From a0cafd475e6f65a24268cbe251e273eb13b1c282 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= <des@des.dev>
Date: Tue, 30 Jul 2024 17:50:45 +0200
Subject: [PATCH] Limit wide characters to 8 hex digits.

This fixes a buffer overflow which was reported in #37.
---
 lib/tre-parse.c | 4 ++--
 tests/retest.c  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/tre-parse.c b/lib/tre-parse.c
index 08b9d1f..7d056da 100644
--- a/lib/tre-parse.c
+++ b/lib/tre-parse.c
@@ -1484,7 +1484,7 @@ tre_parse(tre_parse_ctx_t *ctx)
 		  else if (ctx->re < ctx->re_end)
 		    {
 		      /* Wide char. */
-		      char tmp[32];
+		      char tmp[9]; /* max 8 hex digits + terminator */
 		      long val;
 		      int i = 0;
 		      ctx->re++;
@@ -1492,7 +1492,7 @@ tre_parse(tre_parse_ctx_t *ctx)
 			{
 			  if (ctx->re[0] == CHAR_RBRACE)
 			    break;
-			  if (tre_isxdigit(ctx->re[0]))
+			  if (tre_isxdigit(ctx->re[0]) && i < sizeof(tmp) - 1)
 			    {
 			      tmp[i] = (char)ctx->re[0];
 			      i++;
diff --git a/tests/retest.c b/tests/retest.c
index b6ac26f..6fe47c6 100644
--- a/tests/retest.c
+++ b/tests/retest.c
@@ -1388,8 +1388,8 @@ main(int argc, char **argv)
   test_nexec("\000", 1, 0, REG_OK, 0, 1, END);
   test_comp("\\x{}r", REG_EXTENDED, 0);
   test_nexec("\000r", 2, 0, REG_OK, 0, 2, END);
-  test_comp("\\x{00000000000000000000000000000000}", REG_EXTENDED, 0);
-  test_comp("\\x{000000000000000000000000000000000}", REG_EXTENDED, REG_EBRACE);
+  test_comp("\\x{00000000}", REG_EXTENDED, 0);
+  test_comp("\\x{000000000}", REG_EXTENDED, REG_EBRACE);
 
   /* Tests for (?inrU-inrU) and (?inrU-inrU:) */
   test_comp("foo(?i)bar", REG_EXTENDED, 0);