I've confirmed that, after an onig_new(ONIG_SYNTAX_PERL ....) failure in exec(), einfo.enc points to an invalid address.
Then onig_error_code_to_str() is forced to use some member of the invalid einfo.enc, which causes memory corruption.
Here is a crash log.
ONIGENC_MBC_TO_CODE(enc, p, end) in to_ascii() tries to call address 0 (einfo.enc->mbc_to_code).
$ gdb -q ./perl_syntax -c core
Reading symbols from ./perl_syntax...done.
[New LWP 26801]
Core was generated by `./perl_syntax'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000000000 in ?? ()
(gdb) bt
#0 0x0000000000000000 in ?? ()
#1 0x00007f8f4b15f7fc in to_ascii (enc=0x7fff38b8e890, s=0x0,
end=0x7f8f4b637a98 "\310ycK\217\177", buf=0x7fff38b8e700 "", buf_size=47,
is_over=0x7fff38b8e6c4) at regerror.c:219
#2 0x00007f8f4b15fb35 in onig_error_code_to_str (s=0x7fff38b8e880 "", code=-215)
at regerror.c:281
#3 0x000055b7122bdc40 in exec (syntax=0x55b7124bed40 <OnigSyntaxPerl>,
apattern=0x7fff38b8e923 "(?0d", astr=0x55b7122bdfd1 "bgh8x") at perl_syntax.c:25
#4 0x000055b7122bdec1 in main (argc=1, argv=0x7fff38b8ea18) at perl_syntax.c:75
(gdb) up
#1 0x00007f8f4b15f7fc in to_ascii (enc=0x7fff38b8e890, s=0x0,
end=0x7f8f4b637a98 "\310ycK\217\177", buf=0x7fff38b8e700 "", buf_size=47,
is_over=0x7fff38b8e6c4) at regerror.c:219
219 code = ONIGENC_MBC_TO_CODE(enc, p, end);
(gdb) p *enc
$1 = {precise_mbc_enc_len = 0xffffffff, name = 0x0, max_enc_len = 951968360,
min_enc_len = 32767, is_mbc_newline = 0x7f8f4b637710, mbc_to_code = 0x0,
code_to_mbclen = 0x0, code_to_mbc = 0x0, mbc_case_fold = 0x756e6547,
apply_all_case_fold = 0x9, get_case_fold_codes_by_str = 0x7f8f4b410660 <dl_main>,
property_name_to_ctype = 0x7fff38b8e948, is_code_ctype = 0x2fba3e78dd29d900,
get_ctype_code_range = 0x7fff38b8e930,
left_adjust_char_head = 0x55b7122bdec1 <main+74>,
is_allowed_reverse_match = 0x7fff38b8ea18, case_map = 0x100000000,
ruby_encoding_index = 304865008, flags = 21943}
(gdb) p enc->mbc_to_code
$2 = (OnigCodePoint (*)(const OnigUChar *, const OnigUChar *,
const struct OnigEncodingTypeST *)) 0x0
Thanks
Ren
When onig_new(ONIG_SYNTAX_PERL) fails with error code -215 (ONIGERR_INVALID_GROUP_NAME), onig_error_code_to_str() crashes due to invalid memory access.
Here is POC code based on sample/syntax.c:
$ gcc -o perl_syntax perl_syntax.c -lonigmo
$ ./perl_syntax
pattern (?0d (4)
RES: -215
EINFO.ENC: 0x7ffc07848cd0
Segmentation fault (Core dumped)
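An added stand-alone model of the failure mode described in this thread (example code, not Onigmo's and not the reporter's perl_syntax.c). Every struct and function here is an assumption made for the example: ErrorInfo mirrors only the three fields (enc, par, par_end) visible in the gdb output, Encoding carries only the mbc_to_code pointer that the backtrace ends up calling at address 0, and compile_pattern stands in for the failing onig_new(). It shows the out-parameter shape that produces the crash, the caller-side defence of zero-initialising the error info before the call, and a formatter that renders the parameter only when the callee actually populated it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Onigmo code: a reduced model of the report above.
 * Names echo the Onigmo types involved, but everything here is assumed. */

#define ERR_INVALID_GROUP_NAME (-215)   /* error code seen in the report */
#define MAX_PAR_LEN 32

typedef unsigned char UChar;

/* Encoding vtable; the formatter calls through mbc_to_code. */
typedef struct Encoding {
    const char *name;
    unsigned (*mbc_to_code)(const UChar *p, const UChar *end);
} Encoding;

/* Error-info out-parameter with the three fields the gdb output shows. */
typedef struct ErrorInfo {
    const Encoding *enc;
    const UChar    *par;
    const UChar    *par_end;
} ErrorInfo;

static unsigned ascii_mbc_to_code(const UChar *p, const UChar *end)
{
    (void)end;
    return *p;
}
static const Encoding ENC_ASCII = { "ASCII", ascii_mbc_to_code };

/* Constructed sample pattern, the one from the report. */
static const UChar SAMPLE_PATTERN[] = "(?0d";

/* Model of the failing compile step.  Its error path clears `par` but leaves
 * `enc` and `par_end` untouched, which is the shape the crash log shows
 * (s=0x0, end=garbage, enc->mbc_to_code=0x0).  Treating a digit right after
 * "(?" as an invalid group name is an assumption of this model. */
static int compile_pattern(const char *pattern, ErrorInfo *einfo)
{
    if (einfo != NULL)
        einfo->par = NULL;
    if (strncmp(pattern, "(?", 2) == 0 && pattern[2] >= '0' && pattern[2] <= '9')
        return ERR_INVALID_GROUP_NAME;
    return 0;
}

/* Shape of the defect: for the group-name error family the parameter is
 * rendered unconditionally, so `enc` and `par_end` are trusted whatever the
 * callee left in them.  Never call this with a partially initialised einfo. */
static void render_par_unguarded(const ErrorInfo *einfo, char *out, size_t out_size)
{
    const UChar *p;
    size_t n = 0;
    for (p = einfo->par; p < einfo->par_end && n + 1 < out_size; p++)
        out[n++] = (char)einfo->enc->mbc_to_code(p, einfo->par_end);
    out[n] = '\0';
}

/* Hardened formatter: the parameter is rendered only when every field it
 * needs is populated, so a zero-initialised ErrorInfo is always safe to pass.
 * Returns the length of the message written to buf. */
static int format_error(int code, const ErrorInfo *einfo, char *buf, size_t buf_size)
{
    const char *msg = (code == ERR_INVALID_GROUP_NAME) ? "invalid group name"
                                                       : "unknown error";
    char parbuf[MAX_PAR_LEN + 1];
    size_t n = 0;

    if (code == ERR_INVALID_GROUP_NAME && einfo != NULL
        && einfo->enc != NULL && einfo->par != NULL && einfo->par_end != NULL) {
        const UChar *p;
        for (p = einfo->par; p < einfo->par_end && n < MAX_PAR_LEN; p++) {
            unsigned c = einfo->enc->mbc_to_code(p, einfo->par_end);
            parbuf[n++] = (c >= 0x20 && c < 0x7f) ? (char)c : '?';
        }
    }
    parbuf[n] = '\0';

    return n > 0 ? snprintf(buf, buf_size, "%s <%s>", msg, parbuf)
                 : snprintf(buf, buf_size, "%s", msg);
}

/* Caller-side defence: zero-initialise the out-parameter so a failure path
 * that fills it only partially leaves NULL pointers, not stack garbage. */
static int exec_pattern(const char *pattern, char *msg, size_t msg_size)
{
    ErrorInfo einfo;
    int r;
    memset(&einfo, 0, sizeof einfo);   /* sample/syntax.c leaves this uninitialised */
    r = compile_pattern(pattern, &einfo);
    if (r != 0)
        format_error(r, &einfo, msg, msg_size);
    else
        snprintf(msg, msg_size, "ok");
    return r;
}

int main(void)
{
    char msg[128];
    ErrorInfo full = { &ENC_ASCII, SAMPLE_PATTERN, SAMPLE_PATTERN + 4 };
    int r = exec_pattern((const char *)SAMPLE_PATTERN, msg, sizeof msg);
    printf("RES: %d MSG: %s\n", r, msg);
    /* A fully populated ErrorInfo renders the offending text as well. */
    format_error(ERR_INVALID_GROUP_NAME, &full, msg, sizeof msg);
    printf("%s\n", msg);
    render_par_unguarded(&full, msg, sizeof msg);   /* safe only because full is populated */
    printf("%s\n", msg);
    return 0;
}
```

In the model, zero-initialising the caller's ErrorInfo is enough on its own because format_error treats a NULL field as "no parameter"; render_par_unguarded shows why it is not enough by itself against a formatter that walks par..par_end and dereferences enc unconditionally, which is the behaviour the backtrace above documents.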