/usr/src/usr.bin/vi/build/../ex/ex

Bug Summary

File:	src/usr.bin/vi/build/../ex/ex_subst.c
Warning:	line 211, column 11 Dereference of null pointer
Annotated Source Code

Press '?' to see keyboard shortcuts
Show analyzer invocation
clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name ex_subst.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/vi/build/obj -resource-dir /usr/local/lib/clang/13.0.0 -I /usr/src/usr.bin/vi/build -I /usr/src/usr.bin/vi/build/../include -I . -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.bin/vi/build/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/vi/build/../ex/ex_subst.c
1/*	$OpenBSD: ex_subst.c,v 1.30 2017/04/18 01:45:35 deraadt Exp $	*/

3/*-
* Copyright (c) 1992, 1993, 1994
*	The Regents of the University of California.  All rights reserved.
* Copyright (c) 1992, 1993, 1994, 1995, 1996
*	Keith Bostic.  All rights reserved.
*
* See the LICENSE file for redistribution information.
*/

12#include "config.h"

14#include <sys/queue.h>
15#include <sys/time.h>

17#include <bitstring.h>
18#include <ctype.h>
19#include <errno(*__errno()).h>
20#include <limits.h>
21#include <stdio.h>
22#include <stdlib.h>
23#include <string.h>
24#include <unistd.h>

26#include "../common/common.h"
27#include "../vi/vi.h"

29#define MAXIMUM(a, b)(((a) > (b)) ? (a) : (b))	(((a) > (b)) ? (a) : (b))

31#define	SUB_FIRST0x01	0x01		/* The 'r' flag isn't reasonable. */
32#define	SUB_MUSTSETR0x02	0x02		/* The 'r' flag is required. */

34static int re_conv(SCR *, char **, size_t *, int *);
35static int re_sub(SCR *, char *, char **, size_t *, size_t *, regmatch_t [10]);
36static int re_tag_conv(SCR *, char **, size_t *, int *);
37static int s(SCR *, EXCMD *, char *, regex_t *, u_int);

39/*
* ex_s --
*	[line [,line]] s[ubstitute] [[/;]pat[/;]/repl[/;] [cgr] [count] [#lp]]
*
*	Substitute on lines matching a pattern.
*
* PUBLIC: int ex_s(SCR *, EXCMD *);
*/
47int
48ex_s(SCR *sp, EXCMD *cmdp)
49{
regex_t *re;
size_t blen, len;
u_int flags;
int delim;
char *bp, *ptrn, *rep, *p, *t;

/*
* Skip leading white space.
*
* !!!
* Historic vi allowed any non-alphanumeric to serve as the
* substitution command delimiter.
*
* !!!
* If the arguments are empty, it's the same as &, i.e. we
* repeat the last substitution.
*/
if (cmdp->argc == 0)
1
Assuming field 'argc' is not equal to 0→
2
←
Taking false branch→
goto subagain;
for (p = cmdp->argv[0]->bp,
4
←
Loop condition is true.  Entering loop body→
   len = cmdp->argv[0]->len; len > 0; --len, ++p) {
3
←
Assuming 'len' is > 0→
if (!isblank(*p))
5
←
Taking true branch→
	break;
6
←
 Execution continues on line 74→
}
if (len6.1
'len' is not equal to 0
 == 0)
7
←
Taking false branch→
75subagain:	return (ex_subagain(sp, cmdp));

delim = *p++;
if (isalnum(delim) || delim == '\\')
8
←
Assuming the condition is false→
9
←
Taking false branch→
return (s(sp, cmdp, p, &sp->subre_c, SUB_MUSTSETR0x02));

/*
* !!!
* The full-blown substitute command reset the remembered
* state of the 'c' and 'g' suffices.
*/
sp->c_suffix = sp->g_suffix = 0;

/*
* Get the pattern string, toss escaping characters.
*
* !!!
* Historic vi accepted any of the following forms:
*
*	:s/abc/def/		change "abc" to "def"
*	:s/abc/def		change "abc" to "def"
*	:s/abc/			delete "abc"
*	:s/abc			delete "abc"
*
* QUOTING NOTE:
*
* Only toss an escaping character if it escapes a delimiter.
* This means that "s/A/\\\\f" replaces "A" with "\\f".  It
* would be nice to be more regular, i.e. for each layer of
* escaping a single escaping character is removed, but that's
* not how the historic vi worked.
*/
for (ptrn = t = p;;) {
10
←
Loop condition is true.  Entering loop body→
if (p[0] == '\0' || p[0] == delim) {
11
←
Assuming the condition is false→
12
←
Assuming the condition is true→
13
←
Taking true branch→
	if (p[0] == delim)
14
←
Taking true branch→
		++p;
	/*
	 * !!!
	 * Nul terminate the pattern string -- it's passed
	 * to regcomp which doesn't understand anything else.
	 */
	*t = '\0';
	break;
15
←
 Execution continues on line 132→
}
if (p[0] == '\\') {
	if (p[1] == delim)
		++p;
	else if (p[1] == '\\')
		*t++ = *p++;
}
*t++ = *p++;
}

/*
* If the pattern string is empty, use the last RE (not just the
* last substitution RE).
*/
if (*ptrn == '\0') {
16
←
Taking true branch→
if (sp->re == NULL((void *)0)) {
17
←
Assuming field 're' is not equal to NULL→
18
←
Taking false branch→
	ex_emsg(sp, NULL((void *)0), EXM_NOPREVRE);
	return (1);
}

/* Re-compile the RE if necessary. */
if (!F_ISSET(sp, SC_RE_SEARCH)(((sp)->flags) & ((0x00400000))) && re_compile(sp,
19
←
Assuming the condition is false→
    sp->re, sp->re_len, NULL((void *)0), NULL((void *)0), &sp->re_c, RE_C_SEARCH0x0002))
	return (1);
flags = 0;
} else {
/*
 * !!!
 * Compile the RE.  Historic practice is that substitutes set
 * the search direction as well as both substitute and search
 * RE's.  We compile the RE twice, as we don't want to bother
 * ref counting the pattern string and (opaque) structure.
 */
if (re_compile(sp, ptrn, t - ptrn,
    &sp->re, &sp->re_len, &sp->re_c, RE_C_SEARCH0x0002))
	return (1);
if (re_compile(sp, ptrn, t - ptrn,
    &sp->subre, &sp->subre_len, &sp->subre_c, RE_C_SUBST0x0008))
	return (1);

flags = SUB_FIRST0x01;
sp->searchdir = FORWARD;
}
re = &sp->re_c;

