In perl.git, the branch smoke-me/khw-134329 has been created

<https://perl5.git.perl.org/perl.git/commitdiff/84072a0538b77a4779496395ccb47a158b882329?hp=0000000000000000000000000000000000000000>

        at  84072a0538b77a4779496395ccb47a158b882329 (commit)

- Log -----------------------------------------------------------------
commit 84072a0538b77a4779496395ccb47a158b882329
Author: Karl Williamson <[email protected]>
Date:   Fri Aug 23 12:40:24 2019 -0600

    PATCH: [perl #134329] Use after free in regcomp.c
    
    A compiled regex is composed of nodes, forming a linked list, with
    normally a maximum of 16 bits used to specify the offset of the next
    link.  For patterns that require more space than this, the nodes that
    jump around are replaced with ones that have wider offsets.  Most nodes
    are unaffected, as they just contain the offset of the next node, and
    that number is always small.  The jump nodes are the ones affected.
    
    When compiling a pattern, the 16 bit mechanism is used, until it
    overflows, at which point the pattern is recompiled with the long jumps
    instead.
    
    When I rewrote the compiler last year to make it generally one pass, I
    noticed a lot of the cases where a node was added didn't check if the
    result overflowed (the function that does this returns FALSE in that
    case).  I presumed the prior authors knew better, and did not change
    things, except to put in a bogus value in the link (offset) field that
    should cause a crash if it were used.  That's what's happening in this
    ticket.
    
    But seeing this example, it's clear that the return value should be
    checked every time, because you can reach the limit at any time.  This
    commit changes to do that, and to require the function's return value to
    not be ignored, to guard against future changes.
    
    My guess is that the reason it generally worked when there were multiple
    passes is that the first pass didn't do anything except count space, and
    that at some point before the end of the pass the return value did get
    checked, so by the time the nodes were allocated for real, it knew
    enough to use the long jumps.

commit b5cb7d3dbe3e2e57eb208587698cefb806cc4801
Author: Karl Williamson <[email protected]>
Date:   Mon Nov 26 20:16:09 2018 -0700

    XXX need to do process; figure name Configure Fix alignment needed probe

-----------------------------------------------------------------------

-- 
Perl5 Master Repository
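
The short-offset scheme and the unchecked-return-value failure that the commit message above describes, modelled as an added example. This is editor-written code, not perl's regcomp.c: the node layout, the names (node16, prog16, set_link16, compile_short, landing_op), the bogus link value 0xFFFF and the synthetic "jump over N filler nodes to END" pattern are all assumptions. The walker here reports where a bogus link lands instead of dereferencing it the way the real engine would.

```c
/* Model of a compiled pattern as an array of nodes linked by 16-bit forward
 * offsets (the "short" form). Added example, not perl's regcomp.c; all names
 * and the bogus value are invented for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

enum { OP_JUMP = 1, OP_FILLER = 2, OP_END = 3 };
#define SHORT_MAX 0xFFFFu   /* largest span a 16-bit link can express */
#define BOGUS_OFF 0xFFFFu   /* written when a span does not fit: an intentionally wrong link (assumption) */

#if defined(__GNUC__)
#  define MUST_USE __attribute__((warn_unused_result))  /* discarding the result becomes a warning */
#else
#  define MUST_USE
#endif

typedef struct { uint16_t op; uint16_t next_off; } node16;            /* one node, 16-bit link */
typedef struct { node16 *nodes; size_t len; bool overflowed; } prog16; /* a compiled program */

static void free_prog(prog16 *p) { if (p) { free(p->nodes); free(p); } }

/* Make node `at` link `span` nodes ahead. When `span` does not fit in 16 bits,
 * leave a bogus link behind and return false: the caller must switch to wide links. */
static MUST_USE bool set_link16(prog16 *p, size_t at, size_t span)
{
    if (span > SHORT_MAX) {
        p->nodes[at].next_off = BOGUS_OFF;
        p->overflowed = true;
        return false;
    }
    p->nodes[at].next_off = (uint16_t)span;
    return true;
}

/* Emit JUMP, `fill` FILLER nodes, END; the JUMP is meant to land on END.
 * check=true honours overflow (returns NULL so the caller can recompile with
 * wide links); check=false ignores it, the way the unchecked call sites did. */
static prog16 *compile_short(size_t fill, bool check)
{
    prog16 *p = calloc(1, sizeof *p);
    if (!p) return NULL;
    p->len = fill + 2;
    p->nodes = calloc(p->len, sizeof *p->nodes);
    if (!p->nodes) { free_prog(p); return NULL; }

    p->nodes[0].op = OP_JUMP;
    bool ok = set_link16(p, 0, fill + 1);        /* the only link that can get large */
    if (check && !ok) { free_prog(p); return NULL; }
    /* A bare `set_link16(p, 0, fill + 1);` with the result dropped is what MUST_USE flags. */

    for (size_t i = 1; i <= fill; i++) {
        p->nodes[i].op = OP_FILLER;
        ok = set_link16(p, i, 1);                /* ordinary nodes: span 1 always fits */
        if (check && !ok) { free_prog(p); return NULL; }
    }
    p->nodes[fill + 1].op = OP_END;
    return p;
}

/* Follow the link out of node 0 and report the op it lands on, or -1 if the
 * link leaves the program. The real engine would simply dereference it. */
static int land_from_start(const prog16 *p)
{
    size_t target = p->nodes[0].next_off;
    return target < p->len ? (int)p->nodes[target].op : -1;
}

/* Compile and report where the JUMP lands; -2 means compile refused (overflow seen). */
static int landing_op(size_t fill, bool check)
{
    prog16 *p = compile_short(fill, check);
    if (!p) return -2;
    int op = land_from_start(p);
    free_prog(p);
    return op;
}

int main(void)
{
    printf("small pattern, checked:   %d (3 = END, correct target)\n", landing_op(100, true));
    printf("huge pattern, checked:    %d (-2 = refused; recompile with wide links)\n", landing_op(70000, true));
    printf("huge pattern, unchecked:  %d (2 = FILLER; bogus link used, wrong target)\n", landing_op(70000, false));
    return 0;
}
```

Build with `cc -Wall example.c`. The overflow only appears once the skipped region exceeds 65535 nodes, which is why a pattern can hit the limit at any call site; with MUST_USE on the emitter, a call site that drops the result is flagged by GCC and clang at compile time rather than surfacing later as a bad link.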