From e9cc309c4cd9f0c92bfb0638b1be8f984e9a5d98 Mon Sep 17 00:00:00 2001
From: Nick Wilson <niwilson@microsoft.com>
Date: Fri, 27 Sep 2024 13:16:57 +0100
Subject: [PATCH] Fix two small issues with substitution nulls

---
 src/pcre2_substitute.c | 13 +++++++------
 testdata/testinput2    |  3 +++
 testdata/testoutput2   |  4 ++++
 3 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/src/pcre2_substitute.c b/src/pcre2_substitute.c
index debbbd54e..5563a6f69 100644
--- a/src/pcre2_substitute.c
+++ b/src/pcre2_substitute.c
@@ -514,8 +514,9 @@ do
 
     save_start = start_offset++;
     if (subject[start_offset-1] == CHAR_CR &&
-        code->newline_convention != PCRE2_NEWLINE_CR &&
-        code->newline_convention != PCRE2_NEWLINE_LF &&
+        (code->newline_convention == PCRE2_NEWLINE_CRLF ||
+         code->newline_convention == PCRE2_NEWLINE_ANY ||
+         code->newline_convention == PCRE2_NEWLINE_ANYCRLF) &&
         start_offset < length &&
         subject[start_offset] == CHAR_LF)
       start_offset++;
@@ -824,10 +825,10 @@ do
           PCRE2_SPTR mark = pcre2_get_mark(match_data);
           if (mark != NULL)
             {
-            PCRE2_SPTR mark_start = mark;
-            while (*mark != 0) mark++;
-            fraglength = mark - mark_start;
-            CHECKMEMCPY(mark_start, fraglength);
+            /* Peek backwards one code unit to obtain the length of the mark.
+            It can (theoretically) contain an embedded NUL. */
+            fraglength = mark[-1];
+            CHECKMEMCPY(mark, fraglength);
             }
           }
         else goto BAD;
diff --git a/testdata/testinput2 b/testdata/testinput2
index 11f7d1566..452b25209 100644
--- a/testdata/testinput2
+++ b/testdata/testinput2
@@ -4208,6 +4208,9 @@
 /(*:pear)apple|(*:orange)lemon|(*:strawberry)blackberry/g,replace=[23]${*MARK}
     apple lemon blackberry
 
+/"(*:fruit" 00 "juice)apple"/hex,g,replace=${*MARK}
+    apple lemon blackberry
+
 /abc/
     123abc123\=replace=[9]XYZ
     123abc123\=substitute_overflow_length,replace=[9]XYZ
diff --git a/testdata/testoutput2 b/testdata/testoutput2
index b82328f72..d6a00f076 100644
--- a/testdata/testoutput2
+++ b/testdata/testoutput2
@@ -13860,6 +13860,10 @@ Failed: error -48: no more memory: 23 code units are needed
     apple lemon blackberry
  3: pear orange strawberry
 
+/"(*:fruit" 00 "juice)apple"/hex,g,replace=${*MARK}
+    apple lemon blackberry
+ 1: fruit\x00juice lemon blackberry
+
 /abc/
     123abc123\=replace=[9]XYZ
 Failed: error -48: no more memory