/*
* Get the replacement string.
*
* The special character & (\& if O_MAGIC not set) matches the
* entire RE.  No handling of & is required here, it's done by
* re_sub().
*
* The special character ~ (\~ if O_MAGIC not set) inserts the
* previous replacement string into this replacement string.
* Count ~'s to figure out how much space we need.  We could
* special case nonexistent last patterns or whether or not
* O_MAGIC is set, but it's probably not worth the effort.
*
* QUOTING NOTE:
*
* Only toss an escaping character if it escapes a delimiter or
* if O_MAGIC is set and it escapes a tilde.
*
* !!!
* If the entire replacement pattern is "%", then use the last
* replacement pattern.  This semantic was added to vi in System
* V and then percolated elsewhere, presumably around the time
* that it was added to their version of ed(1).
*/
if (p[0] == '\0' || p[0] == delim) {
20
←
Assuming the condition is false→
21
←
Assuming the condition is false→
22
←
Taking false branch→
if (p[0] == delim)
	++p;
free(sp->repl);
sp->repl = NULL((void *)0);
sp->repl_len = 0;
} else if (p[0] == '%' && (p[1] == '\0' || p[1] == delim))
23
←
Assuming the condition is false→
p += p[1] == delim ? 2 : 1;
else {
for (rep = p, len = 0;
24
←
Loop condition is true.  Entering loop body→
29
←
Loop condition is true.  Entering loop body→
34
←
Loop condition is true.  Entering loop body→
    p[0] != '\0' && p[0] != delim; ++p, ++len)
27
←
Assuming the condition is true→
28
←
Assuming the condition is true→
32
←
Assuming the condition is true→
33
←
Assuming the condition is true→
37
←
Assuming the condition is false→
	if (p[0] == '~')
25
←
Assuming the condition is false→
26
←
Taking false branch→
30
←
Assuming the condition is false→
31
←
Taking false branch→
35
←
Assuming the condition is true→
36
←
Taking true branch→
		len += sp->repl_len;
GET_SPACE_RET(sp, bp, blen, len){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp == ((void *)0) || (((L__gp)->flags) & ((0x0100
)))) { (bp) = ((void *)0); (blen) = 0; { void *L__bincp; if (
((len)) > ((blen))) { if ((L__bincp = binc(((sp)), ((bp)),
 &((blen)), ((len)))) == ((void *)0)) return (1); ((bp)) =
 L__bincp; } }; } else { { void *L__bincp; if (((len)) > (
L__gp->tmp_blen)) { if ((L__bincp = binc(((sp)), (L__gp->
tmp_bp), &(L__gp->tmp_blen), ((len)))) == ((void *)0))
 return (1); (L__gp->tmp_bp) = L__bincp; } }; (bp) = L__gp
->tmp_bp; (blen) = L__gp->tmp_blen; (((L__gp)->flags
) |= ((0x0100))); } };
38
←
'?' condition is false→
39
←
Assuming 'L__gp' is equal to null→
40
←
Assuming 'len' is <= 'blen'→
41
←
Taking false branch→
for (t = bp, len = 0, p = rep;;) {
42
←
Loop condition is true.  Entering loop body→
	if (p[0] == '\0' || p[0] == delim) {
43
←
Taking false branch→
		if (p[0] == delim)
			++p;
		break;
	}
	if (p[0] == '\\') {
44
←
Assuming the condition is true→
45
←
Taking true branch→
		if (p[1] == delim)
46
←
Taking false branch→
			++p;
		else if (p[1] == '\\') {
47
←
Assuming the condition is true→
48
←
Taking true branch→
			*t++ = *p++;
49
←
Null pointer value stored to 't'→
50
←
Dereference of null pointer
			++len;
		} else if (p[1] == '~') {
			++p;
			if (!O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val))
				goto tilde;
		}
	} else if (p[0] == '~' && O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val)) {
219tilde:				++p;
		memcpy(t, sp->repl, sp->repl_len);
		t += sp->repl_len;
		len += sp->repl_len;
		continue;
	}
	*t++ = *p++;
	++len;
}
if ((sp->repl_len = len) != 0) {
	free(sp->repl);
	if ((sp->repl = malloc(len)) == NULL((void *)0)) {
		msgq(sp, M_SYSERR, NULL((void *)0));
		FREE_SPACE(sp, bp, blen){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp != ((void *)0) && (bp) == L__gp->tmp_bp
) (((L__gp)->flags) &= ~((0x0100))); else free(bp); };
		return (1);
	}
	memcpy(sp->repl, bp, len);
}
FREE_SPACE(sp, bp, blen){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp != ((void *)0) && (bp) == L__gp->tmp_bp
) (((L__gp)->flags) &= ~((0x0100))); else free(bp); };
}
return (s(sp, cmdp, p, re, flags));
240}

242/*
* ex_subagain --
*	[line [,line]] & [cgr] [count] [#lp]]
*
*	Substitute using the last substitute RE and replacement pattern.
*
* PUBLIC: int ex_subagain(SCR *, EXCMD *);
*/
250int
251ex_subagain(SCR *sp, EXCMD *cmdp)
252{
if (sp->subre == NULL((void *)0)) {
ex_emsg(sp, NULL((void *)0), EXM_NOPREVRE);
return (1);
}
if (!F_ISSET(sp, SC_RE_SUBST)(((sp)->flags) & ((0x00800000))) && re_compile(sp,
   sp->subre, sp->subre_len, NULL((void *)0), NULL((void *)0), &sp->subre_c, RE_C_SUBST0x0008))
return (1);
return (s(sp,
   cmdp, cmdp->argc ? cmdp->argv[0]->bp : NULL((void *)0), &sp->subre_c, 0));
262}

264/*
* ex_subtilde --
*	[line [,line]] ~ [cgr] [count] [#lp]]
*
*	Substitute using the last RE and last substitute replacement pattern.
*
* PUBLIC: int ex_subtilde(SCR *, EXCMD *);
*/
272int
273ex_subtilde(SCR *sp, EXCMD *cmdp)
274{
if (sp->re == NULL((void *)0)) {
ex_emsg(sp, NULL((void *)0), EXM_NOPREVRE);
return (1);
}
if (!F_ISSET(sp, SC_RE_SEARCH)(((sp)->flags) & ((0x00400000))) && re_compile(sp,
   sp->re, sp->re_len, NULL((void *)0), NULL((void *)0), &sp->re_c, RE_C_SEARCH0x0002))
return (1);
return (s(sp,
   cmdp, cmdp->argc ? cmdp->argv[0]->bp : NULL((void *)0), &sp->re_c, 0));
284}

286/*
* s --
* Do the substitution.  This stuff is *really* tricky.  There are lots of
* special cases, and general nastiness.  Don't mess with it unless you're
* pretty confident.
* 
* The nasty part of the substitution is what happens when the replacement
* string contains newlines.  It's a bit tricky -- consider the information
* that has to be retained for "s/f\(o\)o/^M\1^M\1/".  The solution here is
* to build a set of newline offsets which we use to break the line up later,
* when the replacement is done.  Don't change it unless you're *damned*
* confident.
*/
299#define	NEEDNEWLINE(sp){ if ((sp)->newl_len == (sp)->newl_cnt) { (sp)->newl_len
 += 25; { void *tmpp; if (((tmpp) = (reallocarray(((sp)->newl
), ((sp)->newl_len), (sizeof(size_t))))) == ((void *)0)) {
 msgq(((sp)), M_SYSERR, ((void *)0)); free((sp)->newl); } (
sp)->newl = tmpp; }; if ((sp)->newl == ((void *)0)) { (
sp)->newl_len = 0; return (1); } } } {						\
if ((sp)->newl_len == (sp)->newl_cnt) {				\
(sp)->newl_len += 25;					\
REALLOCARRAY((sp), (sp)->newl,				\{ void *tmpp; if (((tmpp) = (reallocarray(((sp)->newl), ((
sp)->newl_len), (sizeof(size_t))))) == ((void *)0)) { msgq
(((sp)), M_SYSERR, ((void *)0)); free((sp)->newl); } (sp)->
newl = tmpp; }
    (sp)->newl_len, sizeof(size_t)){ void *tmpp; if (((tmpp) = (reallocarray(((sp)->newl), ((
sp)->newl_len), (sizeof(size_t))))) == ((void *)0)) { msgq
(((sp)), M_SYSERR, ((void *)0)); free((sp)->newl); } (sp)->
newl = tmpp; };			\
if ((sp)->newl == NULL((void *)0)) {				\
	(sp)->newl_len = 0;				\
	return (1);					\
}							\
}								\
309}

311#define	BUILD(sp, l, len){ if (lbclen + (len) > lblen) { lblen += (((lbclen + (len)
) > (256)) ? (lbclen + (len)) : (256)); { void *tmpp; if (
((tmpp) = (realloc((lb), (lblen)))) == ((void *)0)) { msgq(((
sp)), M_SYSERR, ((void *)0)); free(lb); } lb = tmpp; }; if (lb
 == ((void *)0)) { lbclen = 0; return (1); } } memcpy(lb + lbclen
, (l), (len)); lbclen += (len); } {						\
if (lbclen + (len) > lblen) {					\
lblen += MAXIMUM(lbclen + (len), 256)(((lbclen + (len)) > (256)) ? (lbclen + (len)) : (256));			\
REALLOC((sp), lb, lblen){ void *tmpp; if (((tmpp) = (realloc((lb), (lblen)))) == ((void
 *)0)) { msgq(((sp)), M_SYSERR, ((void *)0)); free(lb); } lb =
 tmpp; };				\
if (lb == NULL((void *)0)) {					\
	lbclen = 0;					\
	return (1);					\
}							\
}								\
memcpy(lb + lbclen, (l), (len));				\
lbclen += (len);						\
322}

