
[perl #133770] null pointer dereference in S_regclass()

From:
Hugo van der Sanden via RT
Date:
January 23, 2019 11:21
Subject:
[perl #133770] null pointer dereference in S_regclass()
Message ID:
rt-4.0.24-31427-1548242496-1185.133770-15-0@perl.org
On Tue, 15 Jan 2019 07:44:03 -0800, geeknik@protonmail.ch wrote:
> While testing v5.29.6-96-g7397626020, I discovered a segfault
> triggered by a null pointer dereference in S_regclass(). I compiled
> perl5 with Clang-8.0.0 and AddressSanitizer.
> 
> echo "MAAvAG0AAABbADAwsh8AAA==" | base64 -d | tee test0084.pl | perl
> test0084.pl
> 
> #0 0x77a733 in S_regclass /root/perl/regcomp.c:18577:37
[...]

Without analysing the input too deeply, I see that the code calls utf8.c:Perl__inverse_folds(), then uses an unsigned int i to loop over remaining_folds:
    for (i = 0; i < folds_to_this_cp_count - 1; i++) {
        fold_list = add_cp_to_invlist(fold_list, remaining_folds[i]);
    }

However when folds_to_this_cp_count is zero, the loop condition is invalid.

Certainly this patch is enough to avoid the coredump on this input:
--- a/regcomp.c
+++ b/regcomp.c
@@ -18573,7 +18573,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
                     fold_list = add_cp_to_invlist(fold_list, start[0]);
                     fold_list = add_cp_to_invlist(fold_list, folded);
                     fold_list = add_cp_to_invlist(fold_list, first_fold);
-                    for (i = 0; i < folds_to_this_cp_count - 1; i++) {
+                    for (i = 0; i + 1 < folds_to_this_cp_count; i++) {
                         fold_list = add_cp_to_invlist(fold_list,
                                                         remaining_folds[i]);
                     }
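Review bot: the new condition `i + 1 < folds_to_this_cp_count` removes the unsigned wrap for a count of 0 and yields zero iterations for a count of 1, so the NULL remaining_folds documented for count 1 is never indexed by this loop; however the three unconditional add_cp_to_invlist() calls just above (start[0], folded, first_fold) still run when the count is 0, and nothing in the hunk says what first_fold holds in that case. Consider guarding the whole fold-list construction on `folds_to_this_cp_count > 0` rather than only the loop, and add a comment above the loop stating the remaining_folds/count contract so the next reader does not reintroduce `count - 1`.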

% ./miniperl ~/133770.pl 
Wide character in print at /home/hv/133770.pl line 1.
Unmatched [ in regex; marked by <-- HERE in m/[ <-- HERE 〰ᾲ/ at /home/hv/133770.pl line 1.
% 

However Perl__inverse_folds() is also documented to return a NULL remaining_folds when the count it returns is 1, so it feels like there's more work to do here. Karl, can you take a look?

Hugo

---
via perlbug:  queue: perl5 status: new
https://rt.perl.org/Ticket/Display.html?id=133770
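The failure mode Hugo describes is an unsigned loop bound of the form `count - 1` that wraps to UINT_MAX when the count is 0, so the loop walks off the (possibly NULL) array. The following C program is an added illustration, not code from perl's regcomp.c: it counts how many iterations the original and the patched conditions permit for small counts, and shows a defensive collector that enforces the documented contract (a NULL remaining array whenever the count is 0 or 1). The `fold_result` type and `collect_remaining()` are hypothetical stand-ins for Perl__inverse_folds()'s outputs, not perl's API.

```c
#include <stddef.h>
#include <stdio.h>
#include <limits.h>

/* Constructed stand-in for the values Perl__inverse_folds() hands back:
 * `count` code points fold to the target, and `remaining` holds count - 1
 * of them (the first is returned separately).  Per the report, `remaining`
 * is NULL when count is 1; a count of 0 also has nothing to index. */
typedef struct {
    unsigned        count;
    const unsigned *remaining;   /* count - 1 entries, or NULL */
} fold_result;

/* Iterations the original condition `i < count - 1` permits.  With `count`
 * unsigned (or `i` unsigned and the usual arithmetic conversions applied),
 * count == 0 turns the bound into UINT_MAX.  Capped so the demo terminates. */
unsigned long buggy_iterations(unsigned count, unsigned long cap)
{
    unsigned long n = 0;
    unsigned i;
    for (i = 0; i < count - 1; i++) {      /* wraps when count == 0 */
        if (++n >= cap)
            break;
    }
    return n;
}

/* Iterations the patched condition `i + 1 < count` permits: 0 for counts
 * of 0 and 1, count - 1 otherwise, with no wrap. */
unsigned long fixed_iterations(unsigned count)
{
    unsigned long n = 0;
    unsigned i;
    for (i = 0; i + 1 < count; i++)
        n++;
    return n;
}

/* Hypothetical hardened collector: copies the remaining folds into `out`
 * while checking the contract instead of trusting the arithmetic.
 * Returns the number of entries copied, or -1 if the contract is violated
 * (a count above 1 with a NULL array, or more entries than `out` holds). */
int collect_remaining(const fold_result *r, unsigned *out, size_t out_len)
{
    unsigned i;

    if (r->count <= 1)               /* nothing to index; array may be NULL */
        return 0;
    if (r->remaining == NULL)        /* count says entries exist but none given */
        return -1;
    if ((size_t)(r->count - 1) > out_len)
        return -1;
    for (i = 0; i + 1 < r->count; i++)
        out[i] = r->remaining[i];
    return (int)(r->count - 1);
}

int main(void)
{
    static const unsigned folds[2] = { 0x1FB2, 0x3030 };   /* constructed */
    fold_result none  = { 0, NULL };
    fold_result one   = { 1, NULL };
    fold_result three = { 3, folds };
    fold_result bad   = { 3, NULL };   /* violates the documented contract */
    unsigned out[4];

    printf("count 0: buggy condition allows %lu+ iterations, fixed allows %lu\n",
           buggy_iterations(0, 1000), fixed_iterations(0));
    printf("count 1: buggy %lu, fixed %lu\n",
           buggy_iterations(1, 1000), fixed_iterations(1));
    printf("collect: none=%d one=%d three=%d bad=%d\n",
           collect_remaining(&none, out, 4), collect_remaining(&one, out, 4),
           collect_remaining(&three, out, 4), collect_remaining(&bad, out, 4));
    return 0;
}
```

The point of `collect_remaining()` is that the count and the array are two pieces of state that must agree; checking the count first and the pointer second turns the NULL dereference into a detectable contract violation rather than a segfault.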