From 982f3bbe4505507d6d27cf537e765bbc024754a7 Mon Sep 17 00:00:00 2001
From: jzmaddock <john@johnmaddock.co.uk>
Date: Thu, 23 Feb 2017 09:30:49 +0000
Subject: [PATCH] de-fuzz: need to fail when a named recursive subexpression
 refers to an invalid name.

---
 .../boost/regex/v4/basic_regex_creator.hpp    | 83 ++++++++++---------
 1 file changed, 45 insertions(+), 38 deletions(-)

diff --git a/include/boost/regex/v4/basic_regex_creator.hpp b/include/boost/regex/v4/basic_regex_creator.hpp
index 7ee47b3f..132ff84f 100644
--- a/include/boost/regex/v4/basic_regex_creator.hpp
+++ b/include/boost/regex/v4/basic_regex_creator.hpp
@@ -801,50 +801,57 @@ void basic_regex_creator<charT, traits>::fixup_recursions(re_syntax_base* state)
                //
                idx = m_pdata->get_id(static_cast<int>(idx));
             }
-            while(p)
+            if(idx < 0)
             {
-               if((p->type == syntax_element_startmark) && (static_cast<re_brace*>(p)->index == idx))
+               ok = false;
+            }
+            else
+            {
+               while(p)
                {
-                  //
-                  // We've found the target of the recursion, set the jump target:
-                  //
-                  static_cast<re_jump*>(state)->alt.p = p;
-                  ok = true;
-                  // 
-                  // Now scan the target for nested repeats:
-                  //
-                  p = p->next.p;
-                  int next_rep_id = 0;
-                  while(p)
+                  if((p->type == syntax_element_startmark) && (static_cast<re_brace*>(p)->index == idx))
                   {
-                     switch(p->type)
-                     {
-                     case syntax_element_rep:
-                     case syntax_element_dot_rep:
-                     case syntax_element_char_rep:
-                     case syntax_element_short_set_rep:
-                     case syntax_element_long_set_rep:
-                        next_rep_id = static_cast<re_repeat*>(p)->state_id;
-                        break;
-                     case syntax_element_endmark:
-                        if(static_cast<const re_brace*>(p)->index == idx)
-                           next_rep_id = -1;
-                        break;
-                     default: 
-                        break;
-                     }
-                     if(next_rep_id)
-                        break;
+                     //
+                     // We've found the target of the recursion, set the jump target:
+                     //
+                     static_cast<re_jump*>(state)->alt.p = p;
+                     ok = true;
+                     // 
+                     // Now scan the target for nested repeats:
+                     //
                      p = p->next.p;
-                  }
-                  if(next_rep_id > 0)
-                  {
-                     static_cast<re_recurse*>(state)->state_id = next_rep_id - 1;
-                  }
+                     int next_rep_id = 0;
+                     while(p)
+                     {
+                        switch(p->type)
+                        {
+                        case syntax_element_rep:
+                        case syntax_element_dot_rep:
+                        case syntax_element_char_rep:
+                        case syntax_element_short_set_rep:
+                        case syntax_element_long_set_rep:
+                           next_rep_id = static_cast<re_repeat*>(p)->state_id;
+                           break;
+                        case syntax_element_endmark:
+                           if(static_cast<const re_brace*>(p)->index == idx)
+                              next_rep_id = -1;
+                           break;
+                        default:
+                           break;
+                        }
+                        if(next_rep_id)
+                           break;
+                        p = p->next.p;
+                     }
+                     if(next_rep_id > 0)
+                     {
+                        static_cast<re_recurse*>(state)->state_id = next_rep_id - 1;
+                     }
 
-                  break;
+                     break;
+                  }
+                  p = p->next.p;
                }
-               p = p->next.p;
             }
             if(!ok)
             {