
[perl #134329] Use-After-Free in regcomp.c:5617

From: Tony Cook via RT
Date: August 12, 2019 05:01
Subject: [perl #134329] Use-After-Free in regcomp.c:5617
Message ID: rt-4.0.24-21184-1565586093-84.134329-15-0@perl.org

On Sun, 11 Aug 2019 18:58:39 -0700, tonyc wrote:
> On Thu, 01 Aug 2019 06:35:55 -0700, nguyenmanhdung1710@gmail.com wrote:
> > Hi All,
> > I found a Use-After-Free bug in the commit *a3c7756* on branch *blead*.
> > This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu
> > 16.04 (64 bit) as follows:
> >    ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g"
> > -Dloclibpth='
> > '; make
> 
> This bisects down to
> 
> bf848a12528ab1e63a2f20da532eda498adbdca6 is the first bad commit
> commit bf848a12528ab1e63a2f20da532eda498adbdca6
> Author: Karl Williamson <khw@cpan.org>
> Date:   Thu Mar 14 16:46:50 2019 -0600
> 
> Add more checking for regnode offset overflowing

This commit changed allocation of the regexp program from:

-    Newxc(RExC_rxi, sizeof(regexp_internal) + (unsigned)RExC_size * sizeof(regnode),
-        char, regexp_internal);

to:

+    Newxc(RExC_rxi, sizeof(regexp_internal) + RExC_size, char, regexp_internal);
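
Review bot: The size expression on the `+` line drops both the `* sizeof(regnode)` scaling and the `(unsigned)` cast that the removed lines applied to `RExC_size`. Unless the same commit changed `RExC_size` to hold a byte count rather than a number of regnodes, this `Newxc` call now requests a buffer smaller by a factor of `sizeof(regnode)` than the one the removed lines requested. Either restore the multiplication here or add a comment at this call stating the units `RExC_size` is in, and make sure every site that updates `RExC_size` uses the same units.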

assuming I understand the code.

I expect this is the cause for #134325 too.

Tony

---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=134329
