On Thu, 01 Aug 2019 06:35:00 -0700, nguyenmanhdung1710@gmail.com wrote:
> Hi All,
> I found an invalid read bug in the commit *a3c7756* on branch *blead*. This
> bug causes Perl to crash. I use gcc v5.5.0 to compile Perl on Ubuntu 16.04
> (64 bit) as follows:
> ./Configure -des -Dusedevel -Dprefix=`pwd` -Dccflags="-g" -Dloclibpth=' '; make
>
> Thanks,
> Manh Dung
>
> ======================================
> *perl -v*
> This is perl 5, version 31, subversion 3 (v5.31.3 (v5.31.2-37-ga3c7756))
> built for x86_64-linux
>
> - Crafted PoC:
> https://github.com/strongcourage/PoCs/blob/master/perl_82007f7/PoC_segv_regexec.c:7725
> - Command: perl $PoC

Attached the PoC.

Also appears to be fixed by khw-134329

blead:

65665: EXACT <n> (0)
65667: EXACT <\0G\x{ff}p\x{ff}\x{ff}\x{ff}\177> (65670)
65670: END (0)
minlen 0
Matching REx "((8|||%x{d5}%x{b8}%20%x{d7}%x{b8}||(G|||,%0d%0%20^Z)*(8|||cc"... against ""
   0 <> <>                  |   0|  1:CURLYX[0]{0,INFTY}(65536)
   0 <> <>                  |   1|  65535:CLOSE8192005(65537)
Segmentation fault

Note the 65535 offset and the bad close paren.

khw-134329:

162495: CURLY{0,1} (162499)
162497:   EXACT <n> (0)
162499: EXACT <\0G\x{ff}p\x{ff}\x{ff}\x{ff}\177> (162502)
162502: END (0)
floating "%0G%x{ff}p%x{ff}%x{ff}%x{ff}%177" at 1..9223372036854775807 (checking floating) minlen 9
String shorter than min possible regex match (0 < 9)
Freeing REx: "((8|||%x{d5}%x{b8}%20%x{d7}%x{b8}||(G|||,%0d%0%20^Z)*(8|||cc"...

Tony

---
via perlbug: queue: perl5 status: new
https://rt.perl.org/Ticket/Display.html?id=134327