author | Tony Cook <tony@develop-help.com> | 2016-03-07 14:58:38 +1100
---|---|---
committer | Tony Cook <tony@develop-help.com> | 2016-03-07 14:58:38 +1100
commit | 2dc40b2d7c20b0d31c4343ac23cda9799f234a65 (patch) |
tree | 6e7027c9da0eadbcf1633932ad9a056161a8e24a |
parent | 2aade621bf201fa22109ff80547965dc87cfe466 (diff) |
download | perl-2dc40b2d7c20b0d31c4343ac23cda9799f234a65.tar.gz |
avoid reading/writing beyond the end of RExC_(open|close)_parens
Partly reverts d5a00e4af, which added this change:
- for ( paren=0 ; paren < RExC_npar ; paren++ ) {
+ for ( paren=0 ; paren <= RExC_npar ; paren++ ) {
but RExC_(open|close)_parens are both allocated with RExC_npar entries,
making this a read/write buffer overflow.
This caused crashes during the build with GCC on Win32, and was
detectable with valgrind and -fsanitize=address on Linux.
With the change, passes all tests with -fsanitize=address -DDEBUGGING
on Linux and finishes the build with GCC on Win32.
-rw-r--r-- | regcomp.c | 2 |
1 files changed, 1 insertions, 1 deletions
@@ -18214,7 +18214,7 @@ S_reginsert(pTHX_ RExC_state_t *pRExC_state, U8 op, regnode *opnd, U32 depth) if (RExC_open_parens) { int paren; /*DEBUG_PARSE_FMT("inst"," - %"IVdf, (IV)RExC_npar);*/ - for ( paren=0 ; paren <= RExC_npar ; paren++ ) { + for ( paren=0 ; paren < RExC_npar ; paren++ ) { if ( RExC_open_parens[paren] >= opnd ) { /*DEBUG_PARSE_FMT("open"," - %d",size);*/ RExC_open_parens[paren] += size; |
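Review bot: the visible context of this hunk only shows the `RExC_open_parens[paren]` adjustment, while the commit message says both `RExC_open_parens` and `RExC_close_parens` are allocated with `RExC_npar` entries and the diffstat reports a single changed line; please confirm the `RExC_close_parens` update lives in the body of this same loop (below the seven lines of context shown) rather than in a separate loop that still iterates with `<=` and would keep the one-past-the-end read/write. Since the bound was already flipped once by d5a00e4af, it would also help to document the invariant at the loop, e.g. a comment on the line before `for ( paren=0 ; paren < RExC_npar ; paren++ ) {` stating that both arrays hold exactly `RExC_npar` elements (valid indices `0 .. RExC_npar-1`), and, given the message notes the overflow was only caught by valgrind and `-fsanitize=address`, consider keeping an ASan build in the regular test matrix so a recurrence is detected rather than surfacing as a Win32 build crash.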