diff options
| author | David Mitchell <davem@iabyn.com> | 2017-06-16 15:46:19 +0100 |
|---|---|---|
| committer | Steve Hay <steve.m.hay@googlemail.com> | 2017-08-23 21:21:10 +0100 |
| commit | d268074d893d83bd5bd8f0483bcc7c793bf84bdc (patch) | |
| tree | 8e4e0e4983498f008bb723f5be9addd73fbc6912 /t | |
| parent | 6aaabe5196719b29658e550df4d13c7984a10408 (diff) | |
| download | perl-d268074d893d83bd5bd8f0483bcc7c793bf84bdc.tar.gz | |
don't call Perl_fbm_instr() with negative length
RT #131575
re_intuit_start() could calculate a maximum end position less than the
current start position. This used to get rejected by fbm_intr(), until
v5.23.3-110-g147f21b, which made fbm_intr() faster and removed unnecessary
checks.
This commits fixes re_intuit_start(), and adds an assert to fbm_intr().
(cherry picked from commit bb152a4b442f7718fd37d32cc558be675e8ae1ae)
Diffstat (limited to 't')
| -rw-r--r-- | t/re/pat.t | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/t/re/pat.t b/t/re/pat.t index 16bfc8e773..6f1977594b 100644 --- a/t/re/pat.t +++ b/t/re/pat.t @@ -1911,6 +1911,17 @@ EOP # [perl #129281] buffer write overflow, detected by ASAN, valgrind fresh_perl_is('/0(?0)|^*0(?0)|^*(^*())0|/', '', {}, "don't bump whilem_c too much"); } + + { + # RT #131575 intuit skipping back from the end to find the highest + # possible start point, was potentially hopping back beyond pos() + # and crashing by calling fbm_instr with a negative length + + my $text = "=t=\x{5000}"; + pos($text) = 3; + ok(scalar($text !~ m{(~*=[a-z]=)}g), "RT #131575"); + } + } # End of sub run_tests 1; |