Branch: refs/heads/smoke-me/khw-17734 Home: https://github.com/Perl/perl5 Commit: e8c3bacf5f546a49f701d359f26afd77d1458f60 https://github.com/Perl/perl5/commit/e8c3bacf5f546a49f701d359f26afd77d1458f60 Author: Karl Williamson <k...@cpan.org> Date: 2020-04-29 (Wed, 29 Apr 2020)
Changed paths: M regcomp.c Log Message: ----------- regcomp.c: Add comments Commit: f9dd299d251e8c42be547341f5e6f627bbd7691b https://github.com/Perl/perl5/commit/f9dd299d251e8c42be547341f5e6f627bbd7691b Author: Karl Williamson <k...@cpan.org> Date: 2020-04-29 (Wed, 29 Apr 2020) Changed paths: M regcomp.c M t/re/pat_advanced.t Log Message: ----------- regcomp.c: Avoid use after free It turns out that the SV returned by re_intuit_string() may be freed by future calls to re_intuit_start(). Thus, the caller doesn't get clear title to the returned SV. (This wasn't documented until the commit immediately prior to this one.) Cope with this situation by making a mortalized copy. This commit also changes to use the copy's PV directly, simplifying some 'if' statements. re_intuit_string() is effectively in the API, as it is an element in the regex engine structure, callable by anyone. It should not be returning a tenuous SV. That returned scalar should not freed before the pattern it is for is freed. It is too late in the development cycle to change this, so this workaround is presented instead for 5.32. This fixes #17734. Compare: https://github.com/Perl/perl5/compare/449cda1d3dd9...f9dd299d251e