regexp match violates string bound

Stephen J. Turnbull stephen at xemacs.org
Fri Dec 3 12:20:34 EST 2004


>>>>> "Ilya" == Ilya N Golubev <gin at mo.msk.ru> writes:

    Ilya> `re_search' when called by `string_match_1' may leave
    Ilya> `search_regs.end[1]' unchanged, even if it points beyond end
    Ilya> of data of STRING being searched in.  My build with mule
    Ilya> sometimes crashes on such values, when
    Ilya> `fixup_search_regs_for_string' called by the same
    Ilya> `string_match_1' tries to process such an incorrect value
    Ilya> and traverse byte sequence that is not in mule internal
    Ilya> coding.

I don't see how that can happen, offhand.  I'll take a more careful
look later, but as far as I can see search_regs.end[i] should get
accessed only for registers that successfully matched in the current
search.  Can you be more specific about where the offending access is?

    Ilya> Whether the crash will occur depends on data beyond string
    Ilya> data bound, and that can not be reproduced reliably.
    Ilya> Incorrect `search_regs.end[1]' value, however, reproduces
    Ilya> even when evaluating the following code.

This is irrelevant.  First, there are no promises about the contents
of registers after an unsuccessful match, so "incorrect" is
inapplicable.  Second and more important, the following code

(string-match "\\(a\\)" "..a")
(match-string 1 "c")

is legal and must not crash.  So the code must be careful to check
bounds in strings here, and as far as I can tell it does.  Certainly
the particular example above signals an error.  Can you point more
specifically to the code that is causing the problem?


-- 
Institute of Policy and Planning Sciences     http://turnbull.sk.tsukuba.ac.jp
University of Tsukuba                    Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
               Ask not how you can "do" free software business;
              ask what your business can "do for" free software.
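
The bounds check the reply says `match-string` must perform, sketched in C as an added example (not code from this thread or from XEmacs): POSIX `regexec` stands in for `re_search`, and `search`, `match_string` and `last_regs` are hypothetical names working on plain byte offsets.

```c
#include <regex.h>
#include <string.h>

#define NREGS 2

/* Stand-in for search_regs: offsets left by the last successful search.
   -1 means "never set". (Hypothetical names, byte offsets only.) */
static regmatch_t last_regs[NREGS] = {
    { .rm_so = -1, .rm_eo = -1 }, { .rm_so = -1, .rm_eo = -1 } };

/* Search s for the thread's pattern \(a\) (POSIX basic syntax). Returns 0 on
   a match; on failure the registers keep whatever they held before. */
int search(const char *s)
{
    regex_t re;
    regmatch_t tmp[NREGS];
    if (regcomp(&re, "\\(a\\)", 0) != 0)
        return -1;
    int rc = regexec(&re, s, NREGS, tmp, 0);
    regfree(&re);
    if (rc != 0)
        return -1;
    memcpy(last_regs, tmp, sizeof tmp);
    return 0;
}

/* Copy group i of the last match out of s, which need not be the string that
   was searched. Returns the length, or -1 if the register does not fit s/out. */
int match_string(int i, const char *s, char *out, size_t outsz)
{
    if (i < 0 || i >= NREGS)
        return -1;
    regoff_t so = last_regs[i].rm_so, eo = last_regs[i].rm_eo;
    if (so < 0 || eo < so || (size_t)eo > strlen(s))
        return -1;                      /* reject before touching s[so] */
    size_t n = (size_t)(eo - so);
    if (n >= outsz)
        return -1;
    memcpy(out, s + so, n);
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    char buf[8];
    /* Registers set on "..a" must be refused when applied to "c". */
    return (search("..a") == 0 && match_string(1, "c", buf, sizeof buf) == -1) ? 0 : 1;
}
```

The registers from `"..a"` (group 1 at offsets 2 to 3) survive a later failed search, which is why the check has to be made against the string actually passed in rather than against the state of the last search.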