324#define	NEEDSP(sp, len, pnt){ if (lbclen + (len) > lblen) { lblen += (((lbclen + (len)
) > (256)) ? (lbclen + (len)) : (256)); { void *tmpp; if (
((tmpp) = (realloc((lb), (lblen)))) == ((void *)0)) { msgq(((
sp)), M_SYSERR, ((void *)0)); free(lb); } lb = tmpp; }; if (lb
 == ((void *)0)) { lbclen = 0; return (1); } (pnt) = lb + lbclen
; } } {						\
if (lbclen + (len) > lblen) {					\
lblen += MAXIMUM(lbclen + (len), 256)(((lbclen + (len)) > (256)) ? (lbclen + (len)) : (256));			\
REALLOC((sp), lb, lblen){ void *tmpp; if (((tmpp) = (realloc((lb), (lblen)))) == ((void
 *)0)) { msgq(((sp)), M_SYSERR, ((void *)0)); free(lb); } lb =
 tmpp; };				\
if (lb == NULL((void *)0)) {					\
	lbclen = 0;					\
	return (1);					\
}							\
(pnt) = lb + lbclen;					\
}								\
334}

336static int
337s(SCR *sp, EXCMD *cmdp, char *s, regex_t *re, u_int flags)
338{
EVENT ev;
MARK from, to;
TEXTH tiq;
recno_t elno, lno, slno;
regmatch_t match[10];
size_t blen, cnt, last, lbclen, lblen, len, llen;
size_t offset, saved_offset, scno;
int lflag, nflag, pflag, rflag;
int didsub, do_eol_match, eflags, nempty, eval;
int linechanged, matched, quit, rval;
unsigned long ul;
char *bp, *lb;

NEEDFILE(sp, cmdp){ if ((sp)->ep == ((void *)0)) { ex_emsg((sp), (cmdp)->
cmd->name, EXM_NOFILEYET); return (1); } };

slno = sp->lno;
scno = sp->cno;

/*
* !!!
* Historically, the 'g' and 'c' suffices were always toggled as flags,
* so ":s/A/B/" was the same as ":s/A/B/ccgg".  If O_EDCOMPATIBLE was
* not set, they were initialized to 0 for all substitute commands.  If
* O_EDCOMPATIBLE was set, they were initialized to 0 only if the user
* specified substitute/replacement patterns (see ex_s()).
*/
if (!O_ISSET(sp, O_EDCOMPATIBLE)((((&(((sp)))->opts[(((O_EDCOMPATIBLE)))])->flags) &
 ((0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_EDCOMPATIBLE
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_EDCOMPATIBLE
)))].o_cur.val))
sp->c_suffix = sp->g_suffix = 0;

/*
* Historic vi permitted the '#', 'l' and 'p' options in vi mode, but
* it only displayed the last change.  I'd disallow them, but they are
* useful in combination with the [v]global commands.  In the current
* model the problem is combining them with the 'c' flag -- the screen
* would have to flip back and forth between the confirm screen and the
* ex print screen, which would be pretty awful.  We do display all
* changes, though, for what that's worth.
*
* !!!
* Historic vi was fairly strict about the order of "options", the
* count, and "flags".  I'm somewhat fuzzy on the difference between
* options and flags, anyway, so this is a simpler approach, and we
* just take it them in whatever order the user gives them.  (The ex
* usage statement doesn't reflect this.)
*/
lflag = nflag = pflag = rflag = 0;
if (s == NULL((void *)0))
goto noargs;
for (lno = OOBLNO0; *s != '\0'; ++s)
switch (*s) {
case ' ':
case '\t':
	continue;
case '+':
	++cmdp->flagoff;
	break;
case '-':
	--cmdp->flagoff;
	break;
case '0': case '1': case '2': case '3': case '4':
case '5': case '6': case '7': case '8': case '9':
	if (lno != OOBLNO0)
		goto usage;
	errno(*__errno()) = 0;
	if ((ul = strtoul(s, &s, 10)) >= UINT_MAX(2147483647 *2U +1U))
		errno(*__errno()) = ERANGE34;
	if (*s == '\0')		/* Loop increment correction. */
		--s;
	if (errno(*__errno()) == ERANGE34) {
		if (ul >= UINT_MAX(2147483647 *2U +1U))
			msgq(sp, M_ERR, "Count overflow");
		else
			msgq(sp, M_SYSERR, NULL((void *)0));
		return (1);
	}
	lno = (recno_t)ul;
	/*
	 * In historic vi, the count was inclusive from the
	 * second address.
	 */
	cmdp->addr1.lno = cmdp->addr2.lno;
	cmdp->addr2.lno += lno - 1;
	if (!db_exist(sp, cmdp->addr2.lno) &&
	    db_last(sp, &cmdp->addr2.lno))
		return (1);
	break;
case '#':
	nflag = 1;
	break;
case 'c':
	sp->c_suffix = !sp->c_suffix;

	/* Ex text structure initialization. */
	if (F_ISSET(sp, SC_EX)(((sp)->flags) & ((0x00000001)))) {
		memset(&tiq, 0, sizeof(TEXTH));
		TAILQ_INIT(&tiq)do { (&tiq)->tqh_first = ((void *)0); (&tiq)->tqh_last
 = &(&tiq)->tqh_first; } while (0);
	}
	break;
case 'g':
	sp->g_suffix = !sp->g_suffix;
	break;
case 'l':
	lflag = 1;
	break;
case 'p':
	pflag = 1;
	break;
case 'r':
	if (LF_ISSET(SUB_FIRST)((flags) & ((0x01)))) {
		msgq(sp, M_ERR,
    "Regular expression specified; r flag meaningless");
		return (1);
	}
	if (!F_ISSET(sp, SC_RE_SEARCH)(((sp)->flags) & ((0x00400000)))) {
		ex_emsg(sp, NULL((void *)0), EXM_NOPREVRE);
		return (1);
	}
	rflag = 1;
	re = &sp->re_c;
	break;
default:
	goto usage;
}

if (*s != '\0' || (!rflag && LF_ISSET(SUB_MUSTSETR)((flags) & ((0x02))))) {
464usage:		ex_emsg(sp, cmdp->cmd->usage, EXM_USAGE);
return (1);
}

468noargs:	if (F_ISSET(sp, SC_VI)(((sp)->flags) & ((0x00000002))) && sp->c_suffix && (lflag || nflag || pflag)) {
msgq(sp, M_ERR,
470"The #, l and p flags may not be combined with the c flag in vi mode");
return (1);
}

/*
* bp:		if interactive, line cache
* blen:	if interactive, line cache length
* lb:		build buffer pointer.
* lbclen:	current length of built buffer.
* lblen;	length of build buffer.
*/
bp = lb = NULL((void *)0);
blen = lbclen = lblen = 0;

/* For each line... */
for (matched = quit = 0, lno = cmdp->addr1.lno,
   elno = cmdp->addr2.lno; !quit && lno <= elno; ++lno) {

/* Someone's unhappy, time to stop. */
if (INTERRUPTED(sp)(((((sp)->gp)->flags) & ((0x0004))) || (!v_event_get
((sp), ((void *)0), 0, 0x001) && ((((sp)->gp)->
flags) & ((0x0004))))))
	break;

/* Get the line. */
if (db_get(sp, lno, DBG_FATAL0x001, &s, &llen))
	goto err;

