Perl segfault in regex engine in integer overflow situation #14858
Comments
From @dcollinsn

Greetings,

The afl fuzzer has identified the following testcase which causes a segmentation fault in the regular expression engine in perl and miniperl (oddly, only when run WITHOUT -Ilib). The testcase is the 17-character file:

/\x{E000000000}|/

GDB output identifies the segfault within malloc, which isn't very helpful, but (hopefully) successfully isolated the crash to Perl_regexec_flags. Valgrind appears to be describing a buffer overflow. Old versions of perl throw "integer overflow in hexadecimal number" but do not segfault. Git bisect identifies a commit which appears to be a significant overhaul of part of the regular expression engine.

**GDB**
GNU gdb (GDB) 7.0.1-debian
Program received signal SIGSEGV, Segmentation fault.

**VALGRIND**
==9388== Memcheck, a memory error detector

**PERL -V**
Summary of my perl5 (revision 5 version 23 subversion 2) configuration:
Characteristics of this binary (from libperl):

**BISECT**
cdd87c1 is the first bad commit
Teach regex optimizer to handle above-Latin1
:100644 100644 ec203f9c1f3ea42c65324e632c746042c32954f1 3dd62f946eedd99f87489fecfeb1acd86e2d250b M embed.fnc
|
From @tonycoz

On Sun Aug 16 20:56:17 2015, dcollinsn@gmail.com wrote:

Here's a fix (attached).

Tony
|
From @tonycoz

0001-perl-125826-make-the-buffer-large-enough-in-TRIE_STO.patch

From ab3f825e8c3d0b6f70faac9d6b3552923bd511d0 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 18 Aug 2015 12:11:12 +1000
Subject: [PATCH] [perl #125826] make the buffer large enough in
TRIE_STORE_REVCHAR
---
regcomp.c | 2 +-
t/re/pat_advanced.t | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/regcomp.c b/regcomp.c
index f08f08f..c052cc7 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -2001,7 +2001,7 @@ is the recommended Unicode-aware way of saying
#define TRIE_STORE_REVCHAR(val) \
STMT_START { \
if (UTF) { \
- SV *zlopp = newSV(7); /* XXX: optimize me */ \
+ SV *zlopp = newSV(UTF8_MAXBYTES); /* XXX: optimize me */ \
unsigned char *flrbbbbb = (unsigned char *) SvPVX(zlopp); \
unsigned const char *const kapow = uvchr_to_utf8(flrbbbbb, val); \
SvCUR_set(zlopp, kapow - flrbbbbb); \
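Review bot: newSV(UTF8_MAXBYTES) does match the longest sequence the uvchr_to_utf8 call on the next line can emit, which newSV(7) did not, but nothing in the hunk records why, and the `/* XXX: optimize me */` comment is carried over unchanged, so the next person "optimizing" this macro has no warning against shrinking it again. Suggest replacing that comment with one sentence stating that the buffer must hold any sequence uvchr_to_utf8 can produce, or, better, dropping the per-character heap SV altogether in favour of a stack buffer `U8 tmp[UTF8_MAXBYTES + 1];` followed by `newSVpvn((char *)tmp, kapow - tmp)`, which removes both the sizing question and the separate SvCUR_set.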
diff --git a/t/re/pat_advanced.t b/t/re/pat_advanced.t
index 230fd89..33647f3 100644
--- a/t/re/pat_advanced.t
+++ b/t/re/pat_advanced.t
@@ -2419,6 +2419,15 @@ EOF
'No segfault on qr{(?&foo){0}abc(?<foo>)}');
}
+ SKIP:
+ { # [perl #125826] buffer overflow in TRIE_STORE_REVCHAR
+ # (during compilation, so use a fresh perl)
+ $Config{uvsize} == 8
+ or skip("need large code-points for this test", 1);
+ fresh_perl_is('/\x{E000000000}|/ and print qq(ok\n)', "ok\n", {},
+ "buffer overflow in TRIE_STORE_REVCHAR");
+ }
+
# !!! NOTE that tests that aren't at all likely to crash perl should go
# a ways above, above these last ones.
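Review bot: the skip condition reads `$Config{uvsize}`, but this hunk does not show a `use Config;` and pat_advanced.t's existing imports are outside the diff; confirm %Config is actually available in this file, otherwise the guard does not behave as intended. Two smaller points: the test name repeats the comment text word for word, and a name that quotes the input (for example "\\x{E000000000} in a trie alternation does not overflow TRIE_STORE_REVCHAR") makes a failure report readable without opening the file; and since the pattern is compiled in a fresh perl, a second case with a code point on the far side of the 7-byte boundary would pin down that the fix covers the whole range rather than this one value.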
--
2.5.0
|
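The sizing bug that the patch above corrects, as an added example in C that is not Perl's code and not part of the original thread. It mirrors the length rules of Perl's extended UTF-8 as I read them from utf8.c for a 64-bit ASCII platform (the classic 1 to 6 byte forms up to 0x7FFFFFFF, a 7-byte form with lead byte 0xFE below 2^36, and a 13-byte form with lead byte 0xFF above that; the constants UTF8_MAXBYTES and UTF8_QUAD_MAX and the byte layout are assumptions to check against your tree), and it adds the bounds check that a fixed newSV(7) allocation could not make: newSV(len) reserves len plus one byte for the trailing NUL, so the old macro handed uvchr_to_utf8 8 bytes for a code point that needs 13. The function names ext_utf8_len, ext_utf8_encode, ext_utf8_byte and store_revchar_fits are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t UV;          /* Perl's UV on a build with $Config{uvsize} == 8 */

/* Assumed values, taken from my reading of Perl's utf8.h/utf8.c for a 64-bit
 * ASCII platform; verify them against the tree you are building. */
#define UTF8_MAXBYTES 13
#define UTF8_QUAD_MAX ((UV)1 << 36)

/* Bytes Perl's extended UTF-8 uses for a code point (assumption: mirrors
 * uvchr_to_utf8). Above 0x7FFFFFFF the sequence grows to 7 bytes, and above
 * 2^36 to 13, which is what a newSV(7) buffer could not hold. */
size_t ext_utf8_len(UV cp)
{
    if (cp < 0x80)          return 1;
    if (cp < 0x800)         return 2;
    if (cp < 0x10000)       return 3;
    if (cp < 0x200000)      return 4;
    if (cp < 0x4000000)     return 5;
    if (cp < 0x80000000)    return 6;
    if (cp < UTF8_QUAD_MAX) return 7;
    return UTF8_MAXBYTES;
}

/* Bounds-checked encoder. dst_size includes the byte for the trailing NUL, so
 * it models the len+1 bytes newSV(len) provides. Returns the encoded length,
 * or 0 when the sequence would not fit: the check the old macro lacked. */
size_t ext_utf8_encode(UV cp, unsigned char *dst, size_t dst_size)
{
    static const unsigned char lead[8] = { 0, 0, 0xC0, 0xE0, 0xF0, 0xF8, 0xFC, 0xFE };
    size_t len = ext_utf8_len(cp);
    unsigned char *d = dst;

    if (len + 1 > dst_size)
        return 0;

    if (len == 1) {
        *d++ = (unsigned char)cp;
    } else if (len == UTF8_MAXBYTES) {
        /* 0xFF lead, a 0x80 byte whose six bits are reserved, then eleven
         * continuation bytes carrying six value bits each, high bits first. */
        *d++ = 0xFF;
        *d++ = 0x80;
        for (int shift = 60; shift >= 0; shift -= 6)
            *d++ = 0x80 | (unsigned char)((cp >> shift) & 0x3F);
    } else {
        /* lead byte with len high bits set plus the leftover value bits,
         * followed by len-1 six-bit continuation bytes */
        *d++ = lead[len] | (unsigned char)(cp >> (6 * (len - 1)));
        for (size_t i = len - 1; i-- > 0; )
            *d++ = 0x80 | (unsigned char)((cp >> (6 * i)) & 0x3F);
    }
    *d = '\0';
    return len;
}

/* Byte idx of cp's encoding, or 0 when idx is past the end (for inspection). */
unsigned char ext_utf8_byte(UV cp, size_t idx)
{
    unsigned char buf[UTF8_MAXBYTES + 1];
    size_t len = ext_utf8_encode(cp, buf, sizeof buf);
    return idx < len ? buf[idx] : 0;
}

/* Model of TRIE_STORE_REVCHAR's allocation: sv_len is the argument that was
 * passed to newSV(). Returns the encoded length, or 0 if that SV's sv_len+1
 * bytes would have been overrun. */
size_t store_revchar_fits(UV cp, size_t sv_len)
{
    unsigned char buf[64];                  /* the limit passed below is what matters */
    if (sv_len + 1 > sizeof buf)
        return 0;
    return ext_utf8_encode(cp, buf, sv_len + 1);
}

int main(void)
{
    const UV cp = 0xE000000000ULL;          /* the code point from the report */
    printf("code point %llX needs %zu bytes\n", (unsigned long long)cp, ext_utf8_len(cp));
    printf("newSV(7):             %s\n", store_revchar_fits(cp, 7) ? "fits" : "overflow");
    printf("newSV(UTF8_MAXBYTES): %s\n", store_revchar_fits(cp, UTF8_MAXBYTES) ? "fits" : "overflow");
    return 0;
}
```

The point of the bounds check is that the destination size is derived from the widest sequence the encoder can emit, not from the common case; the report's pattern is one code point past the 7-byte boundary, and a valgrind run of the real perl shows the same shape as the `overflow` branch here, a write of 13 bytes into an 8-byte heap block.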
The RT System itself - Status changed from 'new' to 'open' |
From @dcollinsn

Hello p5p,

Just wondering if these are useful enough that you'd like me to continue

Regards,

On Mon, Aug 17, 2015 at 10:18 PM, Tony Cook via RT <
|
From PeterCMartini@GMail.com

On Mon, Aug 17, 2015 at 11:28 PM, Dan Collins <dcollinsn@gmail.com> wrote:

I can only speak for myself, but yes, I find these very useful; those

The cases I've seen you provide have been solid enough that I wouldn't ask
|
From @tonycoz

On Mon, Aug 17, 2015 at 11:28:03PM -0400, Dan Collins wrote:

I think they're useful, even if we don't always have the development

Tony
|
From @tonycoz

On Mon Aug 17 19:18:42 2015, tonyc wrote:

Applied with non-code changes as 668fcfe.

Tony
|
@tonycoz - Status changed from 'open' to 'resolved' |
From @rurban

I certainly do not speak for p5p, they usually tend to go into the opposite direction whenever I voice my opinion,

They are useful as is. No need to worry.

My list (maybe I missed some lately):

New crashes, not yet in the 5.20.3 blockers list:
see http://perl5.git.perl.org/perl.git/blob/refs/heads/maint-5.20-votes:/Porting/cherry-pick-votes-maint-5.20.xml

• perl #123554 avoid a crash from SvGROW(MEM_SIZE_MAX) (Fixed in 5.22)

more crashes:
|
Migrated from rt.perl.org#125826 (status was 'resolved')
Searchable as RT125826$