gh-140979: Fix off-by-one error in the RE code validator (GH-140984)

It was too lenient and allowed MARK opcodes with too large value.
2025-11-04 17:49:44 +02:00
parent fa9c3eefd4
commit 1326d2a808
1 changed files with 1 additions and 1 deletions
--- a/Modules/_sre/sre.c
+++ b/Modules/_sre/sre.c
@@ -1946,7 +1946,7 @@ _validate_inner(SRE_CODE *code, SRE_CODE *end, Py_ssize_t groups)
               sre_match() code is robust even if they don't, and the worst
               you can get is nonsensical match results. */
            GET_ARG;
-            if (arg > 2 * (size_t)groups + 1) {
+            if (arg >= 2 * (size_t)groups) {
                VTRACE(("arg=%d, groups=%d\n", (int)arg, (int)groups));
                FAIL;
            }