/*
 * Make a local copy if doing confirmation -- when calling
 * the confirm routine we're likely to lose the cached copy.
 */
if (sp->c_suffix) {
	if (bp == NULL((void *)0)) {
		GET_SPACE_RET(sp, bp, blen, llen){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp == ((void *)0) || (((L__gp)->flags) & ((0x0100
)))) { (bp) = ((void *)0); (blen) = 0; { void *L__bincp; if (
((llen)) > ((blen))) { if ((L__bincp = binc(((sp)), ((bp))
, &((blen)), ((llen)))) == ((void *)0)) return (1); ((bp)
) = L__bincp; } }; } else { { void *L__bincp; if (((llen)) >
 (L__gp->tmp_blen)) { if ((L__bincp = binc(((sp)), (L__gp->
tmp_bp), &(L__gp->tmp_blen), ((llen)))) == ((void *)0)
) return (1); (L__gp->tmp_bp) = L__bincp; } }; (bp) = L__gp
->tmp_bp; (blen) = L__gp->tmp_blen; (((L__gp)->flags
) |= ((0x0100))); } };
	} else
		ADD_SPACE_RET(sp, bp, blen, llen){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp != ((void *)0) && (bp) == L__gp->tmp_bp
) { (((L__gp)->flags) &= ~((0x0100))); { void *L__bincp
; if (((llen)) > (L__gp->tmp_blen)) { if ((L__bincp = binc
(((sp)), (L__gp->tmp_bp), &(L__gp->tmp_blen), ((llen
)))) == ((void *)0)) return (1); (L__gp->tmp_bp) = L__bincp
; } }; (bp) = L__gp->tmp_bp; (blen) = L__gp->tmp_blen; (
((L__gp)->flags) |= ((0x0100))); } else { void *L__bincp; if
 (((llen)) > ((blen))) { if ((L__bincp = binc(((sp)), ((bp
)), &((blen)), ((llen)))) == ((void *)0)) return (1); ((bp
)) = L__bincp; } }; };
	memcpy(bp, s, llen);
	s = bp;
}

/* Start searching from the beginning. */
offset = 0;
len = llen;

/* Reset the build buffer offset. */
lbclen = 0;

/* Reset empty match test variable. */
nempty = -1;

/*
 * We don't want to have to do a setline if the line didn't
 * change -- keep track of whether or not this line changed.
 * If doing confirmations, don't want to keep setting the
 * line if change is refused -- keep track of substitutions.
 */
didsub = linechanged = 0;

/* New line, do an EOL match. */
do_eol_match = 1;

/* It's not nul terminated, but we pretend it is. */
eflags = REG_STARTEND00004;

/* The search area is from s + offset to the EOL.  */
534nextmatch:	match[0].rm_so = offset;
match[0].rm_eo = llen;

/* Get the next match. */
eval = regexec(re, (char *)s, 10, match, eflags);

/*
 * There wasn't a match or if there was an error, deal with
 * it.  If there was a previous match in this line, resolve
 * the changes into the database.  Otherwise, just move on.
 */
if (eval == REG_NOMATCH1)
	goto endmatch;
if (eval != 0) {
	re_error(sp, eval, re);
	goto err;
}
matched = 1;

/* Only the first search can match an anchored expression. */
eflags |= REG_NOTBOL00001;

/*
 * !!!
 * It's possible to match 0-length strings -- for example, the
 * command s;a*;X;, when matched against the string "aabb" will
 * result in "XbXbX", i.e. the matches are "aa", the space
 * between the b's and the space between the b's and the end of
 * the string.  There is a similar space between the beginning
 * of the string and the a's.  The rule that we use (because vi
 * historically used it) is that any 0-length match, occurring
 * immediately after a match, is ignored.  Otherwise, the above
 * example would have resulted in "XXbXbX".  Another example is
 * incorrectly using " *" to replace groups of spaces with one
 * space.
 *
 * If the match is empty and at the same place as the end of the
 * previous match, ignore the match and move forward.  If
 * there's no more characters in the string, we were
 * attempting to match after the last character, so quit.
 */
if (match[0].rm_so == nempty && match[0].rm_eo == nempty) {
	nempty = -1;
	if (len == 0)
		goto endmatch;
	BUILD(sp, s + offset, 1){ if (lbclen + (1) > lblen) { lblen += (((lbclen + (1)) >
 (256)) ? (lbclen + (1)) : (256)); { void *tmpp; if (((tmpp) =
 (realloc((lb), (lblen)))) == ((void *)0)) { msgq(((sp)), M_SYSERR
, ((void *)0)); free(lb); } lb = tmpp; }; if (lb == ((void *)
0)) { lbclen = 0; return (1); } } memcpy(lb + lbclen, (s + offset
), (1)); lbclen += (1); }
	++offset;
	--len;
	goto nextmatch;
}

/* Confirm change. */
if (sp->c_suffix) {
	/*
	 * Set the cursor position for confirmation.  Note,
	 * if we matched on a '$', the cursor may be past
	 * the end of line.
	 */
	from.lno = to.lno = lno;
	from.cno = match[0].rm_so;
	to.cno = match[0].rm_eo;
	/*
	 * Both ex and vi have to correct for a change before
	 * the first character in the line.
	 */
	if (llen == 0)
		from.cno = to.cno = 0;
	if (F_ISSET(sp, SC_VI)(((sp)->flags) & ((0x00000002)))) {
		/*
		 * Only vi has to correct for a change after
		 * the last character in the line.
		 *
		 * XXX
		 * It would be nice to change the vi code so
		 * that we could display a cursor past EOL.
		 */
		if (to.cno >= llen)
			to.cno = llen - 1;
		if (from.cno >= llen)
			from.cno = llen - 1;

		sp->lno = from.lno;
		sp->cno = from.cno;
		if (vs_refresh(sp, 1))
			goto err;

		vs_update(sp, "Confirm change? [n]", NULL((void *)0));

		if (v_event_get(sp, &ev, 0, 0))
			goto err;
		switch (ev.e_event) {
		case E_CHARACTER:
			break;
		case E_EOF:
		case E_ERR:
		case E_INTERRUPT:
			goto lquit;
		default:
			v_event_err(sp, &ev);
			goto lquit;
		}
	} else {
		if (ex_print(sp, cmdp, &from, &to, 0) ||
		    ex_scprint(sp, &from, &to))
			goto lquit;
		if (ex_txt(sp, &tiq, 0, TXT_CR0x00000800))
			goto err;
		ev.e_c_u_event._e_ch.c = TAILQ_FIRST(&tiq)((&tiq)->tqh_first)->lb[0];
	}

	switch (ev.e_c_u_event._e_ch.c) {
	case CH_YES'y':
		break;
	default:
	case CH_NO'n':
		didsub = 0;
		BUILD(sp, s + offset, match[0].rm_eo - offset){ if (lbclen + (match[0].rm_eo - offset) > lblen) { lblen +=
 (((lbclen + (match[0].rm_eo - offset)) > (256)) ? (lbclen
 + (match[0].rm_eo - offset)) : (256)); { void *tmpp; if (((tmpp
) = (realloc((lb), (lblen)))) == ((void *)0)) { msgq(((sp)), M_SYSERR
, ((void *)0)); free(lb); } lb = tmpp; }; if (lb == ((void *)
0)) { lbclen = 0; return (1); } } memcpy(lb + lbclen, (s + offset
), (match[0].rm_eo - offset)); lbclen += (match[0].rm_eo - offset
); };
		goto skip;
	case CH_QUIT'q':
		/* Set the quit/interrupted flags. */
654lquit:				quit = 1;
		F_SET(sp->gp, G_INTERRUPTED)(((sp->gp)->flags) |= ((0x0004)));

		/*
		 * Resolve any changes, then return to (and
		 * exit from) the main loop.
		 */
		goto endmatch;
	}
}

