Heap buffer overflow in CRegexSearcher #24

Open
angstsmurf opened this issue Feb 7, 2023 · 0 comments

@angstsmurf (Contributor)

When running The Elysium Enigma with Address Sanitizer on, it will abort with a heap-buffer-overflow error on the very first turn after pressing a key.

=================================================================
==50349==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x00010ab059e0 at pc 0x0001012026d4 bp 0x00016ef3d6b0 sp 0x00016ef3d6a8
READ of size 1 at 0x00010ab059e0 thread T0
    #0 0x1012026d0 in utf8_ptr::s_inc(char const*) utf8.h:362
    #1 0x10126a444 in utf8_ptr::inc(unsigned long*) utf8.h:155
    #2 0x101713f74 in CRegexSearcher::search(char const*, char const*, unsigned long, re_compiled_pattern_base const*, re_tuple const*, re_machine const*, re_group_register*, int*) vmregex.cpp:3950
    #3 0x101714c18 in CRegexSearcher::search_for_pattern(re_compiled_pattern const*, char const*, char const*, unsigned long, int*, re_group_register*) vmregex.cpp:4245
    #4 0x10144be6c in CRegexSearcherSimple::search_for_pattern(re_compiled_pattern const*, char const*, char const*, unsigned long, int*) vmregex.h:1206
    #5 0x10144df50 in re_replace_arg::search(char const*, int, char const*) vmfindrep.h:251
    #6 0x10142a9a8 in void vm_find_replace<1>(vm_val_t*, int, vm_val_t const*, char const*) vmfindrep.h:673
    #7 0x101428334 in CVmBifTADS::re_replace(unsigned int) vmbiftad.cpp:2827
    #8 0x101409180 in CVmBifTable::call_func(unsigned int, unsigned int, unsigned int) vmbifl.cpp:55
    #9 0x10173a198 in CVmRun::call_bif(unsigned int, unsigned int, unsigned int) vmrun.cpp:4330
    #10 0x10172d11c in CVmRun::run(unsigned char const*) vmrun.cpp:2818
    #11 0x10173fd70 in CVmRun::do_call(unsigned int, unsigned char const*, unsigned int, vm_rcdesc const*) vmrun.cpp:4731
    #12 0x10161d5f0 in CVmImageLoader::run(char const* const*, int, CVmRuntimeSymbols*, CVmRuntimeSymbols*, char const*) vmimage.cpp:931
    #13 0x10167c314 in vm_run_image(vm_run_image_params const*) vmmain.cpp:205
    #14 0x101683d88 in vm_run_image_main(CVmMainClientIfc*, char const*, int, char**, int, int, CVmHostIfc*) vmmain.cpp:854
    #15 0x100ef9890 in main_t3(int, char**) t23run.cpp:136
    #16 0x100ef8f4c in glk_main t23run.cpp:262
    #17 0x100efeed0 in main main.c:64
    #18 0x19df1be4c  (<unknown module>)

0x00010ab059e0 is located 0 bytes to the right of 1376-byte region [0x00010ab05480,0x00010ab059e0)
allocated by thread T0 here:
    #0 0x102666ca8 in wrap_malloc+0x94 (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3eca8)
    #1 0x1016c1144 in CVmVarHeapHybrid_malloc::alloc(unsigned long) vmobj.h:2788
    #2 0x1016bde54 in CVmVarHeapHybrid::alloc_mem(unsigned long, CVmObject*) vmobj.cpp:3690
    #3 0x10176e258 in CVmObjString::CVmObjString(unsigned long) vmstr.cpp:299
    #4 0x10176ce60 in CVmObjString::CVmObjString(unsigned long) vmstr.cpp:283
    #5 0x10176cdf4 in CVmObjString::create(int, unsigned long) vmstr.cpp:137
    #6 0x1017724c4 in CVmObjString::add_to_str(vm_val_t*, vm_val_t const*, vm_val_t const*) vmstr.cpp:779
    #7 0x101772010 in CVmObjString::add_val(vm_val_t*, unsigned int, vm_val_t const*) vmstr.cpp:705
    #8 0x10171b0c8 in CVmRun::compute_sum(vm_val_t*, vm_val_t const*) vmrun.cpp:220
    #9 0x10172e414 in CVmRun::run(unsigned char const*) vmrun.cpp:3097
    #10 0x10173fd70 in CVmRun::do_call(unsigned int, unsigned char const*, unsigned int, vm_rcdesc const*) vmrun.cpp:4731
    #11 0x10161d5f0 in CVmImageLoader::run(char const* const*, int, CVmRuntimeSymbols*, CVmRuntimeSymbols*, char const*) vmimage.cpp:931
    #12 0x10167c314 in vm_run_image(vm_run_image_params const*) vmmain.cpp:205
    #13 0x101683d88 in vm_run_image_main(CVmMainClientIfc*, char const*, int, char**, int, int, CVmHostIfc*) vmmain.cpp:854
    #14 0x100ef9890 in main_t3(int, char**) t23run.cpp:136
    #15 0x100ef8f4c in glk_main t23run.cpp:262
    #16 0x100efeed0 in main main.c:64
    #17 0x19df1be4c  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow utf8.h:362 in utf8_ptr::s_inc(char const*)
Shadow bytes around the buggy address:
  0x007021580ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007021580af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007021580b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007021580b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007021580b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x007021580b30: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x007021580b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x007021580b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007021580b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007021580b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007021580b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==50349==ABORTING
@angstsmurf angstsmurf changed the title Out-of-bounds read in CRegexSearcher Heap buffer overflow in CRegexSearcher Feb 7, 2023