

ref: 5000749f5afe3b956fc916e407309de840997f4a
parent: 8c805b4eb19cf2af689c860b77e6111d2ee439d5
author: Tor Andersson <tor.andersson@artifex.com>
date: Wed Sep 21 12:02:11 EDT 2016

Fix bug 697141: buffer overrun in regexp string substitution.

A '$' escape at the end of the string would read past the zero terminator
when looking for the escaped character.

--- a/jsstring.c
+++ b/jsstring.c
@@ -421,6 +421,7 @@
 		while (*r) {
 			if (*r == '$') {
 				switch (*(++r)) {
+				case 0: --r; /* end of string; back up and fall through */
 				case '$': js_putc(J, &sb, '$'); break;
 				case '`': js_putm(J, &sb, source, s); break;
 				case '\'': js_puts(J, &sb, s + n); break;
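Review bot: The added `case 0:` label relies on implicit fall-through into `case '$'`, so the terminator handling would silently change if a case were ever inserted between the two labels; the identical line in the hunk at -516 has the same dependency. Writing it as a self-contained case, `case 0: --r; js_putc(J, &sb, '$'); break;`, keeps the behaviour and removes the reliance on label order. The `--r` only prevents the over-read if the loop advances `r` exactly once after the switch; that code is outside both hunks, so it is presumably the case but worth confirming. Because the replacement string is supplied by the script being run, a regression test with a replacement ending in a lone `$` for each of the two loops would pin the fix.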
@@ -516,6 +517,7 @@
 		while (*r) {
 			if (*r == '$') {
 				switch (*(++r)) {
+				case 0: --r; /* end of string; back up and fall through */
 				case '$': js_putc(J, &sb, '$'); break;
 				case '&': js_putm(J, &sb, s, s + n); break;
 				case '`': js_putm(J, &sb, source, s); break;