perl.perl5.porters | Postings from August 2013

[perl #119505] Segfault in S_regmatch from bad backreference

andrewn @ locus . net
August 29, 2013 16:05
# New Ticket Created by 
# Please include the string:  [perl #119505]
# in the subject line of all future correspondence about this issue. 
# <URL: >

This is a bug report for perl from,
generated with the help of perlbug 1.39 running under perl 5.19.4.

[Please describe your issue here]

$ ./perl -e '/\7777777777/'
Segmentation fault

This is caused by a negative backreference in the compiled regex when the
following code returns a negative number:

regcomp.c:10690:  num = atoi(RExC_parse);

This bug was discovered in our production system running perl-5.8.8-40.el5_9
(CentOS5), confirmed on a developer's ActivePerl 5.16.2 (Windows7), and
debugged/reported on the current git.

The following patch does not properly correct the parsing of large integers,
but it should at least die cleanly instead of segfaulting:

diff --git a/regcomp.c b/regcomp.c
index 5a1e234..3854569 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -10688,6 +10688,9 @@ tryagain:
 		        goto parse_named_seq;
 		}   }
 		num = atoi(RExC_parse);
+                if(num < 0) {
+                    vFAIL("Integer wrapped?");
+                }
 		if (isg && num == 0) {
 	            if (*RExC_parse == '0') {
                         vFAIL("Reference to invalid group 0");
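
Review bot: The "num < 0" test added right after "num = atoi(RExC_parse);" only catches an overflow that happens to come out negative. A digit string whose wrapped value lands in the positive range would pass it and be treated as an ordinary group number, and atoi's result for a value that does not fit in an int is undefined in C, so the sign of the result cannot be relied on. Consider doing the conversion with a range-checked routine (for example strtol with an errno and INT_MAX check) and failing there, with a message that tells the user the group number is too large rather than "Integer wrapped?". Style: "if(num < 0)" lacks the space used by the neighbouring "if (isg && num == 0)". A regression test for the pattern from the report would be worth adding alongside.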

[Please do not change anything below this line]
Site configuration information for perl 5.19.4:

Configured by andrewn at Wed Aug 28 15:05:31 EDT 2013.

Summary of my perl5 (revision 5 version 19 subversion 4) configuration:
  Commit id: 5b903226e771166eeb3a78d139181139a3759c2d
    osname=linux, osvers=3.7.10-gentoo-r1, archname=x86_64-linux
    uname='linux andrewn 3.7.10-gentoo-r1 #1 smp preempt thu may 16 09:49:20 edt 2013 x86_64 intel(r) core(tm) i7-2600 cpu @ 3.40ghz genuineintel gnulinux '
    config_args='-de -Dusedevel -Dstartperl=#!/home/andrewn/src/git/perl/perl -Doptimize=none -DEBUGGING=both'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
    cc='cc', ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='  -g',
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector'
    ccversion='', gccversion='4.6.3', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib/../lib64 /usr/lib/../lib64 /lib /usr/lib /lib64 /usr/lib64 /usr/local/lib64
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
    libc=/lib/, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared   -g -L/usr/local/lib -fstack-protector'

@INC for perl 5.19.4:

Environment for perl 5.19.4:
    LANGUAGE (unset)
    LOGDIR (unset)
    PERL_BADLANG (unset)
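
Added example, not part of the original report or of perl's source: a range-checked replacement for the atoi() conversion discussed above, next to a model of a 32-bit wrap showing which inputs a "num < 0" test would and would not catch. The names parse_backref_num and wrap32_model are hypothetical, and the wrap model assumes truncation to the low 32 bits, since atoi() overflow is undefined behaviour in C.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not from regcomp.c): parse the decimal digits of a
 * backreference such as \12. Returns the group number, or -1 when there
 * are no digits or the value does not fit in a non-negative int. */
int parse_backref_num(const char *s)
{
    char *stop;
    long v;

    if (!isdigit((unsigned char)*s))    /* refuse sign, whitespace, empty */
        return -1;
    errno = 0;
    v = strtol(s, &stop, 10);
    if (errno == ERANGE || v < 0 || v > INT_MAX)
        return -1;                      /* out of range: reject, never wrap */
    return (int)v;
}

/* Model (assumption): what the number becomes if only the low 32 bits
 * survive and are read back as a signed 32-bit value. */
long long wrap32_model(const char *s)
{
    uint32_t acc = 0;

    while (isdigit((unsigned char)*s))
        acc = acc * 10u + (uint32_t)(*s++ - '0');   /* arithmetic mod 2^32 */
    return acc > 0x7fffffffu ? (long long)acc - 4294967296LL : (long long)acc;
}

int main(void)
{
    /* Constructed inputs: a normal group, the number from the report, and
     * a value that wraps to a small positive number. */
    const char *in[] = { "12", "7777777777", "4294967297" };

    for (int i = 0; i < 3; i++)
        printf("%-11s wrap model=%lld  checked=%d\n", in[i],
               wrap32_model(in[i]), parse_backref_num(in[i]));
    return 0;
}
```

Under the wrap model the number from the report comes out negative, while 4294967297 comes out as 1 and would pass a sign check; the range-checked parser rejects both.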
