develooper Front page | perl.perl5.porters | Postings from August 2019

Re: [perl #134329] Use-After-Free in regcomp.c:5617

Thread Previous | Thread Next
Karl Williamson
August 23, 2019 19:21
Re: [perl #134329] Use-After-Free in regcomp.c:5617
Message ID:
On 8/12/19 12:08 AM, Tony Cook via RT wrote:
> Attached the PoC to save people time.
> ---
> via perlbug:  queue: perl5 status: open

This is fixed by this commit, currently smoking as khw-134329

    PATCH: [perl #134329] Use after free in regcomp.c

      A compiled regex is composed of nodes, forming a linked list, with
      normally a maximum of 16 bits used to specify the offset of the next
      link.  For patterns that require more space than this, the 16 bit 
      are replaced by using separate nodes especially for the purpose that
      have longer offsets.

      When compiling a pattern, the 16 bit mechanism is used, until it
      overflows, at which point the pattern is recompiled with the long 

      When I rewrote the compiler last year to make it generally one pass, I
      noticed a lot of the cases where a node was added didn't check if the
      result overflowed (the function that does this returns FALSE in that
      case).  I presumed the prior authors knew better, and did not change
      things, except to put in a bogus value in the link (offset) field that
      should cause a crash if it were used.  That's what's happening in this

      But seeing this example, it's clear that the return value should be
      checked every time, because you can reach the limit at any time.  This
      commit changes to do that, and to require the function's return 
value to
      not be ignored, to guard against future changes.

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About