diff options
| author | Karl Williamson <khw@cpan.org> | 2019-08-24 19:17:19 -0600 |
|---|---|---|
| committer | Steve Hay <steve.m.hay@googlemail.com> | 2019-10-21 12:43:00 +0100 |
| commit | 4c5cad97bc65b21a443374b696d584d48abf4bd1 (patch) | |
| tree | de1c5c8a180acae7894a86f4a3918976ba57e8c2 | |
| parent | 4c4afdce4248c62a4372ba2a46b14272a60b5a90 (diff) | |
| download | perl-4c5cad97bc65b21a443374b696d584d48abf4bd1.tar.gz | |
PATCH: [perl #134325] Heap buffer overflow
This was the result of trying to continue to parse after realizing that
we were going to have to reparse using long jumps. This continuing only
happened when we realized we were going to have to reparse in order to
count parentheses anyway, and it was an attempt to save a pass in the
regex compiler, as without doing the continuing we'd restart the parse
to use long jumps from the beginning, and then when finished, would
restart the parse to count the parentheses.
However, in most cases this doesn't help, as when we get towards the end
of the parse (as in the test case in this ticket), we need the long
jump, and will segfault because we don't have it. So we need the extra
pass anyway.
So this commit restarts the parse as soon as we discover we are going to
need longjumps
(cherry picked from commit 439a3bfe85749ea9eca31372daec5705acaa3db1)
| -rw-r--r-- | regcomp.c | 8 | ||||
| -rw-r--r-- | t/re/pat.t | 14 |
2 files changed, 14 insertions, 8 deletions
@@ -369,12 +369,8 @@ struct RExC_state_t { #define REQUIRE_BRANCHJ(flagp, restart_retval) \ STMT_START { \ RExC_use_BRANCHJ = 1; \ - if (LIKELY(! IN_PARENS_PASS)) { \ - /* No need to restart the parse immediately if we're \ - * going to reparse anyway to count parens */ \ - *flagp |= RESTART_PARSE; \ - return restart_retval; \ - } \ + *flagp |= RESTART_PARSE; \ + return restart_retval; \ } STMT_END /* Until we have completed the parse, we leave RExC_total_parens at 0 or diff --git a/t/re/pat.t b/t/re/pat.t index e54affcd94..6a868f4bcd 100644 --- a/t/re/pat.t +++ b/t/re/pat.t @@ -25,7 +25,7 @@ BEGIN { skip_all('no re module') unless defined &DynaLoader::boot_DynaLoader; skip_all_without_unicode_tables(); -plan tests => 863; # Update this when adding/deleting tests. +plan tests => 864; # Update this when adding/deleting tests. run_tests() unless caller; @@ -33,7 +33,6 @@ run_tests() unless caller; # Tests start here. # sub run_tests { - my $sharp_s = uni_to_native("\xdf"); { @@ -2105,6 +2104,17 @@ x{0c!}\;\;îçÿ eval $z;:, "", {}, 'foo'); } + { # [perl #134325] + my $quote="\\Q"; + my $back="\\\\"; + my $ff="\xff"; + my $s = sprintf "/\\1|(|%s)%s%s /i", + $quote x 8 . $back x 69, + $quote x 5 . $back x 4, + $ff x 48; + like(runperl(prog => "$s", stderr => 1), qr/Unmatched \(/); + } + } # End of sub run_tests 1; |