regexp.c recently got the ability to override the maximum number of captures by defining the MAXSUB macro, but regexp.h does not honor the new configuration macros, so is still hard-coded to 10:
Resub (defined in regexp.h to have a capture size of 10) is used in regexec() as if it has MAXSUB captures, but MAXSUB is a configurable macro definition which may exceed the hard-coded REG_MAXSUB from regexp.h, resulting in stack-smashing.
Solution: regexp.h absolutely needs to use the same value for REG_MAXSUB as the C file, and the docs need to warn users that the same value must be provided both when compiling the library and when including regexp.h from their client code. If they don't then the sizeof(Resub) will differ in different object files.
regexp.crecently got the ability to override the maximum number of captures by defining theMAXSUBmacro, butregexp.hdoes not honor the new configuration macros, so is still hard-coded to 10:https://github.com/ccxvii/mujs/blob/8c868344b207fbcaee4622fb6c0b97d1bd5c79a9/regexp.h#L31
Resub (defined in
regexp.hto have a capture size of 10) is used inregexec()as if it hasMAXSUBcaptures, butMAXSUBis a configurable macro definition which may exceed the hard-codedREG_MAXSUBfromregexp.h, resulting in stack-smashing.Solution:
regexp.habsolutely needs to use the same value forREG_MAXSUBas the C file, and the docs need to warn users that the same value must be provided both when compiling the library and when includingregexp.hfrom their client code. If they don't then thesizeof(Resub)will differ in different object files.