dbuffer_size - (len + code_unit_size));
+  if (c == 0)
+    VALGRIND_MAKE_MEM_NOACCESS(dbuffer + dbuffer_size - code_unit_size, code_unit_size);
 #endif
 
 #if defined(EBCDIC) && !EBCDIC_IO
diff --git a/testdata/testinput2 b/testdata/testinput2
@@ -6756,6 +6756,9 @@ a)"xI
 /(a)(*scs:(1)a(*ACCEPT))bbb/
     abbb
 
+/(a)(b+)(*scs:(1)a(*ACCEPT))(\2)/
+    abbb
+
 # Duplicated capture references
 
 /(a)(b)(c)(d)(*scs:(4,3,1,2,2,1,3,3,4,4)x)/B
diff --git a/testdata/testoutput2 b/testdata/testoutput2
@@ -20263,6 +20263,13 @@ No match
  0: abbb
  1: a
 
+/(a)(b+)(*scs:(1)a(*ACCEPT))(\2)/
+    abbb
+ 0: abb
+ 1: a
+ 2: b
+ 3: b
+
 # Duplicated capture references
 
 /(a)(b)(c)(d)(*scs:(4,3,1,2,2,1,3,3,4,4)x)/B

Original file line number	Diff line number	Diff line change
`@@ -387,6 +387,7 @@ if (offset >= Foffset_top \|\| Fovector[offset] == PCRE2_UNSET)`
`387`	`387`	`eptr = eptr_start = Feptr;`
`388`	`388`	`p = mb->start_subject + Fovector[offset];`
`389`	`389`	`length = Fovector[offset+1] - Fovector[offset];`
	`390`	`+PCRE2_ASSERT(eptr <= mb->end_subject);`
`390`	`391`
`391`	`392`	`if (caseless)`
`392`	`393`	`{`
`@@ -485,8 +486,8 @@ else`
`485`	`486`
`486`	`487`	`else`
`487`	`488`	`{`
`488`		`- if ((PCRE2_SIZE)(mb->end_subject - eptr) < length) return 1; /* Partial */`
`489`		`- if (memcmp(p, eptr, CU2BYTES(length)) != 0) return -1; /* No match */`
	`489`	`+ if ((PCRE2_SIZE)(mb->end_subject - eptr) < length \|\|`
	`490`	`+ memcmp(p, eptr, CU2BYTES(length)) != 0) return -1; /* No match */`
`490`	`491`	`eptr += length;`
`491`	`492`	`}`
`492`	`493`	`}`