On 8/12/19 12:08 AM, Tony Cook via RT wrote:
> Attached the PoC to save people time.
>
> ---
> via perlbug: queue: perl5 status: open
> https://rt.perl.org/Ticket/Display.html?id=134329
>

This is fixed by this commit, currently smoking as khw-134329

PATCH: [perl #134329] Use after free in regcomp.c

A compiled regex is composed of nodes, forming a linked list, with normally a maximum of 16 bits used to specify the offset of the next link. For patterns that require more space than this, the 16-bit links are replaced by using separate nodes especially for the purpose that have longer offsets. When compiling a pattern, the 16-bit mechanism is used, until it overflows, at which point the pattern is recompiled with the long jumps instead.

When I rewrote the compiler last year to make it generally one pass, I noticed a lot of the cases where a node was added didn't check if the result overflowed (the function that does this returns FALSE in that case). I presumed the prior authors knew better, and did not change things, except to put in a bogus value in the link (offset) field that should cause a crash if it were used. That's what's happening in this ticket.

But seeing this example, it's clear that the return value should be checked every time, because you can reach the limit at any time. This commit changes to do that, and to require the function's return value to not be ignored, to guard against future changes.
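The two-pass scheme described in the message (16-bit links first, recompile with long jumps once a link overflows, and never let a caller ignore the overflow result) modelled as a small, self-contained C program. This is an added illustration, not code from the Perl commit or from regcomp.c: the node layout, the opcode names, `set_link`, `compile_once` and `compile` are all hypothetical constructions for this example, and the `warn_unused_result` attribute is the standard GCC/Clang way to make an ignored return value a compiler warning, shown here as one way to meet the "must not be ignored" requirement rather than as what the commit itself used.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy regex-program model (constructed for this example; not regcomp.c's
 * regnode layout): a flat array of 4-byte nodes, each carrying a 16-bit
 * link that gives the distance, in nodes, to the node it jumps to. */
enum { OP_GROUP_START = 1, OP_CHAR = 2, OP_LONGJMP_EXT = 3, OP_END = 4 };

typedef struct { uint16_t op; uint16_t next; } Node;

typedef struct {
    Node  *nodes;
    size_t count, cap;
    bool   long_jumps;  /* second pass: group starts get a 32-bit link */
} Program;

/* Append a node and return its index. */
static size_t emit(Program *p, uint16_t op) {
    if (p->count == p->cap) {
        p->cap = p->cap ? p->cap * 2 : 64;
        Node *n = realloc(p->nodes, p->cap * sizeof *n);
        if (!n) { perror("realloc"); exit(EXIT_FAILURE); }
        p->nodes = n;
    }
    p->nodes[p->count].op = op;
    p->nodes[p->count].next = 0;
    return p->count++;
}

/* Point the link of node `from` at node `to` (to > from).  Returns false
 * when the distance does not fit in 16 bits and no long-jump slot exists.
 * warn_unused_result makes the compiler flag any caller that drops that
 * answer on the floor, the omission the commit message above describes. */
#if defined(__GNUC__) || defined(__clang__)
__attribute__((warn_unused_result))
#endif
static bool set_link(Program *p, size_t from, size_t to) {
    size_t dist = to - from;
    if (p->long_jumps && from + 1 < p->count
        && p->nodes[from + 1].op == OP_LONGJMP_EXT) {
        /* Long form: low half in the node, high half in the extension slot. */
        p->nodes[from].next     = (uint16_t)(dist & 0xFFFFu);
        p->nodes[from + 1].next = (uint16_t)(dist >> 16);
        return true;
    }
    if (dist > UINT16_MAX)
        return false;            /* overflow: store nothing, report it */
    p->nodes[from].next = (uint16_t)dist;
    return true;
}

/* Decode a link written by set_link, in either form. */
static uint32_t read_link(const Program *p, size_t from) {
    uint32_t dist = p->nodes[from].next;
    if (from + 1 < p->count && p->nodes[from + 1].op == OP_LONGJMP_EXT)
        dist |= (uint32_t)p->nodes[from + 1].next << 16;
    return dist;
}

/* Compile "a group whose body is body_len single-char nodes".  The group
 * start must link past the whole body, so a large body needs a long link. */
static bool compile_once(Program *p, size_t body_len) {
    size_t start = emit(p, OP_GROUP_START);
    if (p->long_jumps)
        emit(p, OP_LONGJMP_EXT);    /* reserve the 32-bit extension slot */
    for (size_t i = 0; i < body_len; i++)
        emit(p, OP_CHAR);
    size_t end = emit(p, OP_END);
    return set_link(p, start, end); /* the result is checked every time */
}

/* First pass with 16-bit links; if a link overflows, discard the program
 * and recompile with long jumps, as the message describes. */
static Program compile(size_t body_len) {
    Program p = { 0 };
    if (!compile_once(&p, body_len)) {
        free(p.nodes);
        p = (Program){ 0 };
        p.long_jumps = true;
        if (!compile_once(&p, body_len)) {
            fputs("internal error: long jump overflowed\n", stderr);
            exit(EXIT_FAILURE);
        }
    }
    return p;
}

int main(void) {
    size_t bodies[] = { 10, 70000 };   /* constructed sizes: fits / overflows */
    for (size_t i = 0; i < 2; i++) {
        Program p = compile(bodies[i]);
        printf("body of %zu nodes: %s links, group start jumps %u nodes\n",
               bodies[i], p.long_jumps ? "long" : "16-bit", read_link(&p, 0));
        free(p.nodes);
    }
    return 0;
}
```

The body of 10 nodes compiles with 16-bit links and the group start jumps 11 nodes; the body of 70000 nodes makes the first pass return false, and the second pass encodes the 70002-node jump across the extension slot. Building with `-Wall` (or `-Werror=unused-result`) turns any new call site that drops `set_link`'s result into a compile-time complaint, which is the cheap guard against the same class of omission creeping back in.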