perl.perl5.porters: postings from January 2010
[perl #72354] non-regexps can end up as SVt_REGEXP
From: Nicholas Clark
Date: January 26, 2010 08:57
Subject: [perl #72354] non-regexps can end up as SVt_REGEXP
Message ID: rt-3.6.HEAD-4882-1264438561-725.72354-75-0@perl.org
# New Ticket Created by Nicholas Clark
# Please include the string: [perl #72354]
# in the subject line of all future correspondence about this issue.
# <URL: http://rt.perl.org/rt3/Ticket/Display.html?id=72354 >
This is a bug report for perl from nick@ccl4.org,
generated with the help of perlbug 1.39 running under perl 5.11.4.
-----------------------------------------------------------------
[Please describe your issue here]
$ ./perl -lwe '$a = ${qr//}; $a = 2; print re::is_regexp(\$a)'
1
It is possible for arbitrary SVs (e.g. PAD entries) to be upgraded to SVt_REGEXP.
(This is new with first class regexps)
Whilst the example above does not SEGV, it will be possible to write code
that will cause SEGVs (or worse) at the point when the scalar is freed,
because the code in sv_clear() assumes that all scalars of type SVt_REGEXP
*are* regexps, and passes them to pregfree2(), which assumes that
pointers within are valid.
Yes, this should be a 5.12 blocker, because what we have will open us up to
CVEs.
The fix might be simple and clear.
Nicholas Clark
[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
category=core
severity=critical
---
Site configuration information for perl 5.11.4:
Configured by nick at Sun Jan 24 22:05:35 GMT 2010.
Summary of my perl5 (revision 5 version 11 subversion 4) configuration:
Commit id: dac9950b46a56f9fb4bccdd7fbcbf06e277767a2
Platform:
osname=linux, osvers=2.6.18.8-xenu, archname=x86_64-linux-thread-multi
uname='linux eris 2.6.18.8-xenu #1 smp sat oct 3 10:27:42 bst 2009 x86_64 gnulinux '
config_args='-Dusedevel=y -Dcc=ccache gcc -Dld=gcc -Ubincompat5005 -Uinstallusrbinperl -Dcf_email=nick@ccl4.org -Dperladmin=nick@ccl4.org -Dinc_version_list= -Dinc_version_list_init=0 -Doptimize=-g -Dusethreads -Duse64bitall -Uusemymalloc -Duseperlio -Dprefix=~/Sandpit/snap5.9.x-v5.11.4-16-gdac9950 -Uusevendorprefix -Uvendorprefix=~/Sandpit/snap5.9.x-v5.11.4-16-gdac9950 -Dinstallman1dir=none -Dinstallman3dir=none -Uuserelocatableinc -de'
hint=recommended, useposix=true, d_sigaction=define
useithreads=define, usemultiplicity=define
useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
use64bitint=define, use64bitall=define, uselongdouble=undef
usemymalloc=n, bincompat5005=undef
Compiler:
cc='ccache gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-g',
cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
ccversion='', gccversion='4.3.2', gccosandvers=''
intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
alignbytes=8, prototype=define
Linker and Libraries:
ld='gcc', ldflags =' -fstack-protector -L/usr/local/lib'
libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64
libs=-lnsl -ldb -ldl -lm -lcrypt -lutil -lpthread -lc
perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
libc=/lib/libc-2.7.so, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.7'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector'
Locally applied patches:
---
@INC for perl 5.11.4:
lib
/home/nick/Sandpit/snap5.9.x-v5.11.4-16-gdac9950/lib/perl5/site_perl/5.11.4/x86_64-linux-thread-multi
/home/nick/Sandpit/snap5.9.x-v5.11.4-16-gdac9950/lib/perl5/site_perl/5.11.4
/home/nick/Sandpit/snap5.9.x-v5.11.4-16-gdac9950/lib/perl5/5.11.4/x86_64-linux-thread-multi
/home/nick/Sandpit/snap5.9.x-v5.11.4-16-gdac9950/lib/perl5/5.11.4
.
---
Environment for perl 5.11.4:
HOME=/home/nick
LANG (unset)
LANGUAGE (unset)
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/nick/bin:/usr/local/bin:/usr/bin:/bin:/usr/games:/usr/local/sbin:/sbin:/usr/sbin
PERL_BADLANG (unset)
SHELL=/bin/bash
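
A minimal C model of the hazard described in the report above, added here as an illustration; it is not perl source and not part of the original message. Every name in it (`struct scalar`, `holds_regexp`, `clear_checked` and so on) is hypothetical, the dispatch functions only report which destructor would run so nothing invalid is ever dereferenced, and the checked variant is one defensive pattern, not the fix applied to perl.

```c
#include <stdio.h>

/* Toy model of a tagged scalar. NOT perl source; every name is hypothetical. */
enum sv_type { T_NULL, T_IV, T_REGEXP };   /* model assumption: tag is only raised */
enum action  { ACT_NOTHING, ACT_FREE_REGEXP };

struct regexp_body { char *pattern; };
struct scalar {
    enum sv_type type;        /* what the scalar was last upgraded to */
    int holds_regexp;         /* 1 only while body.rx is a live regexp */
    union { long iv; struct regexp_body *rx; } body;
};

/* Models `$a = ${qr//}`: the destination is upgraded to the regexp type. */
static void assign_regexp(struct scalar *sv, struct regexp_body *rx) {
    sv->type = T_REGEXP;
    sv->holds_regexp = 1;
    sv->body.rx = rx;
}

/* Models `$a = 2`: the body is overwritten, the tag stays where it was. */
static void assign_int(struct scalar *sv, long v) {
    if (sv->type < T_IV) sv->type = T_IV;
    sv->holds_regexp = 0;
    sv->body.iv = v;          /* the pointer slot now contains the integer */
}

/* Models the answer re::is_regexp gave in the report: the tag alone decides. */
static int is_regexp_by_tag(const struct scalar *sv) { return sv->type == T_REGEXP; }

/* Destructor dispatch that trusts the tag, as the report says sv_clear() does. */
static enum action clear_trusting_tag(const struct scalar *sv) {
    return sv->type == T_REGEXP ? ACT_FREE_REGEXP : ACT_NOTHING;
}

/* Defensive dispatch: the tag must agree with what the body really holds. */
static enum action clear_checked(const struct scalar *sv) {
    return (sv->type == T_REGEXP && sv->holds_regexp) ? ACT_FREE_REGEXP : ACT_NOTHING;
}

int main(void) {
    struct regexp_body rx = { "" };
    struct scalar a = { T_NULL, 0, { 0 } };
    assign_regexp(&a, &rx);   /* $a = ${qr//} */
    assign_int(&a, 2);        /* $a = 2       */
    printf("is_regexp=%d trusting=%d checked=%d\n", is_regexp_by_tag(&a),
           (int)clear_trusting_tag(&a), (int)clear_checked(&a));
    return 0;
}
```

In the model, the tag-trusting dispatch still selects the regexp destructor after the integer assignment, which is the point at which a real destructor would follow pointers that are no longer valid.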