/*
 * Set the cursor to the last position changed, converting
 * from 1-based to 0-based.
 */
sp->lno = lno;
sp->cno = match[0].rm_so;

/* Copy the bytes before the match into the build buffer. */
BUILD(sp, s + offset, match[0].rm_so - offset){ if (lbclen + (match[0].rm_so - offset) > lblen) { lblen +=
 (((lbclen + (match[0].rm_so - offset)) > (256)) ? (lbclen
 + (match[0].rm_so - offset)) : (256)); { void *tmpp; if (((tmpp
) = (realloc((lb), (lblen)))) == ((void *)0)) { msgq(((sp)), M_SYSERR
, ((void *)0)); free(lb); } lb = tmpp; }; if (lb == ((void *)
0)) { lbclen = 0; return (1); } } memcpy(lb + lbclen, (s + offset
), (match[0].rm_so - offset)); lbclen += (match[0].rm_so - offset
); };

/* Substitute the matching bytes. */
didsub = 1;
if (re_sub(sp, s, &lb, &lbclen, &lblen, match))
	goto err;

/* Set the change flag so we know this line was modified. */
linechanged = 1;

/* Move past the matched bytes. */
684skip:		offset = match[0].rm_eo;
len = llen - match[0].rm_eo;

/* A match cannot be followed by an empty pattern. */
nempty = match[0].rm_eo;

/*
 * If doing a global change with confirmation, we have to
 * update the screen.  The basic idea is to store the line
 * so the screen update routines can find it, and restart.
 */
if (didsub && sp->c_suffix && sp->g_suffix) {
	/*
	 * The new search offset will be the end of the
	 * modified line.
	 */
	saved_offset = lbclen;

	/* Copy the rest of the line. */
	if (len)
		BUILD(sp, s + offset, len){ if (lbclen + (len) > lblen) { lblen += (((lbclen + (len)
) > (256)) ? (lbclen + (len)) : (256)); { void *tmpp; if (
((tmpp) = (realloc((lb), (lblen)))) == ((void *)0)) { msgq(((
sp)), M_SYSERR, ((void *)0)); free(lb); } lb = tmpp; }; if (lb
 == ((void *)0)) { lbclen = 0; return (1); } } memcpy(lb + lbclen
, (s + offset), (len)); lbclen += (len); }

	/* Set the new offset. */
	offset = saved_offset;

	/* Store inserted lines, adjusting the build buffer. */
	last = 0;
	if (sp->newl_cnt) {
		for (cnt = 0;
		    cnt < sp->newl_cnt; ++cnt, ++lno, ++elno) {
			if (db_insert(sp, lno,
			    lb + last, sp->newl[cnt] - last))
				goto err;
			last = sp->newl[cnt] + 1;
			++sp->rptlines[L_ADDED0];
		}
		lbclen -= last;
		offset -= last;
		sp->newl_cnt = 0;
	}

	/* Store and retrieve the line. */
	if (db_set(sp, lno, lb + last, lbclen))
		goto err;
	if (db_get(sp, lno, DBG_FATAL0x001, &s, &llen))
		goto err;
	ADD_SPACE_RET(sp, bp, blen, llen){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp != ((void *)0) && (bp) == L__gp->tmp_bp
) { (((L__gp)->flags) &= ~((0x0100))); { void *L__bincp
; if (((llen)) > (L__gp->tmp_blen)) { if ((L__bincp = binc
(((sp)), (L__gp->tmp_bp), &(L__gp->tmp_blen), ((llen
)))) == ((void *)0)) return (1); (L__gp->tmp_bp) = L__bincp
; } }; (bp) = L__gp->tmp_bp; (blen) = L__gp->tmp_blen; (
((L__gp)->flags) |= ((0x0100))); } else { void *L__bincp; if
 (((llen)) > ((blen))) { if ((L__bincp = binc(((sp)), ((bp
)), &((blen)), ((llen)))) == ((void *)0)) return (1); ((bp
)) = L__bincp; } }; }
	memcpy(bp, s, llen);
	s = bp;
	len = llen - offset;

	/* Restart the build. */
	lbclen = 0;
	BUILD(sp, s, offset){ if (lbclen + (offset) > lblen) { lblen += (((lbclen + (offset
)) > (256)) ? (lbclen + (offset)) : (256)); { void *tmpp; if
 (((tmpp) = (realloc((lb), (lblen)))) == ((void *)0)) { msgq(
((sp)), M_SYSERR, ((void *)0)); free(lb); } lb = tmpp; }; if (
lb == ((void *)0)) { lbclen = 0; return (1); } } memcpy(lb + lbclen
, (s), (offset)); lbclen += (offset); };

	/*
	 * If we haven't already done the after-the-string
	 * match, do one.  Set REG_NOTEOL so the '$' pattern
	 * only matches once.
	 */
	if (!do_eol_match)
		goto endmatch;
	if (offset == len) {
		do_eol_match = 0;
		eflags |= REG_NOTEOL00002;
	}
	goto nextmatch;
}

/*
 * If it's a global:
 *
 * If at the end of the string, do a test for the after
 * the string match.  Set REG_NOTEOL so the '$' pattern
 * only matches once.
 */
if (sp->g_suffix && do_eol_match) {
	if (len == 0) {
		do_eol_match = 0;
		eflags |= REG_NOTEOL00002;
	}
	goto nextmatch;
}

768endmatch:	if (!linechanged)
	continue;

/* Copy any remaining bytes into the build buffer. */
if (len)
	BUILD(sp, s + offset, len){ if (lbclen + (len) > lblen) { lblen += (((lbclen + (len)
) > (256)) ? (lbclen + (len)) : (256)); { void *tmpp; if (
((tmpp) = (realloc((lb), (lblen)))) == ((void *)0)) { msgq(((
sp)), M_SYSERR, ((void *)0)); free(lb); } lb = tmpp; }; if (lb
 == ((void *)0)) { lbclen = 0; return (1); } } memcpy(lb + lbclen
, (s + offset), (len)); lbclen += (len); }

/* Store inserted lines, adjusting the build buffer. */
last = 0;
if (sp->newl_cnt) {
	for (cnt = 0;
	    cnt < sp->newl_cnt; ++cnt, ++lno, ++elno) {
		if (db_insert(sp,
		    lno, lb + last, sp->newl[cnt] - last))
			goto err;
		last = sp->newl[cnt] + 1;
		++sp->rptlines[L_ADDED0];
	}
	lbclen -= last;
	sp->newl_cnt = 0;
}

/* Store the changed line. */
if (db_set(sp, lno, lb + last, lbclen))
	goto err;

/* Update changed line counter. */
if (sp->rptlchange != lno) {
	sp->rptlchange = lno;
	++sp->rptlines[L_CHANGED1];
}

/*
 * !!!
 * Display as necessary.  Historic practice is to only
 * display the last line of a line split into multiple
 * lines.
 */
if (lflag || nflag || pflag) {
	from.lno = to.lno = lno;
	from.cno = to.cno = 0;
	if (lflag)
		(void)ex_print(sp, cmdp, &from, &to, E_C_LIST0x00400);
	if (nflag)
		(void)ex_print(sp, cmdp, &from, &to, E_C_HASH0x00200);
	if (pflag)
		(void)ex_print(sp, cmdp, &from, &to, E_C_PRINT0x01000);
}
}

/*
* !!!
* Historically, vi attempted to leave the cursor at the same place if
* the substitution was done at the current cursor position.  Otherwise
* it moved it to the first non-blank of the last line changed.  There
* were some problems: for example, :s/$/foo/ with the cursor on the
* last character of the line left the cursor on the last character, or
* the & command with multiple occurrences of the matching string in the
* line usually left the cursor in a fairly random position.
*
* We try to do the same thing, with the exception that if the user is
* doing substitution with confirmation, we move to the last line about
* which the user was consulted, as opposed to the last line that they
* actually changed.  This prevents a screen flash if the user doesn't
* change many of the possible lines.
*/
if (!sp->c_suffix && (sp->lno != slno || sp->cno != scno)) {
sp->cno = 0;
(void)nonblank(sp, sp->lno, &sp->cno);
}

