If the regex has more subexpressions than the number of elements allocated
in the regmatch_t array passed to regexec then proceed_next_node may
access the regmatch_t array outside its bounds.
No testcase added because even without this bug it would then crash in
pop_fail_stack which is bug 11053.
if (type == OP_BACK_REF)
{
Idx subexp_idx = dfa->nodes[node].opr.idx + 1;
- naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
+ if (subexp_idx < nregs)
+ naccepted = regs[subexp_idx].rm_eo - regs[subexp_idx].rm_so;
if (fs != NULL)
{
- if (regs[subexp_idx].rm_so == -1 || regs[subexp_idx].rm_eo == -1)
+ if (subexp_idx >= nregs
+ || regs[subexp_idx].rm_so == -1
+ || regs[subexp_idx].rm_eo == -1)
return -1;
else if (naccepted)
{