[perl #134325] Heap buffer overflow
From: Hugo van der Sanden via RT
Date: August 12, 2019 14:36
Subject: [perl #134325] Heap buffer overflow
Message ID: rt-4.0.24-22661-1565620559-204.134325-15-0@perl.org
On Mon, 12 Aug 2019 05:46:19 -0700, hv wrote:
> Here's a shorter version.
>
> perl -e '
> $quote="\\Q";
> $back="\\\\";
> $ff="\xff";
> printf "/\\1|(|%s)%s%s /i",
> $quote x 8 . $back x 69,
> $quote x 5 . $back x 4,
> $ff x 48
> ' | ./miniperl
We can simplify the printf pattern to "/\\1|%s%s%s /i", and we can also replace "\xff" with "\\xff" leaving us just simple ascii to pass around.
Starting to trace this through, I note that the removal of the sizing pass appears to lead to under-allocation of RExC_rxi up front - RExC_size is counted in regnodes, but we allocate only that many chars. Fixing that doesn't solve this out-of-bounds read, but I imagine we probably want it in any case.
I have a feeling Tony commented on this already, but I can't find the message - Karl, have you looked at this already?
Hugo
diff --git a/regcomp.c b/regcomp.c
index cf9246473f..f8bef77f0b 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -7671,11 +7671,11 @@ Perl_re_op_compile(pTHX_ SV ** const patternp, int pat_count,
RExC_size = STR_SZ(RExC_end - RExC_start);
}
- Newxc(RExC_rxi, sizeof(regexp_internal) + RExC_size, char, regexp_internal);
+ Newxc(RExC_rxi, sizeof(regexp_internal) + RExC_size * sizeof(regnode), char, regexp_internal);
if ( RExC_rxi == NULL )
FAIL("Regexp out of space");
- Zero(RExC_rxi, sizeof(regexp_internal) + RExC_size, char);
+ Zero(RExC_rxi, sizeof(regexp_internal) + RExC_size * sizeof(regnode), char);
RXi_SET( RExC_rx, RExC_rxi );
/* We start from 0 (over from 0 in the case this is a reparse. The first
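Review bot: the byte count `sizeof(regexp_internal) + RExC_size * sizeof(regnode)` is now spelled out twice, once for `Newxc` and once for `Zero`; computing it once into a local (for example `const STRLEN rxi_bytes = sizeof(regexp_internal) + RExC_size * sizeof(regnode);`) and passing that to both calls keeps the allocation and the zeroing from drifting apart if either line is touched again. Since the count handed to `Newxc` is already in bytes with element type `char`, the product `RExC_size * sizeof(regnode)` is formed before any per-type size checking the macro does, so a short comment or an explicit bound on `RExC_size` would document why the multiply cannot wrap for the pattern lengths that reach this point.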
---
via perlbug: queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=134325
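The unit mismatch Hugo describes (a count in regnodes used as a count in chars) is easy to see in isolation. The following is an added example, not perl's code: the node and header types, the STR_SZ-like rounding helper, and the size functions are all hypothetical stand-ins, and the pattern length 48 is a constructed sample taken from the length of the "\xff" run in the reproducer. It contrasts the under-sized computation with one that scales by the element size and refuses to overflow.

```c
/* Added example (not perl's code): why a count in regnodes must be
 * scaled to bytes before allocation, and how to guard the multiply. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 4-byte node, standing in for perl's regnode. */
typedef struct { uint8_t flags; uint8_t type; uint16_t next_off; } node_t;

/* Hypothetical header placed in front of the node array, standing in
 * for regexp_internal. */
typedef struct { size_t program_len; } program_header_t;

/* Hypothetical equivalent of STR_SZ: number of nodes needed to hold
 * `len` pattern bytes, rounded up to whole nodes. */
static size_t nodes_for_pattern(size_t len) {
    return (len + sizeof(node_t) - 1) / sizeof(node_t);
}

/* The pre-patch computation: header plus `nodes` *bytes*, although
 * `nodes` is a count of nodes. Returns the (too small) byte count. */
static size_t naive_alloc_bytes(size_t nodes) {
    return sizeof(program_header_t) + nodes;
}

/* The corrected computation with an explicit overflow check.
 * Returns 0 if the total would not fit in size_t. */
static size_t checked_alloc_bytes(size_t nodes) {
    if (nodes > (SIZE_MAX - sizeof(program_header_t)) / sizeof(node_t))
        return 0;
    return sizeof(program_header_t) + nodes * sizeof(node_t);
}

/* How many bytes the naive computation under-allocates for a pattern of
 * `pattern_len` bytes: nodes * (sizeof(node_t) - 1). */
static size_t shortfall(size_t pattern_len) {
    size_t n = nodes_for_pattern(pattern_len);
    return checked_alloc_bytes(n) - naive_alloc_bytes(n);
}

int main(void) {
    size_t len = 48; /* constructed: length of the \xff run in the reproducer */
    size_t n = nodes_for_pattern(len);
    printf("pattern bytes %zu -> %zu nodes; naive alloc %zu bytes, "
           "needed %zu bytes, short by %zu\n",
           len, n, naive_alloc_bytes(n), checked_alloc_bytes(n), shortfall(len));
    /* A node count too large to scale is rejected instead of wrapping. */
    printf("overflowing count rejected: %zu\n", checked_alloc_bytes(SIZE_MAX));
    return 0;
}
```

The shortfall grows with the pattern, which is why a long run of escaped bytes is what pushes the later read past the end of the buffer; the overflow guard is the piece the one-line fix in the patch does not spell out.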