Perl segfault in regex engine in integer overflow situation #14858
From @dcollinsn

Greetings,

The afl fuzzer has identified the following testcase which causes a segmentation fault in the regular expression engine in perl and miniperl (oddly, only when run WITHOUT -Ilib). The testcase is the 17-character file:

`/\x{E000000000}|/`

GDB output identifies the segfault within malloc, which isn't very helpful, but (hopefully) successfully isolated the crash to Perl_regexec_flags. Valgrind appears to be describing a buffer overflow. Old versions of perl throw "integer overflow in hexadecimal number" but do not segfault. Git bisect identifies a commit which appears to be a significant overhaul of part of the regular expression engine.

**GDB**

GNU gdb (GDB) 7.0.1-debian
Program received signal SIGSEGV, Segmentation fault.

**VALGRIND**

==9388== Memcheck, a memory error detector

**PERL -V**

Summary of my perl5 (revision 5 version 23 subversion 2) configuration:
Characteristics of this binary (from libperl):

**BISECT**

cdd87c1 is the first bad commit
Teach regex optimizer to handle above-Latin1
:100644 100644 ec203f9c1f3ea42c65324e632c746042c32954f1 3dd62f946eedd99f87489fecfeb1acd86e2d250b M embed.fnc
From @tonycoz

On Sun Aug 16 20:56:17 2015, dcollinsn@gmail.com wrote:

Here's a fix (attached).

Tony
From @tonycoz

Attachment: 0001-perl-125826-make-the-buffer-large-enough-in-TRIE_STO.patch

From ab3f825e8c3d0b6f70faac9d6b3552923bd511d0 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 18 Aug 2015 12:11:12 +1000
Subject: [PATCH] [perl #125826] make the buffer large enough in
TRIE_STORE_REVCHAR
---
regcomp.c | 2 +-
t/re/pat_advanced.t | 9 +++++++++
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/regcomp.c b/regcomp.c
index f08f08f..c052cc7 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -2001,7 +2001,7 @@ is the recommended Unicode-aware way of saying
#define TRIE_STORE_REVCHAR(val) \
STMT_START { \
if (UTF) { \
- SV *zlopp = newSV(7); /* XXX: optimize me */ \
+ SV *zlopp = newSV(UTF8_MAXBYTES); /* XXX: optimize me */ \
unsigned char *flrbbbbb = (unsigned char *) SvPVX(zlopp); \
unsigned const char *const kapow = uvchr_to_utf8(flrbbbbb, val); \
SvCUR_set(zlopp, kapow - flrbbbbb); \
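Review bot: the `/* XXX: optimize me */` comment kept on the `newSV(UTF8_MAXBYTES)` line says nothing about why the width matters; a short note that `uvchr_to_utf8` can emit up to `UTF8_MAXBYTES` bytes, more than the 7 the old literal assumed, would stop a later reader from shrinking it again. No `+ 1` is needed, since `newSV(len)` reserves an extra byte for the trailing NUL beyond the `len` bytes of string space.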
diff --git a/t/re/pat_advanced.t b/t/re/pat_advanced.t
index 230fd89..33647f3 100644
--- a/t/re/pat_advanced.t
+++ b/t/re/pat_advanced.t
@@ -2419,6 +2419,15 @@ EOF
'No segfault on qr{(?&foo){0}abc(?<foo>)}');
}
+ SKIP:
+ { # [perl #125826] buffer overflow in TRIE_STORE_REVCHAR
+ # (during compilation, so use a fresh perl)
+ $Config{uvsize} == 8
+ or skip("need large code-points for this test", 1);
+ fresh_perl_is('/\x{E000000000}|/ and print qq(ok\n)', "ok\n", {},
+ "buffer overflow in TRIE_STORE_REVCHAR");
+ }
+
# !!! NOTE that tests that aren't at all likely to crash perl should go
# a ways above, above these last ones.
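Review bot: the test name "buffer overflow in TRIE_STORE_REVCHAR" states the bug rather than the expected outcome, unlike the neighbouring 'No segfault on qr{(?&foo){0}abc(?<foo>)}'; consider "no buffer overflow in TRIE_STORE_REVCHAR". The `$Config{uvsize} == 8` guard also relies on `%Config` being imported in this file, which the hunk does not show, so it is worth confirming `use Config` is already in scope, and a comment saying why the code point needs a 64-bit UV would explain the skip condition.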
--
2.5.0
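To show why the patch moves from the literal 7 to UTF8_MAXBYTES, here is an added C example (not Perl's code and not Tony's patch) that computes the width Perl's extended UTF-8 needs for a code point and checks it against the string space newSV(len) advertises. It assumes a 64-bit perl (UV size 8, matching the test's $Config{uvsize} guard), where UTF8_MAXBYTES is 13 and the width thresholds mirror the OFFUNISKIP ladder in utf8.h; the EX_ constants and helper names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for a 64-bit perl (UV size 8); on a 32-bit perl
 * UTF8_MAXBYTES is smaller and the 13-byte form does not exist. */
#define EX_UTF8_MAXBYTES 13u
#define EX_UTF8_QUAD_MAX (1ULL << 36)   /* first code point needing 13 bytes */

/* Bytes Perl's extended UTF-8 uses for a code point; the thresholds
 * follow the OFFUNISKIP ladder in utf8.h (treated here as an assumption). */
static size_t perl_utf8_width(uint64_t uv)
{
    if (uv < 0x80)              return 1;
    if (uv < 0x800)             return 2;
    if (uv < 0x10000)           return 3;
    if (uv < 0x200000)          return 4;
    if (uv < 0x4000000)         return 5;
    if (uv < 0x80000000)        return 6;
    if (uv < EX_UTF8_QUAD_MAX)  return 7;
    return EX_UTF8_MAXBYTES;
}

/* Bytes written past the newSV(len) allocation (len + 1 bytes, the extra
 * one reserved for a trailing NUL); 0 means the write stayed inside. */
static size_t overflow_bytes(uint64_t uv, size_t sv_len)
{
    size_t need = perl_utf8_width(uv);
    size_t allocated = sv_len + 1;
    return need > allocated ? need - allocated : 0;
}

/* Checked store: encode only if the advertised string space (len) can hold
 * every byte, leaving the NUL slot alone. Returns the width, or 0 if refused. */
static size_t store_revchar_checked(uint64_t uv, size_t sv_len)
{
    size_t need = perl_utf8_width(uv);
    return need <= sv_len ? need : 0;
}

int main(void)
{
    uint64_t cp = 0xE000000000ULL;  /* code point from the fuzzer's /\x{E000000000}|/ */
    printf("width %zu; newSV(7) overflows by %zu bytes; newSV(UTF8_MAXBYTES) by %zu\n",
           perl_utf8_width(cp), overflow_bytes(cp, 7),
           overflow_bytes(cp, EX_UTF8_MAXBYTES));
    printf("checked store: old=%zu new=%zu\n",
           store_revchar_checked(cp, 7), store_revchar_checked(cp, EX_UTF8_MAXBYTES));
    return 0;
}
```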
The RT System itself - Status changed from 'new' to 'open'
From @dcollinsn

Hello p5p,

Just wondering if these are useful enough that you'd like me to continue

Regards,

On Mon, Aug 17, 2015 at 10:18 PM, Tony Cook via RT <
From PeterCMartini@GMail.com

On Mon, Aug 17, 2015 at 11:28 PM, Dan Collins <dcollinsn@gmail.com> wrote:

I can only speak for myself, but yes, I find these very useful; those
The cases I've seen you provide have been solid enough that I wouldn't ask
From @tonycoz

On Mon, Aug 17, 2015 at 11:28:03PM -0400, Dan Collins wrote:

I think they're useful, even if we don't always have the development

Tony
From @tonycoz

On Mon Aug 17 19:18:42 2015, tonyc wrote:

Applied with non-code changes as 668fcfe.

Tony

@tonycoz - Status changed from 'open' to 'resolved'
From @rurban

I certainly do not speak for p5p, they usually tend to go into the opposite direction whenever I voice my opinion. They are useful as is. No need to worry.

My list (maybe I missed some lately):

New crashes, not yet in the 5.20.3 blockers list: see http://perl5.git.perl.org/perl.git/blob/refs/heads/maint-5.20-votes:/Porting/cherry-pick-votes-maint-5.20.xml

• perl #123554 avoid a crash from SvGROW(MEM_SIZE_MAX) (Fixed in 5.22)

more crashes:
Migrated from rt.perl.org#125826 (status was 'resolved')
Searchable as RT125826$