[Could cause OOB read in clients] Fix incorrect positive error code from pcre2_substitute() #481
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This has minor security implications.
pcre2_substitute()
callscheck_escape()
which returns a positive compile-error. Unfortunately, this is returned back to thepcre2_substitute()
caller, which interprets a non-negative code as meaning "substitute succeeded".This could cause the client to process the return string, assuming that it is null-terminated, and perform an out-of-bounds read.
Clients which use the
*blength
parameter to determine the length of the returned string are unaffected.The
pcre2test
application was itself affected: it would print garbage memory because it relies on the null terminator whenpcre2_substitute()
returns non-negative.