stdcxx-dev  

rw_match can access memory after the end of the string buffer

Farid Zaripov
Tue, 04 Jul 2006 09:20:57 -0700

I found that the rw_match function can access memory after the end of the string buffer.

It calls __rw_get_char to get the last character, and this function reads a character after the end of the string buffer:

char.cpp line 534:
    if ('<' == char (ch) && 'U' == src [0] && isxdigit (src [1])) {

char.cpp line 548:
    if ('@' == src [0] && isdigit (src [1])) {

src [0] is the place of the failure.

I attached a test to illustrate this problem, but it will work on the MSVC/Windows platform only (it uses MSVC-specific keywords).

Farid.

#include <excpt.h>      // for EXCEPTION_EXECUTE_HANDLER, __try/__except (MSVC SEH)

#include <cstddef>      // for std::size_t
#include <cstring>      // for std::memset ()
#include <cassert>      // for assert ()

#include <rw_char.h>    // for rw_match ()

const std::size_t PAGE_SIZE = 4096;

// put the buffer in its own read/write section so that it fills a whole page;
// the intent is that reading fail [PAGE_SIZE] faults instead of silently
// picking up a neighbouring object
#pragma section("fail", read, write)

__declspec(allocate("fail"))
char fail[PAGE_SIZE];

// returns false if rw_match () raised an access violation while scanning fail
bool do_test()
{
    bool success = true;

    __try
    {
        // compare the buffer against itself; the result is computed outside
        // assert () so the call is not compiled out under NDEBUG
        const std::size_t n = rw_match (fail, fail, sizeof(fail));
        assert (sizeof(fail) == n);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        success = false;
    }

    return success;
}

int main (int argc, char *argv[])
{
    // plain characters: no lookahead, expected to pass
    std::memset (fail, ' ', sizeof(fail));
    bool ok = do_test ();
    assert (ok);

    // every character is '<', so __rw_get_char looks ahead for 'U' after the
    // last one and reads past the end of the buffer
    std::memset (fail, '<', sizeof(fail));
    ok = do_test ();
    assert (ok);

    return 0;
}
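The bounds-checked lookahead this report calls for, shown as an added C++ illustration rather than stdcxx's own __rw_get_char or rw_match: the decoder takes an explicit end pointer and only inspects src [1], src [2] and the closing '>' when they lie inside [src, end). The escape syntax ("<Uxxxx>" for a hex code point, a trailing "@N" repeat count), the names get_char_checked and count_chars, and the sample inputs are assumptions made up for this example, modelled on the two lines quoted above.

```cpp
#include <cassert>
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <cstring>

// Hypothetical decoder added for this thread; not stdcxx's __rw_get_char.
// Result of decoding one (possibly escaped) character.
struct DecodedChar {
    unsigned long value;   // decoded character or code point
    unsigned long repeat;  // repeat count, 1 unless an "@N" suffix followed
};

static bool is_xdigit(char c) { return std::isxdigit(static_cast<unsigned char>(c)) != 0; }
static bool is_digit(char c)  { return std::isdigit(static_cast<unsigned char>(c)) != 0; }

// Decodes one character from the half-open range [src, end) without ever
// dereferencing `end` or anything past it. Returns bytes consumed, 0 at end.
std::size_t get_char_checked(const char* src, const char* end, DecodedChar& out)
{
    const char* p = src;
    if (p >= end)
        return 0;

    out.value  = static_cast<unsigned char>(*p);
    out.repeat = 1;

    // "<Uxxxx>": only attempt the escape when "<U" plus at least one hex digit
    // fits inside the buffer. This length check is what the quoted code lacks
    // when it reads src [0] and src [1] after the last character.
    if ('<' == *p && end - p >= 3 && 'U' == p[1] && is_xdigit(p[2])) {
        unsigned long cp = 0;
        const char* q = p + 2;
        while (q < end && is_xdigit(*q)) {
            const char c = *q++;
            cp = cp * 16 + (is_digit(c) ? c - '0'
                                        : std::tolower(static_cast<unsigned char>(c)) - 'a' + 10);
        }
        if (q < end && '>' == *q) {      // closing '>' must also be in range
            out.value = cp;
            p = q + 1;
        }
        else {
            p = src + 1;                 // malformed escape: '<' is a literal
        }
    }
    else {
        p = src + 1;
    }

    // Optional "@N" repeat suffix: both the '@' and a digit must be in range.
    if (end - p >= 2 && '@' == p[0] && is_digit(p[1])) {
        unsigned long n = 0;
        const char* q = p + 1;
        while (q < end && is_digit(*q))
            n = n * 10 + (*q++ - '0');
        out.repeat = n;
        p = q;
    }

    return static_cast<std::size_t>(p - src);
}

// Counts the logical characters in buf [0, len), expanding escapes and repeats.
unsigned long count_chars(const char* buf, std::size_t len)
{
    unsigned long total = 0;
    const char* const end = buf + len;
    DecodedChar dc;
    for (std::size_t n; (n = get_char_checked(buf, end, dc)) != 0; buf += n)
        total += dc.repeat;
    return total;
}

int main()
{
    // Constructed inputs. In the second case the bytes beyond the passed length
    // spell a valid escape, so a decoder that peeks past `end` would consume it;
    // this one must treat the final '<' as a literal and stop at `end`.
    const char escaped[]  = "a<U0041>@3b";
    const char trailing[] = "ab<U0041>";
    std::printf("%lu %lu\n", count_chars(escaped, std::strlen(escaped)),
                count_chars(trailing, 3));
    return 0;
}
```

The second input is the interesting one: with the length cut to 3 the decoder sees "ab<" and the '<' is reported as a plain character, because end - p is 1 and the escape test is never entered. A version that tested 'U' == src [0] before checking the remaining length would read the 'U' that sits past the caller's end and produce a different count.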