author | John Lightsey <john@04755.net> | 2020-08-28 23:39:18 -0500 |
---|---|---|
committer | Steve Hay <steve.m.hay@googlemail.com> | 2020-12-26 15:18:23 +0000 |
commit | e744a81b1cb8f9a3df9a4cd784cb2b74d256441a (patch) | |
tree | 137286875562315807d3e91ac169104145f19ef1 | |
parent | 13ff09012aabaced8a0a0fab40f3c3db32673922 (diff) | |
Heap buffer overflow in regex bracket group whitespace handling
The code for skipping whitespace in regex bracket character groups
was walking past the end of the regex in some cases.
(cherry picked from commit 90f66c42e4513ae5d907805fbf28b9967a90d6c5)
-rw-r--r-- | regcomp.c | 16 |
1 files changed, 8 insertions, 8 deletions
@@ -17252,10 +17252,10 @@ S_add_multi_match(pTHX_ AV* multi_char_matches, SV* multi_string, const STRLEN c
 *
 * There is a line below that uses the same white space criteria but is outside
 * this macro. Both here and there must use the same definition */
-#define SKIP_BRACKETED_WHITE_SPACE(do_skip, p) \
+#define SKIP_BRACKETED_WHITE_SPACE(do_skip, p, stop_p) \
 STMT_START { \
 if (do_skip) { \
- while (isBLANK_A(UCHARAT(p))) \
+ while (p < stop_p && isBLANK_A(UCHARAT(p))) \
 { \
 p++; \
 } \
@@ -17431,7 +17431,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 initial_listsv_len = SvCUR(listsv);
 SvTEMP_off(listsv); /* Grr, TEMPs and mortals are conflated. */
- SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
+ SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
 assert(RExC_parse <= RExC_end);
@@ -17440,7 +17440,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 invert = TRUE;
 allow_mutiple_chars = FALSE;
 MARK_NAUGHTY(1);
- SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
+ SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
 }
 /* Check that they didn't say [:posix:] instead of [[:posix:]] */
@@ -17487,12 +17487,12 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 output_posix_warnings(pRExC_state, posix_warnings);
 }
+ SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
+
 if (RExC_parse >= stop_ptr) {
 break;
 }
- SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
-
 if (UCHARAT(RExC_parse) == ']') {
 break;
 }
@@ -18181,7 +18181,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 }
 } /* end of namedclass \blah */
- SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
+ SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
 /* If 'range' is set, 'value' is the ending of a range--check its
 * validity. (If value isn't a single code point in the case of a
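Review bot: The new bound in `while (p < stop_p && isBLANK_A(UCHARAT(p)))` uses the macro arguments unparenthesized, so an expression passed as `p` or `stop_p` could bind differently than intended; `while ((p) < (stop_p) && isBLANK_A(UCHARAT(p)))` is the safer spelling. The comment above the macro, which begins outside this hunk, says a line further down applies the same white-space criteria outside the macro; that line is not touched by this diff, so it is worth confirming it is also bounded by the end of the pattern. The macro's comment should also say that `stop_p` is one past the last byte that may be examined and that `p` can be left equal to it on return.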
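Review bot: In the hunk at 17487 the skip is moved ahead of `if (RExC_parse >= stop_ptr)` so that the end test sees the position after trailing blanks, but nothing in the code records why the order matters. A comment such as `/* Skip blanks first so the end-of-input test below sees the final position */` would keep a later edit from moving the call back under the test. The skip is bounded by `RExC_end` while the test compares against `stop_ptr`; whether the two can differ is not visible here, and if they can, the comment should say that the `>=` comparison is what covers overshoot. The enclosing loop starts and ends outside the hunk, and the diffstat lists only regcomp.c, so no regression test for the out-of-bounds read accompanies the fix in this commit.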
@@ -18224,7 +18224,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 char* next_char_ptr = RExC_parse + 1;
 /* Get the next real char after the '-' */
- SKIP_BRACKETED_WHITE_SPACE(skip_white, next_char_ptr);
+ SKIP_BRACKETED_WHITE_SPACE(skip_white, next_char_ptr, RExC_end);
 /* If the '-' is at the end of the class (just before the ']',
 * it is a literal minus; otherwise it is a range */ |
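Review bot: With the bounded macro, `next_char_ptr` can now be left equal to `RExC_end`, so whatever follows the "If the '-' is at the end of the class" comment has to test `next_char_ptr < RExC_end` before it reads `*next_char_ptr`. That code lies outside the hunk, so the diff alone does not show whether the check exists. If it does, extending the comment to say that reaching `RExC_end` is treated like the literal-minus case would make the invariant explicit; if it does not, the read at the end pointer still relies on the pattern buffer being NUL-terminated.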