fix out of memory 0x27 0x2f 0x67 0x5c 0xff 0xff 0xff 0xff 0x26 0x29 0x29

diff --git a/src/regparse.c b/src/regparse.c
index 5af1c8cbdcb0e481e5bc36d1cfcadd15b3b597ca..6be83666c816ae9fc2f9ad3d5dfde053f23e20be 100644 (file)
--- a/src/regparse.c
+++ b/src/regparse.c
@@ -1997,8 +1997,8 @@ or_cclass(CClassNode* dest, CClassNode* cc, OnigEncoding enc)
     return 0;
 }
 
-static int
-conv_backslash_value(int c, ScanEnv* env)
+static OnigCodePoint
+conv_backslash_value(OnigCodePoint c, ScanEnv* env)
 {
   if (IS_SYNTAX_OP(env->syntax, ONIG_SYN_OP_ESC_CONTROL_CHARS)) {
     switch (c) {
@@ -2311,7 +2311,7 @@ fetch_range_quantifier(UChar** src, UChar* end, OnigToken* tok, ScanEnv* env)
 
 /* \M-, \C-, \c, or \... */
 static int
-fetch_escaped_value(UChar** src, UChar* end, ScanEnv* env)
+fetch_escaped_value(UChar** src, UChar* end, ScanEnv* env, OnigCodePoint* val)
 {
   int v;
   OnigCodePoint c;
@@ -2330,9 +2330,8 @@ fetch_escaped_value(UChar** src, UChar* end, ScanEnv* env)
       if (PEND) return ONIGERR_END_PATTERN_AT_META;
       PFETCH_S(c);
       if (c == MC_ESC(env->syntax)) {
-        v = fetch_escaped_value(&p, end, env);
+        v = fetch_escaped_value(&p, end, env, &c);
         if (v < 0) return v;
-        c = (OnigCodePoint )v;
       }
       c = ((c & 0xff) | 0x80);
     }
@@ -2360,9 +2359,8 @@ fetch_escaped_value(UChar** src, UChar* end, ScanEnv* env)
       }
       else {
         if (c == MC_ESC(env->syntax)) {
-          v = fetch_escaped_value(&p, end, env);
+          v = fetch_escaped_value(&p, end, env, &c);
           if (v < 0) return v;
-          c = (OnigCodePoint )v;
         }
         c &= 0x9f;
       }
@@ -2379,7 +2377,8 @@ fetch_escaped_value(UChar** src, UChar* end, ScanEnv* env)
   }
 
   *src = p;
-  return c;
+  *val = c;
+  return 0;
 }
 
 static int fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env);
@@ -2989,10 +2988,10 @@ fetch_token_in_cc(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
 
     default:
       PUNFETCH;
-      num = fetch_escaped_value(&p, end, env);
+      num = fetch_escaped_value(&p, end, env, &c2);
       if (num < 0) return num;
-      if (tok->u.c != num) {
-        tok->u.code = (OnigCodePoint )num;
+      if (tok->u.c != c2) {
+        tok->u.code = c2;
         tok->type   = TK_CODE_POINT;
       }
       break;
@@ -3485,16 +3484,20 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
       break;
 
     default:
-      PUNFETCH;
-      num = fetch_escaped_value(&p, end, env);
-      if (num < 0) return num;
-      /* set_raw: */
-      if (tok->u.c != num) {
-        tok->type = TK_CODE_POINT;
-        tok->u.code = (OnigCodePoint )num;
-      }
-      else { /* string */
-        p = tok->backp + enclen(enc, tok->backp);
+      {
+        OnigCodePoint c2;
+
+        PUNFETCH;
+        num = fetch_escaped_value(&p, end, env, &c2);
+        if (num < 0) return num;
+        /* set_raw: */
+        if (tok->u.c != c2) {
+          tok->type = TK_CODE_POINT;
+          tok->u.code = c2;
+        }
+        else { /* string */
+          p = tok->backp + enclen(enc, tok->backp);
+       }
       }
       break;
     }