/*
* If not in a global command, and nothing matched, say so.
* Else, if none of the lines displayed, put something up.
*/
rval = 0;
if (!matched) {
if (!F_ISSET(sp, SC_EX_GLOBAL)(((sp)->flags) & ((0x00020000)))) {
	msgq(sp, M_ERR, "No match found");
	goto err;
}
} else if (!lflag && !nflag && !pflag)
F_SET(cmdp, E_AUTOPRINT)(((cmdp)->flags) |= ((0x00000040)));

if (0) {
853err:		rval = 1;
}

if (bp != NULL((void *)0))
FREE_SPACE(sp, bp, blen){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp != ((void *)0) && (bp) == L__gp->tmp_bp
) (((L__gp)->flags) &= ~((0x0100))); else free(bp); };
free(lb);
return (rval);
860}

862/*
* re_compile --
*	Compile the RE.
*
* PUBLIC: int re_compile(SCR *,
* PUBLIC:     char *, size_t, char **, size_t *, regex_t *, u_int);
*/
869int
870re_compile(SCR *sp, char *ptrn, size_t plen, char **ptrnp, size_t *lenp,
  regex_t *rep, u_int flags)
872{
size_t len;
int reflags, replaced, rval;
char *p;

/* Set RE flags. */
reflags = 0;
if (!LF_ISSET(RE_C_TAG)((flags) & ((0x0010)))) {
if (O_ISSET(sp, O_EXTENDED)((((&(((sp)))->opts[(((O_EXTENDED)))])->flags) &
 ((0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_EXTENDED
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_EXTENDED))
)].o_cur.val))
	reflags |= REG_EXTENDED0001;
if (O_ISSET(sp, O_IGNORECASE)((((&(((sp)))->opts[(((O_IGNORECASE)))])->flags) &
 ((0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_IGNORECASE
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_IGNORECASE
)))].o_cur.val))
	reflags |= REG_ICASE0002;
if (O_ISSET(sp, O_ICLOWER)((((&(((sp)))->opts[(((O_ICLOWER)))])->flags) &
 ((0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_ICLOWER
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_ICLOWER)))
].o_cur.val)) {
	for (p = ptrn, len = plen; len > 0; ++p, --len)
		if (isupper(*p))
			break;
	if (len == 0)
		reflags |= REG_ICASE0002;
}
}

/* If we're replacing a saved value, clear the old one. */
if (LF_ISSET(RE_C_SEARCH)((flags) & ((0x0002))) && F_ISSET(sp, SC_RE_SEARCH)(((sp)->flags) & ((0x00400000)))) {
regfree(&sp->re_c);
F_CLR(sp, SC_RE_SEARCH)(((sp)->flags) &= ~((0x00400000)));
}
if (LF_ISSET(RE_C_SUBST)((flags) & ((0x0008))) && F_ISSET(sp, SC_RE_SUBST)(((sp)->flags) & ((0x00800000)))) {
regfree(&sp->subre_c);
F_CLR(sp, SC_RE_SUBST)(((sp)->flags) &= ~((0x00800000)));
}

/*
* If we're saving the string, it's a pattern we haven't seen before,
* so convert the vi-style RE's to POSIX 1003.2 RE's.  Save a copy for
* later recompilation.   Free any previously saved value.
*/
if (ptrnp != NULL((void *)0)) {
if (LF_ISSET(RE_C_TAG)((flags) & ((0x0010)))) {
	if (re_tag_conv(sp, &ptrn, &plen, &replaced))
		return (1);
} else
	if (re_conv(sp, &ptrn, &plen, &replaced))
		return (1);

/* Discard previous pattern. */
free(*ptrnp);
*ptrnp = NULL((void *)0);
if (lenp != NULL((void *)0))
	*lenp = plen;

/*
 * Copy the string into allocated memory.
 *
 * XXX
 * Regcomp isn't 8-bit clean, so the pattern is nul-terminated
 * for now.  There's just no other solution.  
 */
MALLOC(sp, *ptrnp, plen + 1){ if (((*ptrnp) = malloc(plen + 1)) == ((void *)0)) msgq((sp)
, M_SYSERR, ((void *)0)); };
if (*ptrnp != NULL((void *)0)) {
	memcpy(*ptrnp, ptrn, plen);
	(*ptrnp)[plen] = '\0';
}

/* Free up conversion-routine-allocated memory. */
if (replaced)
	FREE_SPACE(sp, ptrn, 0){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp != ((void *)0) && (ptrn) == L__gp->tmp_bp
) (((L__gp)->flags) &= ~((0x0100))); else free(ptrn); };

if (*ptrnp == NULL((void *)0))
	return (1);

ptrn = *ptrnp;
}

/*
* XXX
* Regcomp isn't 8-bit clean, so we just lost if the pattern
* contained a nul.  Bummer!
*/
if ((rval = regcomp(rep, ptrn, /* plen, */ reflags)) != 0) {
if (!LF_ISSET(RE_C_SILENT)((flags) & ((0x0004))))
	re_error(sp, rval, rep); 
return (1);
}

if (LF_ISSET(RE_C_SEARCH)((flags) & ((0x0002))))
F_SET(sp, SC_RE_SEARCH)(((sp)->flags) |= ((0x00400000)));
if (LF_ISSET(RE_C_SUBST)((flags) & ((0x0008))))
F_SET(sp, SC_RE_SUBST)(((sp)->flags) |= ((0x00800000)));

return (0);
962}

964/*
* re_conv --
*	Convert vi's regular expressions into something that the
*	the POSIX 1003.2 RE functions can handle.
*
* There are two conversions we make to make vi's RE's (specifically
* the global, search, and substitute patterns) work with POSIX RE's.
* We assume that \<ptrn\> does "word" searches, which is non-standard
* but supported by most regexp libraries..
*
* 1: If O_MAGIC is not set, strip backslashes from the magic character
*    set (.[*~) that have them, and add them to the ones that don't.
* 2: If O_MAGIC is not set, the string "\~" is replaced with the text
*    from the last substitute command's replacement string.  If O_MAGIC
*    is set, it's the string "~".
*
* !!!/XXX
* This doesn't exactly match the historic behavior of vi because we do
* the ~ substitution before calling the RE engine, so magic characters
* in the replacement string will be expanded by the RE engine, and they
* weren't historically.  It's a bug.
*/
986static int
987re_conv(SCR *sp, char **ptrnp, size_t *plenp, int *replacedp)
988{
size_t blen, len, needlen;
int magic;
char *bp, *p, *t;

/*
* First pass through, we figure out how much space we'll need.
* We do it in two passes, on the grounds that most of the time
* the user is doing a search and won't have magic characters.
* That way we can skip most of the memory allocation and copies.
*/
magic = 0;
for (p = *ptrnp, len = *plenp, needlen = 0; len > 0; ++p, --len)
switch (*p) {
case '\\':
	if (len > 1) {
		--len;
		switch (*++p) {
		case '~':
			if (!O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val)) {
				magic = 1;
				needlen += sp->repl_len;
			}
			break;
		case '.':
		case '[':
		case '*':
			if (!O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val)) {
				magic = 1;
				needlen += 1;
			}
			break;
		default:
			needlen += 2;
		}
	} else
		needlen += 1;
	break;
case '~':
	if (O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val)) {
		magic = 1;
		needlen += sp->repl_len;
	}
	break;
case '.':
case '[':
case '*':
	if (!O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val)) {
		magic = 1;
		needlen += 2;
	}
	break;
default:
	needlen += 1;
	break;
}

