
Re: [perl #134325] Heap buffer overflow

From:
Tony Cook
Date:
August 12, 2019 14:49
Subject:
Re: [perl #134325] Heap buffer overflow
Message ID:
20190812144932.ido7sqiswzofysg3@mars.tony.develop-help.com
On Mon, Aug 12, 2019 at 07:35:59AM -0700, Hugo van der Sanden via RT wrote:
> On Mon, 12 Aug 2019 05:46:19 -0700, hv wrote:
> > Here's a shorter version.
> > 
> > perl -e '
> >   $quote="\\Q";
> >   $back="\\\\";
> >   $ff="\xff";
> >   printf "/\\1|(|%s)%s%s   /i",
> >     $quote x 8 . $back x 69,
> >     $quote x 5 . $back x 4,
> >     $ff x 48
> > ' | ./miniperl
> 
> We can simplify the printf pattern to "/\\1|%s%s%s   /i", and we can also replace "\xff" with "\\xff" leaving us just simple ascii to pass around.
> 
> Starting to trace this through, I note that the removal of the sizing pass appears to lead to under-allocation of RExC_rxi up front - RExC_size is counted in regnodes, but we allocate only that many chars. Fixing that doesn't solve this out-of-bounds read, but I imagine we probably want it in any case.
> 
> I have a feeling Tony commented on this already, but I can't find the message - Karl, have you looked at this already?

That was against #134329, which feels similar to this.

After some discussion with Karl in IRC the bytes vs regnodes shouldn't
be a problem, since RExC_size is set to zero almost immediately after
this; the program is reallocated in regnodes before anything else much
happens.

Tony
