From: Serhiy Storchaka <storchaka@gmail.com>
Date: Tue, 4 Nov 2025 15:49:44 +0000 (+0200)
Subject: gh-140979: Fix off-by-one error in the RE code validator (GH-140984)
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1326d2a808245e5f2de9e515460bab30556e8f05;p=thirdparty%2FPython%2Fcpython.git

gh-140979: Fix off-by-one error in the RE code validator (GH-140984)

It was too lenient and allowed MARK opcodes with too large value.
---

diff --git a/Modules/_sre/sre.c b/Modules/_sre/sre.c
index fdf00e6499cb..4e97101b6998 100644
--- a/Modules/_sre/sre.c
+++ b/Modules/_sre/sre.c
@@ -1946,7 +1946,7 @@ _validate_inner(SRE_CODE *code, SRE_CODE *end, Py_ssize_t groups)
                sre_match() code is robust even if they don't, and the worst
                you can get is nonsensical match results. */
             GET_ARG;
-            if (arg > 2 * (size_t)groups + 1) {
+            if (arg >= 2 * (size_t)groups) {
                 VTRACE(("arg=%d, groups=%d\n", (int)arg, (int)groups));
                 FAIL;
             }