if (!magic) {
*replacedp = 0;
return (0);
}

/* Get enough memory to hold the final pattern. */
*replacedp = 1;
GET_SPACE_RET(sp, bp, blen, needlen){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp == ((void *)0) || (((L__gp)->flags) & ((0x0100
)))) { (bp) = ((void *)0); (blen) = 0; { void *L__bincp; if (
((needlen)) > ((blen))) { if ((L__bincp = binc(((sp)), ((bp
)), &((blen)), ((needlen)))) == ((void *)0)) return (1); (
(bp)) = L__bincp; } }; } else { { void *L__bincp; if (((needlen
)) > (L__gp->tmp_blen)) { if ((L__bincp = binc(((sp)), (
L__gp->tmp_bp), &(L__gp->tmp_blen), ((needlen)))) ==
 ((void *)0)) return (1); (L__gp->tmp_bp) = L__bincp; } };
 (bp) = L__gp->tmp_bp; (blen) = L__gp->tmp_blen; (((L__gp
)->flags) |= ((0x0100))); } };

for (p = *ptrnp, len = *plenp, t = bp; len > 0; ++p, --len)
switch (*p) {
case '\\':
	if (len > 1) {
		--len;
		switch (*++p) {
		case '~':
			if (O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val))
				*t++ = '~';
			else {
				memcpy(t,
				    sp->repl, sp->repl_len);
				t += sp->repl_len;
			}
			break;
		case '.':
		case '[':
		case '*':
			if (O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val))
				*t++ = '\\';
			*t++ = *p;
			break;
		default:
			*t++ = '\\';
			*t++ = *p;
		}
	} else
		*t++ = '\\';
	break;
case '~':
	if (O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val)) {
		memcpy(t, sp->repl, sp->repl_len);
		t += sp->repl_len;
	} else
		*t++ = '~';
	break;
case '.':
case '[':
case '*':
	if (!O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val))
		*t++ = '\\';
	*t++ = *p;
	break;
default:
	*t++ = *p;
	break;
}

*ptrnp = bp;
*plenp = t - bp;
return (0);
1105}

1107/*
* re_tag_conv --
*	Convert a tags search path into something that the POSIX
*	1003.2 RE functions can handle.
*/
1112static int
1113re_tag_conv(SCR *sp, char **ptrnp, size_t *plenp, int *replacedp)
1114{
size_t blen, len;
int lastdollar;
char *bp, *p, *t;

len = *plenp;

/* Max memory usage is 2 times the length of the string. */
*replacedp = 1;
GET_SPACE_RET(sp, bp, blen, len * 2){ GS *L__gp = (sp) == ((void *)0) ? ((void *)0) : (sp)->gp
; if (L__gp == ((void *)0) || (((L__gp)->flags) & ((0x0100
)))) { (bp) = ((void *)0); (blen) = 0; { void *L__bincp; if (
((len * 2)) > ((blen))) { if ((L__bincp = binc(((sp)), ((bp
)), &((blen)), ((len * 2)))) == ((void *)0)) return (1); (
(bp)) = L__bincp; } }; } else { { void *L__bincp; if (((len *
 2)) > (L__gp->tmp_blen)) { if ((L__bincp = binc(((sp))
, (L__gp->tmp_bp), &(L__gp->tmp_blen), ((len * 2)))
) == ((void *)0)) return (1); (L__gp->tmp_bp) = L__bincp; }
 }; (bp) = L__gp->tmp_bp; (blen) = L__gp->tmp_blen; (((
L__gp)->flags) |= ((0x0100))); } };

p = *ptrnp;
t = bp;

/* If the last character is a '/' or '?', we just strip it. */
if (len > 0 && (p[len - 1] == '/' || p[len - 1] == '?'))
--len;

/* If the next-to-last or last character is a '$', it's magic. */
if (len > 0 && p[len - 1] == '$') {
--len;
lastdollar = 1;
} else
lastdollar = 0;

/* If the first character is a '/' or '?', we just strip it. */
if (len > 0 && (p[0] == '/' || p[0] == '?')) {
++p;
--len;
}

/* If the first or second character is a '^', it's magic. */
if (p[0] == '^') {
*t++ = *p++;
--len;
}

/*
* Escape every other magic character we can find, meanwhile stripping
* the backslashes ctags inserts when escaping the search delimiter
* characters.
*/
for (; len > 0; --len) {
if (p[0] == '\\' && (p[1] == '/' || p[1] == '?')) {
	++p;
	--len;
} else if (strchr("^.[]$*", p[0]))
	*t++ = '\\';
*t++ = *p++;
if (len == 0)
	break;
}
if (lastdollar)
*t++ = '$';

*ptrnp = bp;
*plenp = t - bp;
return (0);
1172}

1174/*
* re_error --
*	Report a regular expression error.
*
* PUBLIC: void re_error(SCR *, int, regex_t *);
*/
1180void
1181re_error(SCR *sp, int errcode, regex_t *preg)
1182{
size_t s;
char *oe;

s = regerror(errcode, preg, "", 0);
if ((oe = malloc(s)) == NULL((void *)0))
msgq(sp, M_SYSERR, NULL((void *)0));
else {
(void)regerror(errcode, preg, oe, s);
msgq(sp, M_ERR, "RE error: %s", oe);
free(oe);
}
1194}

1196/*
* re_sub --
* 	Do the substitution for a regular expression.
*/
1200static int
1201re_sub(SCR *sp, char *ip, char **lbp, size_t *lbclenp, size_t *lblenp,
  regmatch_t match[10])
1203{
enum { C_NOTSET, C_LOWER, C_ONELOWER, C_ONEUPPER, C_UPPER } conv;
size_t lbclen, lblen;		/* Local copies. */
size_t mlen;			/* Match length. */
size_t rpl;			/* Remaining replacement length. */
char *rp;			/* Replacement pointer. */
int ch;
int no;				/* Match replacement offset. */
char *p, *t;			/* Buffer pointers. */
char *lb;			/* Local copies. */

lb = *lbp;			/* Get local copies. */
lbclen = *lbclenp;
lblen = *lblenp;

