summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorKarl Williamson <khw@cpan.org>2019-02-16 11:11:59 -0700
committerKarl Williamson <khw@cpan.org>2019-02-16 11:21:51 -0700
commitc2d81cfd08d9a622c639058cd7eb870aa0991937 (patch)
tree8426ad3e58fbdddecab7aea51ee7a462a0ed82e4
parent75451d8cc625c69a543f2bacf2312d369f8855ae (diff)
downloadperl-c2d81cfd08d9a622c639058cd7eb870aa0991937.tar.gz
PATCH: [perl #133770] null pointer dereference in S_regclass()
The failing case can be reduced to qr/\x{100}[\x{3030}\x{1fb2}/ (It only happens on UTF-8 patterns). The bottom line is that it was assuming that there was at least one character that folded to 1fb2 besides itself, even though the function call said there weren't any such. The solution is to pay attention to the function return value. I incorporated Hugo's++ patch as part of this one. However, the original test case should never have gotten this far. The parser is getting passed garbage, and instead of croaking, it is somehow interpreting it as valid and calling the regex compiler. I will file a ticket about that.
-rw-r--r--regcomp.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/regcomp.c b/regcomp.c
index 387126e94f..fffacc63f7 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -18410,10 +18410,12 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
* inversion list, making sure everything is included. */
fold_list = add_cp_to_invlist(fold_list, start[0]);
fold_list = add_cp_to_invlist(fold_list, folded);
- fold_list = add_cp_to_invlist(fold_list, first_fold);
- for (i = 0; i < folds_to_this_cp_count - 1; i++) {
- fold_list = add_cp_to_invlist(fold_list,
+ if (folds_to_this_cp_count > 0) {
+ fold_list = add_cp_to_invlist(fold_list, first_fold);
+ for (i = 0; i + 1 < folds_to_this_cp_count; i++) {
+ fold_list = add_cp_to_invlist(fold_list,
remaining_folds[i]);
+ }
}
/* If the fold list is identical to what's in this ANYOF