In perl.git, the branch smoke-me/khw-134329 has been created
<https://perl5.git.perl.org/perl.git/commitdiff/e1054a2e1427d0992e29ba844d35b500ec70bd41?hp=0000000000000000000000000000000000000000>
at e1054a2e1427d0992e29ba844d35b500ec70bd41 (commit)
- Log -----------------------------------------------------------------
commit e1054a2e1427d0992e29ba844d35b500ec70bd41
Author: Karl Williamson <[email protected]>
Date: Fri Aug 23 12:40:24 2019 -0600
PATCH: [perl #134329] Use after free in regcomp.c
A compiled regex is composed of nodes, forming a linked list, with
normally a maximum of 16 bits used to specify the offset of the next
link. For patterns that require more space than this, the 16-bit links
are replaced by using separate nodes especially for the purpose that
have longer offsets.
When compiling a pattern, the 16-bit mechanism is used, until it
overflows, at which point the pattern is recompiled with the long jumps
instead.
When I rewrote the compiler last year to make it generally one pass, I
noticed a lot of the cases where a node was added didn't check if the
result overflowed (the function that does this returns FALSE in that
case). I presumed the prior authors knew better, and did not change
things, except to put in a bogus value in the link (offset) field that
should cause a crash if it were used. That's what's happening in this
ticket.
But seeing this example, it's clear that the return value should be
checked every time, because you can reach the limit at any time. This
commit changes to do that, and to require the function's return value to
not be ignored, to guard against future changes.
-----------------------------------------------------------------------
--
Perl5 Master Repository
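As an added illustration (not Perl's regcomp.c and not code from this commit), the C program below models the mechanism the commit message describes: a program made of nodes joined by 16-bit offsets, a link function that returns false when an offset does not fit, a compile path that checks that return value and recompiles with long links, and the pre-fix behaviour of ignoring the return value and leaving a poisoned link in place. All names (Program, program_link, build_alternation, compile_checked, compile_unchecked, walk_branches), the poison value and the node sizes are constructed assumptions for this example.

```c
/* Constructed example: 16-bit node links with overflow detection and a
 * long-link fallback.  Not Perl's regcomp.c; names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__GNUC__) || defined(__clang__)
#  define MUST_CHECK __attribute__((warn_unused_result))  /* ignoring the result is diagnosed */
#else
#  define MUST_CHECK
#endif

#define MAX_NODES   64
#define SHORT_MAX   UINT16_MAX   /* widest offset a 16-bit link can hold */
#define BOGUS_LINK  0xFFFFFFFFu  /* poison stored when a short link overflows */

typedef struct {
    uint32_t pos[MAX_NODES];   /* position of each node in the program */
    uint32_t link[MAX_NODES];  /* offset from node i to the node it jumps to (0 = none) */
    size_t   count;
    uint32_t end;              /* position just past the last node */
    bool     long_links;       /* false: 16-bit offsets, true: 32-bit offsets */
} Program;

static void program_init(Program *p, bool long_links)
{
    p->count = 0;
    p->end = 0;
    p->long_links = long_links;
}

/* Append a node of `size` units and return its index (callers keep n small). */
static size_t program_add_node(Program *p, uint32_t size)
{
    size_t i = p->count++;
    p->pos[i] = p->end;
    p->link[i] = 0;
    p->end += size;
    return i;
}

/* Point node `from` at the later node `to`.  Returns false when the offset
 * does not fit the 16-bit form; the link is then poisoned so an unchecked
 * caller produces an obviously broken program rather than a subtly wrong one. */
MUST_CHECK static bool program_link(Program *p, size_t from, size_t to)
{
    uint32_t off = p->pos[to] - p->pos[from];
    if (!p->long_links && off > SHORT_MAX) {
        p->link[from] = BOGUS_LINK;
        return false;
    }
    p->link[from] = off;
    return true;
}

/* Build an alternation: a BRANCH node (size 1) before each body, each BRANCH
 * linked to the next BRANCH, the last one to END.  Returns false if any link
 * overflowed; every link is still attempted so the program is fully laid out. */
static bool build_alternation(Program *p, const uint32_t *sizes, size_t n, bool long_links)
{
    bool ok = true;
    program_init(p, long_links);
    size_t prev_branch = program_add_node(p, 1);
    program_add_node(p, sizes[0]);
    for (size_t i = 1; i < n; i++) {
        size_t branch = program_add_node(p, 1);
        program_add_node(p, sizes[i]);
        ok = program_link(p, prev_branch, branch) && ok;
        prev_branch = branch;
    }
    size_t end_node = program_add_node(p, 1);
    ok = program_link(p, prev_branch, end_node) && ok;
    return ok;
}

/* The fixed behaviour: check the result, recompile with long links on overflow. */
static bool compile_checked(Program *p, const uint32_t *sizes, size_t n)
{
    if (!build_alternation(p, sizes, n, false))
        return build_alternation(p, sizes, n, true);
    return true;
}

/* The pre-fix behaviour on the unchecked paths: discard the result, keep the poison. */
static void compile_unchecked(Program *p, const uint32_t *sizes, size_t n)
{
    bool ignored = build_alternation(p, sizes, n, false);
    (void)ignored;
}

/* Follow BRANCH links from node 0.  Returns the final node's index, or -1 when
 * a link leaves the node table (the bad access, reported instead of performed). */
static long walk_branches(const Program *p)
{
    size_t cur = 0;
    while (p->link[cur] != 0) {
        uint64_t target = (uint64_t)p->pos[cur] + p->link[cur];
        size_t next = p->count;
        for (size_t i = 0; i < p->count; i++)
            if (p->pos[i] == target) { next = i; break; }
        if (next == p->count)
            return -1;
        cur = next;
    }
    return (long)cur;
}

int main(void)
{
    /* Constructed input: the middle alternative is wider than a 16-bit link. */
    const uint32_t sizes[] = { 10, 70000, 5 };
    Program p;
    compile_checked(&p, sizes, 3);
    printf("checked:   long_links=%d final node=%ld\n", (int)p.long_links, walk_branches(&p));
    compile_unchecked(&p, sizes, 3);
    printf("unchecked: long_links=%d final node=%ld\n", (int)p.long_links, walk_branches(&p));
    return 0;
}
```

The warn_unused_result attribute is what turns a forgotten check into a compiler diagnostic, which is the same guard the commit adds against future callers; the walk bounds-checks every link so the poison value surfaces as a reported error rather than an out-of-bounds read.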