[perl #119505] Segfault in S_regmatch from bad backreference

# New Ticket Created by  andrewn@locus.net 
# Please include the string:  [perl #119505]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org:443/rt3/Ticket/Display.html?id=119505 >



This is a bug report for perl from andrewn@locus.net,
generated with the help of perlbug 1.39 running under perl 5.19.4.


-----------------------------------------------------------------
[Please describe your issue here]

$ ./perl -e '/\7777777777/'
Segmentation fault

This is caused by a negative backreference in the compiled regex when the
following code returns a negative number:

regcomp.c:10690:  num = atoi(RExC_parse);

This bug was discovered in our production system running perl-5.8.8-40.el5_9
(CentOS5), confirmed on a developer's ActivePerl 5.16.2 (Windows7), and
debugged/reported on the current git.

The following patch does not properly correct the parsing of large integers,
but it should at least die cleanly instead of segfaulting:

diff --git a/regcomp.c b/regcomp.c
index 5a1e234..3854569 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -10688,6 +10688,9 @@ tryagain:
 		        goto parse_named_seq;
 		}   }
 		num = atoi(RExC_parse);
+                if(num < 0) {
+                    vFAIL("Integer wrapped?");
+                }
 		if (isg && num == 0) {
 	            if (*RExC_parse == '0') {
                         vFAIL("Reference to invalid group 0");


[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.19.4:

Configured by andrewn at Wed Aug 28 15:05:31 EDT 2013.

Summary of my perl5 (revision 5 version 19 subversion 4) configuration:
  Commit id: 5b903226e771166eeb3a78d139181139a3759c2d
  Platform:
    osname=linux, osvers=3.7.10-gentoo-r1, archname=x86_64-linux
    uname='linux andrewn 3.7.10-gentoo-r1 #1 smp preempt thu may 16 09:49:20 edt 2013 x86_64 intel(r) core(tm) i7-2600 cpu @ 3.40ghz genuineintel gnulinux '
    config_args='-de -Dusedevel -Dstartperl=#!/home/andrewn/src/git/perl/perl -Doptimize=none -DEBUGGING=both'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='  -g',
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector'
    ccversion='', gccversion='4.6.3', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib/../lib64 /usr/lib/../lib64 /lib /usr/lib /lib64 /usr/lib64 /usr/local/lib64
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
    libc=/lib/libc-2.15.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.15'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared   -g -L/usr/local/lib -fstack-protector'


---
@INC for perl 5.19.4:
    ./lib
    /home/andrewn/perl5lib/lib/x86_64-linux
    /home/andrewn/perl5lib/lib
    /home/andrewn/perl5lib/lib/x86_64-linux
    /home/andrewn/svn/puppet/trunk/files/package/perl
    /home/andrewn/perl5lib/lib/x86_64-linux
    /home/andrewn/perl5lib/lib
    /home/andrewn/perl5lib/lib/x86_64-linux
    /home/andrewn/svn/puppet/trunk/files/package/perl
    /home/andrewn/perl5lib/lib/x86_64-linux
    /home/andrewn/perl5lib/lib
    /home/andrewn/perl5lib/lib/x86_64-linux
    /home/andrewn/svn/puppet/trunk/files/package/perl
    /usr/local/lib/perl5/site_perl/5.19.4/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.19.4
    /usr/local/lib/perl5/5.19.4/x86_64-linux
    /usr/local/lib/perl5/5.19.4
    .

---
Environment for perl 5.19.4:
    HOME=/home/andrewn
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LC_COLLATE=C
    LD_LIBRARY_PATH=:/home/andrewn/lib
    LOGDIR (unset)
    PATH=/home/andrewn/bin:/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.6.3:/usr/games/bin
    PERL5LIB=./lib:/home/andrewn/perl5lib/lib:/home/andrewn/perl5lib/lib/x86_64-linux:/home/andrewn/svn/puppet/trunk/files/package/perl:/home/andrewn/perl5lib/lib:/home/andrewn/perl5lib/lib/x86_64-linux:/home/andrewn/svn/puppet/trunk/files/package/perl:/home/andrewn/perl5lib/lib:/home/andrewn/perl5lib/lib/x86_64-linux:/home/andrewn/svn/puppet/trunk/files/package/perl
    PERL_BADLANG (unset)
    SHELL=/bin/bash

• [perl #119505] Segfault in S_regmatch from bad backreference by andrewn @ locus . net
• Re: [perl #119505] Segfault in S_regmatch from bad backreference by Dave Mitchell
• [perl #119505] Segfault in S_regmatch from bad backreference by James E Keenan via RT