develooper Front page | perl.perl5.porters | Postings from August 2019

[perl #134328] Invalid read of size 1 in regexec.c:8492

From:
Tony Cook via RT
Date:
August 26, 2019 05:20
Subject:
[perl #134328] Invalid read of size 1 in regexec.c:8492
Message ID:
rt-4.0.24-5845-1566796801-1529.134328-15-0@perl.org
On Thu, 01 Aug 2019 06:35:21 -0700, nguyenmanhdung1710@gmail.com wrote:
> Hi All,
> I found an invalid read bug in the commit *a3c7756* on branch *blead*. This bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04 (64 bit) as follows:
>    ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth='
> '; make

Attached the POC.

This looks like it's the same problem as with 134329.

On a debug build the tail of the run is:

65565: END (0)
minlen 0 
Matching REx "((8|||%x{d5}%x{b8}%20%x{d7}%x{b8}||(G|||,%0d%0%20^Z)*(8|||cc"... against ""
   0 <> <>                   |   0| 1:CURLYX[0]{0,INFTY}(65536)
   0 <> <>                   |   1|  65535:CURLY{9216,3}(0)
miniperl: regexec.c:8491: S_regmatch: Assertion `ST.min <= ST.max' failed.

The offset there is wrong, so it's trying to interpret from the middle of a regexp op.

If I test with khw-134329 I get:

162257:   EXACT <n> (0)
162259: EXACT <\0G\x{ff}p\x{ff}\x{ff}\x{ff}\177> (162262)
162262: END (0)
floating "%0G%x{ff}p%x{ff}%x{ff}%x{ff}%177" at 1..9223372036854775807 (checking floating) minlen 9 
String shorter than min possible regex match (0 < 9)
Freeing REx: "((8|||%x{d5}%x{b8}%20%x{d7}%x{b8}||(G|||,%0d%0%20^Z)*(8|||cc"...

Tony

---
via perlbug:  queue: perl5 status: new
https://rt.perl.org/Ticket/Display.html?id=134328