Commits

Evan Gates  committed 18599fe

check that backreferences are <= number of groups when reading s
arguments

  • Participants
  • Parent commits 252e097

Comments (0)

Files changed (1)

     if (!cmd->size)
         ++len; // need space for nul byte first time
     *q = '\0';
+
+    q = p; // check for bad back references
+    for (int escape = 0; *q; q++) {
+        if (escape) {
+            escape = 0;
+            if (isdigit(*q) && (size_t)('0' - *q) > cmd->regex->re_nsub) {
+                warn("back reference number (%c) greater than number of groups (%zu)",
+                     *q, cmd->regex->re_nsub);
+                return NULL;
+            }
+        }
+        else if (*q == '\\')
+            escape = 1;
+    }
     if (resize((void **)&cmd->text, &cmd->size, sizeof(*cmd->text), cmd->size + len, NULL, 1)) {
         serror();
         return NULL;