develooper Front page | perl.perl5.porters | Postings from October 2013

Re: [perl #119505] Segfault in S_regmatch from bad backreference

Dave Mitchell
October 17, 2013 11:31
On Wed, Aug 28, 2013 at 02:09:51PM -0700, wrote:
> $ ./perl -e '/\7777777777/'
> Segmentation fault
> This is caused by a negative backreference in the compiled regex when the
> following code returns a negative number:
> regcomp.c:10690:  num = atoi(RExC_parse);
> This bug was discovered in our production system running perl-5.8.8-40.el5_9
> (CentOS5), confirmed on a developer's ActivePerl 5.16.2 (Windows7), and
> debugged/reported on the current git.
> The following patch does not properly correct the parsing of large integers,
> but it should at least die cleanly instead of segfaulting:

Thanks for the report and patch. I've actually applied this more general
fix to bleed:

commit 0c2990d652e985784f095bba4bc356481a66aa06
Author:     David Mitchell <>
AuthorDate: Wed Oct 16 13:59:12 2013 +0100
Commit:     David Mitchell <>
CommitDate: Thu Oct 17 10:57:35 2013 +0100

    [perl #119505] Segfault from bad backreference

    The code that parses regex backrefs (or ambiguous backref/octal) such as
    \123, did a simple atoi(), which could wrap round to negative values on
    long digit strings and cause seg faults.

    Include a check on the length of the digit string, and if greater than 9
    digits, assume it can never be a valid backref (obviating the need for the
    atoi() call).

    I've also simplified the code a bit, putting most of the \g handling code
    into a single block, rather than doing multiple "if (isg) {...}".

M       regcomp.c
M       t/re/re_tests

Lear: Dost thou call me fool, boy?
Fool: All thy other titles thou hast given away; that thou wast born with.
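
The digit-length guard described in the commit message above, as an added example that is not part of the original message and is not Perl's regcomp.c code. The helper parse_backref(), its open_groups parameter and the "reject unless the group exists" policy are assumptions made for illustration; int is assumed to be at least 32 bits.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>

/* 9 digits at most: 999999999 fits in a 32-bit int, so it cannot wrap. */
#define MAX_BACKREF_DIGITS 9

/* Hypothetical helper: parse the decimal digits that follow a backslash.
 * Returns the group number (>= 1) when the digits name an existing
 * capture group, or -1 when they cannot be a backreference.
 * *len receives the number of digits seen. */
static int parse_backref(const char *p, int open_groups, size_t *len)
{
    size_t n = 0;
    int num = 0;

    while (isdigit((unsigned char)p[n]))
        n++;
    *len = n;

    /* Length check first: a longer run can never be a valid group
     * number, so no conversion is attempted and nothing can go negative. */
    if (n == 0 || n > MAX_BACKREF_DIGITS)
        return -1;

    for (size_t i = 0; i < n; i++)
        num = num * 10 + (p[i] - '0');

    /* Group 0 is not a backreference, and the group must exist. */
    if (num < 1 || num > open_groups)
        return -1;
    return num;
}

int main(void)
{
    /* Constructed inputs; the first is the digit string from the report. */
    const char *samples[] = { "7777777777", "12", "3", "999999999", "0" };

    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        size_t len;
        int r = parse_backref(samples[i], 20, &len);
        printf("\\%s -> %d (%zu digits)\n", samples[i], r, len);
    }
    return 0;
}
```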
