develooper Front page | perl.perl5.porters | Postings from August 2019

[perl #134329] Use-After-Free in regcomp.c:5617

Thread Previous
From:
Tony Cook via RT
Date:
August 12, 2019 01:58
Subject:
[perl #134329] Use-After-Free in regcomp.c:5617
Message ID:
rt-4.0.24-1182-1565575119-380.134329-15-0@perl.org
On Thu, 01 Aug 2019 06:35:55 -0700, nguyenmanhdung1710@gmail.com wrote:
> Hi All,
> I found a Use-After-Free bug in the commit *a3c7756* on branch
> *blead*.
> This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on
> Ubuntu
> 16.04 (64 bit) as follows:
>    ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
> -Dloclibpth='
> '; make

This bisects down to

bf848a12528ab1e63a2f20da532eda498adbdca6 is the first bad commit
commit bf848a12528ab1e63a2f20da532eda498adbdca6
Author: Karl Williamson <khw@cpan.org>
Date:   Thu Mar 14 16:46:50 2019 -0600

    Add more checking for regnode offset overflowing
    
    This is part of the ongoing failures in [perl #133921].
    
    The bottom line cause is that there are generally 16 bits available for
    the address of the next regnode.  On very large patterns, this may not
    be enough.  When that happens, a long jump is used instead.
    
    What previous commits have done is to insert tests in a loop to detect
    that overflow isn't going to occur.  But it turns out that there are
    other places where such overflow could occur.  The real solution should
    be to detect overflow in the base level routine that would otherwise get
    things wrong.  This entails making that routine be able to return
    failure.  It turns out that another function is used under DEBUGGING, so
    that one must be changed as well.  And the calls where it is possible
    for this to overflow are changed to look for failure return and proceed
    appropriately, which is to set a flag that we need to use long jumps,
    and restart the parse.

for me.

Bisected with:

perl ../bisect.pl --start=v5.28.0 --end=v5.30.0 -DDEBUGGING -- ./perl ../134329.pl

Tony

---
via perlbug:  queue: perl5 status: new
https://rt.perl.org/Ticket/Display.html?id=134329

Thread Previous


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About