From: Aki Tuomi Date: Thu, 13 Feb 2025 07:36:02 +0000 (+0200) Subject: lib-var-expand: Fix potential crash if referring to too large regexp capture group X-Git-Tag: 2.4.1~204 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=24fcb49987b5ca2bfb64fcdb6c15ce0e9bf6d01f;p=thirdparty%2Fdovecot%2Fcore.git lib-var-expand: Fix potential crash if referring to too large regexp capture group Using sizeof() will not give number of elements here. --- diff --git a/src/lib-var-expand/expansion-filter.c b/src/lib-var-expand/expansion-filter.c index 8a42a6505f..b0ba1ef98a 100644 --- a/src/lib-var-expand/expansion-filter.c +++ b/src/lib-var-expand/expansion-filter.c @@ -831,7 +831,7 @@ static int fn_regexp(const struct var_expand_statement *stmt, /* looks like a placeholder */ str_append_data(dest, p0, p1 - p0); unsigned int g = p1[1] - '0'; - if (g >= sizeof(matches) || + if (g >= N_ELEMENTS(matches) || matches[g].rm_so == -1) { *error_r = "Invalid capture group"; ret = -1;