summaryrefslogtreecommitdiff
path: root/t/re
diff options
context:
space:
mode:
authorHugo van der Sanden <hv@crypt.org>2020-04-28 18:52:44 +0100
committerSteve Hay <steve.m.hay@googlemail.com>2020-06-01 20:35:51 +0100
commit3a1df45e827a79d14694d18dd0141c09a0abfe5c (patch)
treedd73e954d63fe07d1c7a785dac9d022d9ccaa45b /t/re
parent0e9563b9242a5758c6ce11daf8385b3753e9ed9c (diff)
downloadperl-3a1df45e827a79d14694d18dd0141c09a0abfe5c.tar.gz
study_chunk: honour mutate_ok over recursion
As described in #17743, study_chunk can re-enter itself either by simple recursion or by enframing. 089ad25d3f used the new mutate_ok variable to track whether we were within the framing scope of GOSUB, and to disallow mutating changes to ops if so. This commit extends that logic to reentry by recursion, passing in the current state as was_mutate_ok. (CVE-2020-12723) (cherry picked from commit 3445383845ed220eaa12cd406db2067eb7b8a741)
Diffstat (limited to 't/re')
-rw-r--r--t/re/pat.t14
1 files changed, 13 insertions, 1 deletions
diff --git a/t/re/pat.t b/t/re/pat.t
index 6ece306b5b..c608df5bbe 100644
--- a/t/re/pat.t
+++ b/t/re/pat.t
@@ -24,7 +24,7 @@ BEGIN {
skip_all_without_unicode_tables();
-plan tests => 1020; # Update this when adding/deleting tests.
+plan tests => 1022; # Update this when adding/deleting tests.
run_tests() unless caller;
@@ -2271,6 +2271,18 @@ SKIP:
}, 'ok', {}, 'gh17730: should not crash');
}
+ # gh17743: more regexp corruption via GOSUB
+ {
+ fresh_perl_is(q{
+ "0" =~ /((0(?0)|000(?|0000|0000)(?0))|)/; print "ok"
+ }, 'ok', {}, 'gh17743: test regexp corruption (1)');
+
+ fresh_perl_is(q{
+ "000000000000" =~ /(0(())(0((?0)())|000(?|\x{ef}\x{bf}\x{bd}|\x{ef}\x{bf}\x{bd}))|)/;
+ print "ok"
+ }, 'ok', {}, 'gh17743: test regexp corruption (2)');
+ }
+
} # End of sub run_tests
1;