avoid use-after free in /(?{...})/

RT #134208 In something like eval { sub { " " }->() =~ /(?{ die })/ } When the match string gets aliased to $_, the SAVE_DEFSV is done after the SAVEDESTRUCTOR_X(S_cleanup_regmatch_info_aux). So if croaking, the SV gets SvREFCNT_dec()ed by the SAVE_DEFSV, then S_cleanup_regmatch_info_aux() manipulates the SV's magic. This doesn't cause a problem unless the match string is temporary, in which case the only other reference keeping it alive will be removed by the FREETMPs during the croak. The fix is to make sure an extra ref to the sv is held.
author: David Mitchell <davem@iabyn.com> 2019-06-19 13:03:22 +0100
committer: David Mitchell <davem@iabyn.com> 2019-08-06 15:21:15 +0100
commit: 1d48e83dd8863e78e8422ed502d9b2f3199193f5 (patch)
tree: 9aa557ddb1d04d714383cf8d14243ad8f672036d /regexp.h
parent: 1d84a25665013f389ffc6fad7dd133f1c6287a08 (diff)
download: perl-1d48e83dd8863e78e8422ed502d9b2f3199193f5.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/regexp.h b/regexp.h
index 0f35205e1a..ccbc64a009 100644
--- a/regexp.h
+++ b/regexp.h
@@ -658,6 +658,7 @@ typedef struct {
     STRLEN  sublen;     /* saved sublen     field from rex */
     STRLEN  suboffset;  /* saved suboffset  field from rex */
     STRLEN  subcoffset; /* saved subcoffset field from rex */
+    SV      *sv;        /* $_  during (?{}) */
     MAGIC   *pos_magic; /* pos() magic attached to $_ */
     SSize_t pos;        /* the original value of pos() in pos_magic */
     U8      pos_flags;  /* flags to be restored; currently only MGf_BYTES*/
author	David Mitchell <davem@iabyn.com>	2019-06-19 13:03:22 +0100
committer	David Mitchell <davem@iabyn.com>	2019-08-06 15:21:15 +0100
commit	1d48e83dd8863e78e8422ed502d9b2f3199193f5 (patch)
tree	9aa557ddb1d04d714383cf8d14243ad8f672036d /regexp.h
parent	1d84a25665013f389ffc6fad7dd133f1c6287a08 (diff)
download	perl-1d48e83dd8863e78e8422ed502d9b2f3199193f5.tar.gz