security-fix-3#462

Merged
nirint merged 1 commit into master from security-fix-3 on Jun 1, 2026
Conversation

@shubhangi-shrivastava

Contributor

No description provided.

Signed-off-by: Shubhangi Shrivastava <shubhangi.shrivastava@intel.com>

Copilot AI left a comment

Pull request overview

This PR aims to harden reverse acceleration checks in the NFA runtime, likely to prevent out-of-bounds reads when evaluating reverse double-EOD (two-byte) acceleration.

Changes:

  • Added length guards before performing 16-bit loads in ACCEL_RDEOD and ACCEL_RDEOD_NOCASE paths.
  • Adjusted control flow to skip the accel check when the new guard fails.
Comments suppressed due to low confidence (2)

src/nfa/nfa_rev_api.h:113

  • The new bounds check for ACCEL_RDEOD is off by one and doesn’t guarantee the u16 load is in-bounds. unaligned_load_u16(buffer + length - rAccelOffset) is safe when length >= rAccelOffset and rAccelOffset >= 2; the current length < rAccelOffset + 1 unnecessarily skips the safe length == rAccelOffset case, and still allows an out-of-bounds read if a corrupted NFA ever has rAccelOffset == 1.
    case ACCEL_RDEOD:
        DEBUG_PRINTF("ACCEL_RDEOD\n");
        if (length < nfa->rAccelOffset + 1) {
            break;
        }
        if (unaligned_load_u16(buffer + length - nfa->rAccelOffset) !=
                nfa->rAccelData.dc) {
            return 0;
        }

src/nfa/nfa_rev_api.h:123

  • Same issue as ACCEL_RDEOD: the length < rAccelOffset + 1 check is stricter than necessary (skips length == rAccelOffset) and doesn’t protect the u16 load if rAccelOffset is ever 1 (e.g., corrupted/invalid NFA). For a 16-bit load, explicitly require rAccelOffset >= 2 and length >= rAccelOffset.
    case ACCEL_RDEOD_NOCASE:
        DEBUG_PRINTF("ACCEL_RDEOD_NOCASE\n");
        if (length < nfa->rAccelOffset + 1) {
            break;
        }
        if ((unaligned_load_u16(buffer + length - nfa->rAccelOffset) &
             DOUBLE_CASE_CLEAR) != nfa->rAccelData.dc) {
            return 0;
        }
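
The off-by-one the review describes can be checked mechanically. The following C program is an added illustration, not code from the PR or from the project it targets: it models the PR's guard (`length < rAccelOffset + 1`), the guard the review proposes (`rAccelOffset >= 2 && length >= rAccelOffset`), and the ground truth (do both bytes of the 16-bit load lie inside the buffer?), then enumerates (length, rAccelOffset) pairs to show where the PR's guard still permits an out-of-bounds read (offset 0 or 1) and where it needlessly skips the safe `length == rAccelOffset` case. `struct rev_accel`, `rev_deod_check`, the result codes and the sample buffer are constructed for the example; `unaligned_load_u16` is a memcpy-based stand-in for the project's helper.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the NFA fields named in the review (not the
   project's struct): rAccelOffset is how far back from the end of the buffer
   the two-byte double-EOD literal is expected; dc is that literal. */
struct rev_accel {
    uint32_t rAccelOffset;
    uint16_t dc;
};

/* Two-byte load that tolerates unaligned addresses (memcpy-based stand-in). */
static uint16_t unaligned_load_u16(const uint8_t *p) {
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return v;
}

/* Guard as written in the PR: proceed unless length < rAccelOffset + 1. */
static int guard_pr(size_t length, uint32_t off) {
    return !(length < (size_t)off + 1);
}

/* Guard proposed in the review: rAccelOffset >= 2 and length >= rAccelOffset. */
static int guard_reviewed(size_t length, uint32_t off) {
    return off >= 2 && length >= off;
}

/* Ground truth: bytes buffer[length-off] and buffer[length-off+1] are inside
   [0, length) only if off <= length and (length - off) + 2 <= length. */
static int load_in_bounds(size_t length, uint32_t off) {
    if (off > length) return 0;
    return (length - off) + 2 <= length;
}

/* Result codes: 2 = guard declined (fall through to the full reverse scan),
   1 = literal present at the expected position, 0 = literal absent. */
enum { RACCEL_FAIL = 0, RACCEL_PASS = 1, RACCEL_SKIP = 2 };

static int rev_deod_check(const uint8_t *buffer, size_t length,
                          const struct rev_accel *a,
                          int (*guard)(size_t, uint32_t)) {
    if (!guard(length, a->rAccelOffset)) return RACCEL_SKIP;
    /* Only reached when the guard accepted. With guard_pr this load runs past
       the end of buffer whenever rAccelOffset is 0 or 1. */
    return unaligned_load_u16(buffer + length - a->rAccelOffset) == a->dc
               ? RACCEL_PASS : RACCEL_FAIL;
}

/* Pairs on a (length, off) grid where the PR's guard proceeds to an
   out-of-bounds load. On a 0..16 grid: off 0 (length 1..16) and off 1
   (length 2..16), i.e. 31 pairs. */
static size_t pr_guard_oob_pairs(size_t max) {
    size_t n = 0;
    for (size_t len = 0; len <= max; len++)
        for (uint32_t off = 0; off <= max; off++)
            if (guard_pr(len, off) && !load_in_bounds(len, off)) n++;
    return n;
}

/* Pairs where the PR's guard skips although the load is safe: exactly the
   length == off cases with off >= 2 (15 pairs on a 0..16 grid). */
static size_t pr_guard_skipped_safe_pairs(size_t max) {
    size_t n = 0;
    for (size_t len = 0; len <= max; len++)
        for (uint32_t off = 0; off <= max; off++)
            if (!guard_pr(len, off) && load_in_bounds(len, off)) n++;
    return n;
}

/* 1 if the reviewed guard accepts exactly the in-bounds pairs on the grid. */
static int reviewed_guard_is_exact(size_t max) {
    for (size_t len = 0; len <= max; len++)
        for (uint32_t off = 0; off <= max; off++)
            if (guard_reviewed(len, off) != load_in_bounds(len, off)) return 0;
    return 1;
}

/* Run the check on a constructed 8-byte buffer whose literal "gh" sits two
   bytes before the end, using the first `length` bytes of it. */
static int demo_check(size_t length, int use_reviewed_guard) {
    static const uint8_t buf[] = "abcdefgh";           /* constructed input */
    struct rev_accel a = { 2, unaligned_load_u16((const uint8_t *)"gh") };
    return rev_deod_check(buf, length, &a,
                          use_reviewed_guard ? guard_reviewed : guard_pr);
}

int main(void) {
    printf("PR guard: %zu out-of-bounds pairs, %zu safe pairs skipped (grid 0..16)\n",
           pr_guard_oob_pairs(16), pr_guard_skipped_safe_pairs(16));
    printf("reviewed guard exact on grid: %d\n", reviewed_guard_is_exact(16));
    printf("length 8, reviewed guard: %d (1 = literal found)\n", demo_check(8, 1));
    printf("length 2 == offset, PR guard: %d (2 = skipped)\n", demo_check(2, 0));
    printf("length 2 == offset, reviewed guard: %d (0 = compared, absent)\n", demo_check(2, 1));
    return 0;
}
```

The grid enumeration is the practitioner's check here: a guard that protects a fixed-width load should be compared against the load's actual footprint, `[length - off, length - off + width)`, rather than reasoned about by adding one. The reviewed form is exact for a 2-byte load, and the same pattern (`off >= width && length >= off`) generalises to other widths.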

@nirint nirint merged commit 6676e7e into master Jun 1, 2026
1 check passed