# HG changeset patch
# User Stephen J. Turnbull
# Date 1258468899 -32400
# Node ID b5f21bb366841f8a0ccb1e6f378ea6dc3d30cd0e
# Parent 294a86d29f996e8c0812f41795c99cdfeb8638db
Fix crash in regex.c (closes issue630).
diff -r 294a86d29f99 -r b5f21bb36684 src/ChangeLog
--- a/src/ChangeLog Mon Nov 16 12:00:38 2009 +0900
+++ b/src/ChangeLog Tue Nov 17 23:41:39 2009 +0900
@@ -1,3 +1,13 @@
+2009-11-17 Stephen J. Turnbull
+
+ Fix issue630.
+
+ * regex.c (regex_compile):
+ Sync treatment of normal_char to GNU Emacs 22.1.
+ Thanks to Aidan Kehoe for the diagnosis and suggestion.
+ (print_partial_compiled_pattern):
+ Avoid buffer overrun in case of /exactn/0.
+
 2009-11-15 Aidan Kehoe
 * mule-ccl.c (CCL_CALL_FOR_MAP_INSTRUCTION): Assert that we always
diff -r 294a86d29f99 -r b5f21bb36684 src/regex.c
--- a/src/regex.c Mon Nov 16 12:00:38 2009 +0900
+++ b/src/regex.c Tue Nov 17 23:41:39 2009 +0900
@@ -112,6 +112,7 @@
 #define INC_IBYTEPTR_FMT(p, fmt) ((p)++)
 #define DEC_IBYTEPTR(p) ((p)--)
 #define DEC_IBYTEPTR_FMT(p, fmt) ((p)--)
+#define MAX_ICHAR_LEN 1
 #define itext_ichar_len(ptr) 1
 #define itext_ichar_len_fmt(ptr, fmt) 1
@@ -813,12 +814,11 @@
 case exactn:
 mcnt = *p++;
 printf ("/exactn/%d", mcnt);
- do
+ while (mcnt--)
 {
- putchar ('/');
+ putchar ('/');
 putchar (*p++);
 }
- while (--mcnt);
 break;
 case start_memory:
@@ -3339,10 +3339,7 @@
 /* `p' points to the location after where `c' came from. */
 normal_char:
 {
- /* XEmacs: modifications here for Mule. */
- /* `q' points to the beginning of the next char. */
- re_char *q = p;
-
+ /* The following conditional synced to GNU Emacs 22.1. */
 /* If no exactn currently being built. */
 if (!pending_exact
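Review bot: In the `case exactn:` hunk (`@@ -813,12 +814,11 @@`), the new `while (mcnt--)` loop is still bounded only by the count byte read from the compiled pattern, so a truncated or corrupted buffer would make `putchar (*p++)` read past its end. If the enclosing function has an end-of-buffer pointer in scope (the function starts and ends outside this hunk, so that is not visible), the condition could become `while (mcnt-- && p < pend)`, with `pend` standing for that pointer. A comment above the loop such as `/* mcnt may be 0: a do-while would decrement past zero and overrun the buffer. */` would record why the loop form matters.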
@@ -3350,18 +3347,19 @@
 || pending_exact + *pending_exact + 1 != buf_end
 /* We have only one byte following the exactn for the count. */
- || ((unsigned int) (*pending_exact + (q - p)) >=
- ((unsigned int) (1 << BYTEWIDTH) - 1))
-
- /* If followed by a repetition operator. */
- || *q == '*' || *q == '^'
+ || *pending_exact >= (1 << BYTEWIDTH) - MAX_ICHAR_LEN
+
+ /* If followed by a repetition operator.
+ If the lookahead fails because of end of pattern, any
+ trailing backslash will get caught later. */
+ || (p != pend && (*p == '*' || *p == '^'))
 || ((syntax & RE_BK_PLUS_QM)
- ? *q == '\\' && (q[1] == '+' || q[1] == '?')
- : (*q == '+' || *q == '?'))
+ ? p + 1 < pend && *p == '\\' && (p[1] == '+' || p[1] == '?')
+ : p != pend && (*p == '+' || *p == '?'))
 || ((syntax & RE_INTERVALS)
 && ((syntax & RE_NO_BK_BRACES)
- ? *q == '{'
- : (q[0] == '\\' && q[1] == '{'))))
+ ? p != pend && *p == '{'
+ : p + 1 < pend && (p[0] == '\\' && p[1] == '{'))))
 {
 /* Start building a new exactn. */
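Review bot: The two-character lookaheads written as `p + 1 < pend` form a pointer beyond `pend` when `p == pend`, a case the added comment says can occur here. Unless the pattern buffer is known to extend at least one byte past `pend`, that is undefined pointer arithmetic, even though the short-circuit prevents the dereference. Expressing the bound as a difference avoids this and gives all four lookaheads one form, e.g. `? pend - p > 1 && *p == '\\' && (p[1] == '+' || p[1] == '?')` and `: pend - p > 1 && (p[0] == '\\' && p[1] == '{')`. Separately, the test `*pending_exact >= (1 << BYTEWIDTH) - MAX_ICHAR_LEN` is only safe if `MAX_ICHAR_LEN` is the most bytes one character can append; the `@@ -112,6 +112,7 @@` hunk defines it as 1 next to single-byte stubs and any other definition is not visible here, so a comment stating that assumption would help. The enclosing function starts and ends outside the hunk.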