From 24fcb49987b5ca2bfb64fcdb6c15ce0e9bf6d01f Mon Sep 17 00:00:00 2001 From: Aki Tuomi Date: Thu, 13 Feb 2025 09:36:02 +0200 Subject: [PATCH] lib-var-expand: Fix potential crash if referring to too large regexp capture group Using sizeof() will not give number of elements here. --- src/lib-var-expand/expansion-filter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/lib-var-expand/expansion-filter.c b/src/lib-var-expand/expansion-filter.c index 8a42a6505f..b0ba1ef98a 100644 --- a/src/lib-var-expand/expansion-filter.c +++ b/src/lib-var-expand/expansion-filter.c @@ -831,7 +831,7 @@ static int fn_regexp(const struct var_expand_statement *stmt, /* looks like a placeholder */ str_append_data(dest, p0, p1 - p0); unsigned int g = p1[1] - '0'; - if (g >= sizeof(matches) || + if (g >= N_ELEMENTS(matches) || matches[g].rm_so == -1) { *error_r = "Invalid capture group"; ret = -1; -- 2.47.3