fix out of bounds read /[\p{/ (found by libfuzzer)
authorK.Kosako <kkosako0@gmail.com>
Fri, 26 Aug 2016 15:24:51 +0000 (00:24 +0900)
committerK.Kosako <kkosako0@gmail.com>
Fri, 26 Aug 2016 15:24:51 +0000 (00:24 +0900)
src/regparse.c

index 9514e50610c0a94011232f60ce6ce06daf305383..5716d999e31071b9be5b1e4931358fd9913bb311 100644 (file)
@@ -2890,6 +2890,8 @@ fetch_token_in_cc(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
 
     case 'p':
     case 'P':
+      if (PEND) break;
+
       c2 = PPEEK;
       if (c2 == '{' &&
          IS_SYNTAX_OP2(syn, ONIG_SYN_OP2_ESC_P_BRACE_CHAR_PROPERTY)) {
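Review bot: The new `if (PEND) break;` at the top of the `p`/`P` case has no comment explaining why the case bails out before looking at the next character. Something like `/* pattern ends right after \p: PPEEK would read past end */` would make it clear that the check guards the `c2 = PPEEK;` on the following line. Which token a trailing `\p` produces after the `break` depends on assignments made before this hunk, so that is worth confirming against the rest of fetch_token_in_cc, whose body starts and ends outside the hunk. Since the read was found by fuzzing, a regression test that compiles the pattern from the commit title under AddressSanitizer would keep it from reappearing.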
@@ -2897,7 +2899,7 @@ fetch_token_in_cc(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
        tok->type = TK_CHAR_PROPERTY;
        tok->u.prop.not = (c == 'P' ? 1 : 0);
 
-       if (IS_SYNTAX_OP2(syn, ONIG_SYN_OP2_ESC_P_BRACE_CIRCUMFLEX_NOT)) {
+       if (!PEND && IS_SYNTAX_OP2(syn, ONIG_SYN_OP2_ESC_P_BRACE_CIRCUMFLEX_NOT)) {
          PFETCH(c2);
          if (c2 == '^') {
            tok->u.prop.not = (tok->u.prop.not == 0 ? 1 : 0);
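Review bot: With the added `!PEND` test, a pattern that stops right after `\p{` still yields `TK_CHAR_PROPERTY` with the cursor at `end`, so the safety of this path now rests on whatever consumes that token doing its own end check before reading the property name. That consumer is outside the hunk and should be confirmed. If the tokenizer for text outside a character class in this file handles `\p{` with the same peek/fetch sequence, it presumably needs the same two guards; this diff only touches fetch_token_in_cc. A short comment on the condition, e.g. `/* nothing after '{': skip the '^' probe */`, would record why PEND is tested here.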