develooper Front page | perl.perl5.porters | Postings from October 2005

[perl #37384] Buffer overflow on erroneous regexp match syntax

Thread Next
From:
Dan Dascalescu
Date:
October 8, 2005 02:36
Subject:
[perl #37384] Buffer overflow on erroneous regexp match syntax
Message ID:
rt-3.0.11-37384-122354.8.29832946595303@perl.org
# New Ticket Created by  Dan Dascalescu 
# Please include the string:  [perl #37384]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/rt3/Ticket/Display.html?id=37384 >


This is a bug report for perl from danvdascalescu,
generated with the help of perlbug 1.35 running under perl v5.8.7.

-----------------------------------------------------------------
[Please enter your report here]



It seems perl suffers from a buffer overflow when it encounters a
binding operator with the right-hand side argument not being a proper
regexp.

For example:
perl -we "$a=qr//; $b=qr//x; 1 =~ ($a|$b)"

For a more spectacular error, try

#! perl -w
use strict;

my $Yahoo_Mail_RE = qr'
    YMail:HTML:.*
  | YMail:STRINGS:intlYMailStrings.dict
'x;


my $Yahoo_ABCalNp_RE = qr'
    AddrBook2K2:HTML:.*
  | AddrBook2K2:S:i
'x;

print 1 !~ ($Yahoo_Mail_RE|$Yahoo_ABCalNp_RE);


I have not included the site configuration information because 'lzh'
on #perl kindly tested this on 5.4.5 to 5.9.2 and reproduced the issue
on all version. I have attached that log.

--
Dan Dascalescu
http://www.brainbench.com/transcript.jsp?pid=102809

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=low
---

Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About