runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long' (regcomp.c:5935:23) #16113
Comments
From @geeknik
While fuzzing v5.27.2-135-g7aaa36b196*, undefined-behavior was triggered in
./perl -e "0=~'0(0?(0||00*))|'"
regcomp.c:5935:23: runtime error: signed integer overflow: 1 +
SUMMARY: AddressSanitizer: undefined-behavior regcomp.c:5935:23
From zefram@fysh.org
Brian Carpenter wrote:
There's nothing pathological about that regexp. I reckon it's a bug.
-zefram
The RT System itself - Status changed from 'new' to 'open'
From @tonycoz
On Sun, 13 Aug 2017 19:33:16 -0700, brian.carpenter@gmail.com wrote:
The attached fixes it for me. There's other similar issues, perhaps it's finally time to do the work to close 121505.
Tony
From @tonycoz
0001-perl-131893-prevent-integer-overflow-when-compiling-.patch
From f901dfa07af600039d9479d4da63db04b3b40f42 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 14 Aug 2017 15:10:22 +1000
Subject: (perl #131893) prevent integer overflow when compiling a regexp
a specific regexp in this case, other regexps may cause other overflows
---
regcomp.c | 8 ++++++--
t/re/pat.t | 6 +++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/regcomp.c b/regcomp.c
index 5a9e56b..a421d24 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -5931,8 +5931,12 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n",
data->cur_is_floating = 1; /* float */
}
min += min1;
- if (delta != SSize_t_MAX)
- delta += max1 - min1;
+ if (delta != SSize_t_MAX) {
+ if (SSize_t_MAX - (max1 - min1) >= delta)
+ delta += max1 - min1;
+ else
+ delta = SSize_t_MAX;
+ }
if (flags & SCF_DO_STCLASS_OR) {
ssc_or(pRExC_state, data->start_class, (regnode_charclass *) &accum);
if (min1) {
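Review bot: The new guard `if (SSize_t_MAX - (max1 - min1) >= delta)` is only overflow-free when `max1 - min1` is non-negative; with `max1 < min1` the subtraction from `SSize_t_MAX` would itself overflow. Nothing visible in this hunk establishes `max1 >= min1`, so please add a one-line comment or an assertion stating that invariant. It would also read better with `max1 - min1` computed once into a local, and with a comment that `SSize_t_MAX` is the saturated value of `delta`, since the commit message expects other regexps to cause other overflows that will need the same treatment.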
diff --git a/t/re/pat.t b/t/re/pat.t
index fb6d4c4..984fd66 100644
--- a/t/re/pat.t
+++ b/t/re/pat.t
@@ -23,7 +23,7 @@ BEGIN {
skip_all('no re module') unless defined &DynaLoader::boot_DynaLoader;
skip_all_without_unicode_tables();
-plan tests => 837; # Update this when adding/deleting tests.
+plan tests => 838; # Update this when adding/deleting tests.
run_tests() unless caller;
@@ -1916,6 +1916,10 @@ EOP
pos($text) = 3;
ok(scalar($text !~ m{(~*=[a-z]=)}g), "RT #131575");
}
+ {
+ # RT #131893 - fails with ASAN -fsanitize=undefined
+ fresh_perl_is('qr/0(0?(0||00*))|/', '', {}, "integer overflow during compilation");
+ }
} # End of sub run_tests
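Review bot: The added `fresh_perl_is('qr/0(0?(0||00*))|/', '', {}, ...)` test only checks that compiling the pattern prints nothing, and its own comment says the failure shows up with `-fsanitize=undefined`, which implies that on a build without the sanitizer it passes whether or not the regcomp.c change is present. Please say so explicitly in the test comment (the regression is only detectable on a sanitizer build), or additionally assert something observable about the compiled pattern, so the test's actual coverage is clear to whoever edits it next.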
--
2.1.4
From zefram@fysh.org
Tony's patch looks good to me. I've applied it as commit
-zefram
@cpansprout - Status changed from 'open' to 'pending release'
From @khwilliamson
Thank you for filing this report. You have helped make Perl better.
With the release yesterday of Perl 5.28.0, this and 185 other issues have been
Perl 5.28.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#131893 (status was 'resolved')
Searchable as RT131893$