commit | 44f7d6ecde9bf7427a05cbe73ed5d668b8a72b2a | [log] [tgz] |
---|---|---|
author | jfkthame <jfkthame@gmail.com> | Fri Feb 17 03:03:24 2017 +0000 |
committer | Behdad Esfahbod <behdad@behdad.org> | Thu Feb 16 19:03:24 2017 -0800 |
tree | d3cc0f4bff1d117ac9b20430b627aaf7b7b19b28 | |
parent | 45766b673f427bb791c9d5886cadedfac0447066 [diff] |
Guard against underflow when adjusting length (#421) * Guard against underflow when adjusting length With the fuzz-testcase in mozilla bug 1295299, we end up with a recursed lookup that removes 3 items, when `match_positions[idx]` is 0, which results in (unsigned) `end` wrapping to a huge value. Making `end` a signed int is probably the simplest route to a fix. Fixes https://bugzilla.mozilla.org/show_bug.cgi?id=1295299. * Add testcase for #421.