/*
* QUOTING NOTE:
*
* There are some special sequences that vi provides in the
* replacement patterns.
*	 & string the RE matched (\& if nomagic set)
*	\# n-th regular subexpression
*	\E end \U, \L conversion
*	\e end \U, \L conversion
*	\l convert the next character to lower-case
*	\L convert to lower-case, until \E, \e, or end of replacement
*	\u convert the next character to upper-case
*	\U convert to upper-case, until \E, \e, or end of replacement
*
* Otherwise, since this is the lowest level of replacement, discard
* all escaping characters.  This (hopefully) matches historic practice.
*/
1235#define	OUTCH(ch, nltrans){ CHAR_T __ch = (ch); u_int __value = ((unsigned char)(__ch) <=
? (sp)->gp->special_key[(unsigned char)(__ch)] : (
unsigned char)(__ch) > (sp)->gp->max_special ? 0 : v_key_val
((sp),(__ch))); if ((nltrans) && (__value == K_CR || __value
 == K_NL)) { { if ((sp)->newl_len == (sp)->newl_cnt) { (
sp)->newl_len += 25; { void *tmpp; if (((tmpp) = (reallocarray
(((sp)->newl), ((sp)->newl_len), (sizeof(size_t))))) ==
 ((void *)0)) { msgq(((sp)), M_SYSERR, ((void *)0)); free((sp
)->newl); } (sp)->newl = tmpp; }; if ((sp)->newl == (
(void *)0)) { (sp)->newl_len = 0; return (1); } } }; sp->
newl[sp->newl_cnt++] = lbclen; } else if (conv != C_NOTSET
) { switch (conv) { case C_ONELOWER: conv = C_NOTSET; case C_LOWER
: if (isupper(__ch)) __ch = tolower(__ch); break; case C_ONEUPPER
: conv = C_NOTSET; case C_UPPER: if (islower(__ch)) __ch = toupper
(__ch); break; default: abort(); } } { if (lbclen + (1) > lblen
) { lblen += (((lbclen + (1)) > (256)) ? (lbclen + (1)) : (
256)); { void *tmpp; if (((tmpp) = (realloc((lb), (lblen)))) ==
 ((void *)0)) { msgq(((sp)), M_SYSERR, ((void *)0)); free(lb)
; } lb = tmpp; }; if (lb == ((void *)0)) { lbclen = 0; return
 (1); } (p) = lb + lbclen; } }; *p++ = __ch; ++lbclen; } {						\
CHAR_T __ch = (ch);						\
u_int __value = KEY_VAL(sp, __ch)((unsigned char)(__ch) <= 254 ? (sp)->gp->special_key
[(unsigned char)(__ch)] : (unsigned char)(__ch) > (sp)->
gp->max_special ? 0 : v_key_val((sp),(__ch)));				\
if ((nltrans) && (__value == K_CR || __value == K_NL)) {	\
NEEDNEWLINE(sp){ if ((sp)->newl_len == (sp)->newl_cnt) { (sp)->newl_len
 += 25; { void *tmpp; if (((tmpp) = (reallocarray(((sp)->newl
), ((sp)->newl_len), (sizeof(size_t))))) == ((void *)0)) {
 msgq(((sp)), M_SYSERR, ((void *)0)); free((sp)->newl); } (
sp)->newl = tmpp; }; if ((sp)->newl == ((void *)0)) { (
sp)->newl_len = 0; return (1); } } };					\
sp->newl[sp->newl_cnt++] = lbclen;			\
} else if (conv != C_NOTSET) {					\
switch (conv) {						\
case C_ONELOWER:					\
	conv = C_NOTSET;				\
	/* FALLTHROUGH */				\
case C_LOWER:						\
	if (isupper(__ch))				\
		__ch = tolower(__ch);			\
	break;						\
case C_ONEUPPER:					\
	conv = C_NOTSET;				\
	/* FALLTHROUGH */				\
case C_UPPER:						\
	if (islower(__ch))				\
		__ch = toupper(__ch);			\
	break;						\
default:						\
	abort();					\
}							\
}								\
NEEDSP(sp, 1, p){ if (lbclen + (1) > lblen) { lblen += (((lbclen + (1)) >
 (256)) ? (lbclen + (1)) : (256)); { void *tmpp; if (((tmpp) =
 (realloc((lb), (lblen)))) == ((void *)0)) { msgq(((sp)), M_SYSERR
, ((void *)0)); free(lb); } lb = tmpp; }; if (lb == ((void *)
0)) { lbclen = 0; return (1); } (p) = lb + lbclen; } };						\
*p++ = __ch;							\
++lbclen;							\
1264}
conv = C_NOTSET;
for (rp = sp->repl, rpl = sp->repl_len, p = lb + lbclen; rpl--;) {
switch (ch = *rp++) {
case '&':
	if (O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val)) {
		no = 0;
		goto subzero;
	}
	break;
case '\\':
	if (rpl == 0)
		break;
	--rpl;
	switch (ch = *rp) {
	case '&':
		++rp;
		if (!O_ISSET(sp, O_MAGIC)((((&(((sp)))->opts[(((O_MAGIC)))])->flags) & (
(0x01))) ? (((sp)))->gp->opts[(((sp)))->opts[(((O_MAGIC
)))].o_cur.val].o_cur.val : (((sp)))->opts[(((O_MAGIC)))].
o_cur.val)) {
			no = 0;
			goto subzero;
		}
		break;
	case '0': case '1': case '2': case '3': case '4':
	case '5': case '6': case '7': case '8': case '9':
		no = *rp++ - '0';
1289subzero:			if (match[no].rm_so == -1 ||
	    	    match[no].rm_eo == -1)
			break;
		mlen = match[no].rm_eo - match[no].rm_so;
		for (t = ip + match[no].rm_so; mlen--; ++t)
			OUTCH(*t, 0){ CHAR_T __ch = (*t); u_int __value = ((unsigned char)(__ch) <=
? (sp)->gp->special_key[(unsigned char)(__ch)] : (
unsigned char)(__ch) > (sp)->gp->max_special ? 0 : v_key_val
((sp),(__ch))); if ((0) && (__value == K_CR || __value
 == K_NL)) { { if ((sp)->newl_len == (sp)->newl_cnt) { (
sp)->newl_len += 25; { void *tmpp; if (((tmpp) = (reallocarray
(((sp)->newl), ((sp)->newl_len), (sizeof(size_t))))) ==
 ((void *)0)) { msgq(((sp)), M_SYSERR, ((void *)0)); free((sp
)->newl); } (sp)->newl = tmpp; }; if ((sp)->newl == (
(void *)0)) { (sp)->newl_len = 0; return (1); } } }; sp->
newl[sp->newl_cnt++] = lbclen; } else if (conv != C_NOTSET
) { switch (conv) { case C_ONELOWER: conv = C_NOTSET; case C_LOWER
: if (isupper(__ch)) __ch = tolower(__ch); break; case C_ONEUPPER
: conv = C_NOTSET; case C_UPPER: if (islower(__ch)) __ch = toupper
(__ch); break; default: abort(); } } { if (lbclen + (1) > lblen
) { lblen += (((lbclen + (1)) > (256)) ? (lbclen + (1)) : (
256)); { void *tmpp; if (((tmpp) = (realloc((lb), (lblen)))) ==
 ((void *)0)) { msgq(((sp)), M_SYSERR, ((void *)0)); free(lb)
; } lb = tmpp; }; if (lb == ((void *)0)) { lbclen = 0; return
 (1); } (p) = lb + lbclen; } }; *p++ = __ch; ++lbclen; };
		continue;
	case 'e':
	case 'E':
		++rp;
		conv = C_NOTSET;
		continue;
	case 'l':
		++rp;
		conv = C_ONELOWER;
		continue;
	case 'L':
		++rp;
		conv = C_LOWER;
		continue;
	case 'u':
		++rp;
		conv = C_ONEUPPER;
		continue;
	case 'U':
		++rp;
		conv = C_UPPER;
		continue;
	default:
		++rp;
		break;
	}
}
OUTCH(ch, 1){ CHAR_T __ch = (ch); u_int __value = ((unsigned char)(__ch) <=
? (sp)->gp->special_key[(unsigned char)(__ch)] : (
unsigned char)(__ch) > (sp)->gp->max_special ? 0 : v_key_val
((sp),(__ch))); if ((1) && (__value == K_CR || __value
 == K_NL)) { { if ((sp)->newl_len == (sp)->newl_cnt) { (
sp)->newl_len += 25; { void *tmpp; if (((tmpp) = (reallocarray
(((sp)->newl), ((sp)->newl_len), (sizeof(size_t))))) ==
 ((void *)0)) { msgq(((sp)), M_SYSERR, ((void *)0)); free((sp
)->newl); } (sp)->newl = tmpp; }; if ((sp)->newl == (
(void *)0)) { (sp)->newl_len = 0; return (1); } } }; sp->
newl[sp->newl_cnt++] = lbclen; } else if (conv != C_NOTSET
) { switch (conv) { case C_ONELOWER: conv = C_NOTSET; case C_LOWER
: if (isupper(__ch)) __ch = tolower(__ch); break; case C_ONEUPPER
: conv = C_NOTSET; case C_UPPER: if (islower(__ch)) __ch = toupper
(__ch); break; default: abort(); } } { if (lbclen + (1) > lblen
) { lblen += (((lbclen + (1)) > (256)) ? (lbclen + (1)) : (
256)); { void *tmpp; if (((tmpp) = (realloc((lb), (lblen)))) ==
 ((void *)0)) { msgq(((sp)), M_SYSERR, ((void *)0)); free(lb)
; } lb = tmpp; }; if (lb == ((void *)0)) { lbclen = 0; return
 (1); } (p) = lb + lbclen; } }; *p++ = __ch; ++lbclen; };
}

*lbp = lb;			/* Update caller's information. */
*lbclenp = lbclen;
*lblenp = lblen;
return (0);
1329}