author | Jarkko Hietaniemi <jhi@iki.fi> | 2014-04-21 21:43:12 -0400 |
---|---|---|
committer | Tony Cook <tony@develop-help.com> | 2014-04-30 09:58:53 +1000 |
commit | adc2d0c9de764f1cb892860df8ecc93dc8909b39 (patch) | |
tree | ecfc5cba6fc7d278683dd9d8d8cd2b6970a44471 /regcomp.c | |
parent | 2a600bb8f7c0d6b36cb37c899b6c9e82537ec394 (diff) | |
Fix for Coverity perl5 CID 29034: Out-of-bounds read (OVERRUN) overrun-local: Overrunning array PL_reg_intflags name of 14 8-byte elements at element index 31 (byte offset 248) using index bit (which evaluates to 31).
Needed compile-time limits for the PL_reg_intflags_name so that the
bit loop doesn't waltz off past the array. Could not use C_ARRAY_LENGTH
because the size of name array is not visible during compile time
(only const char*[] is), so modified regcomp.pl to generate the size,
made it visible only under DEBUGGING. Did extflags analogously
even though its size is currently exactly 32 already. The sizeof(flags)*8
is extra paranoia for ILP64.
Diffstat (limited to 'regcomp.c')
-rw-r--r-- | regcomp.c | 8 |
1 files changed, 6 insertions, 2 deletions
@@ -15365,7 +15365,9 @@ S_regdump_intflags(pTHX_ const char *lead, const U32 flags) int bit; int set=0; - for (bit=0; bit<32; bit++) { + ASSUME(REG_INTFLAGS_NAME_SIZE <= sizeof(flags)*8); + + for (bit=0; bit<REG_INTFLAGS_NAME_SIZE; bit++) { if (flags & (1<<bit)) { if (!set++ && lead) PerlIO_printf(Perl_debug_log, "%s",lead); @@ -15387,7 +15389,9 @@ S_regdump_extflags(pTHX_ const char *lead, const U32 flags) int set=0; regex_charset cs; - for (bit=0; bit<32; bit++) { + ASSUME(REG_EXTFLAGS_NAME_SIZE <= sizeof(flags)*8); + + for (bit=0; bit<REG_EXTFLAGS_NAME_SIZE; bit++) { if (flags & (1<<bit)) { if ((1<<bit) & RXf_PMf_CHARSET) { /* Output separately, below */ continue; |
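Review bot: In S_regdump_intflags the loop now stops at REG_INTFLAGS_NAME_SIZE, so any bit set in flags at or above that index is silently left out of the debug dump. Consider printing the leftover bits numerically after the loop (mask off the named bits and emit the remainder in hex) so a flag without a name entry is still visible. Separately, both operands of `ASSUME(REG_INTFLAGS_NAME_SIZE <= sizeof(flags)*8)` are compile-time constants, so this could be a compile-time check that fails the build if regcomp.pl ever generates a size larger than the flag word.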
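Review bot: In S_regdump_extflags, `1<<bit` shifts a signed int, and with the bound at REG_EXTFLAGS_NAME_SIZE (32 according to the commit message) bit reaches 31, where shifting into the sign bit is undefined behaviour in C. Since flags is a U32, use an unsigned constant in both tests, for example `flags & ((U32)1 << bit)` and `((U32)1 << bit) & RXf_PMf_CHARSET`. The same expression appears in the S_regdump_intflags hunk, where it stays in range only while that name table has fewer than 32 entries.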