PATCH: [perl #134329] Use after free in regcomp.c
A compiled regex is composed of nodes, forming a linked list, with normally a maximum of 16 bits used to specify the offset of the next link. For patterns that require more space than this, the nodes that jump around are replaced with ones that have wider offsets. Most nodes are unaffected, as they just contain the offset of the next node, and that number is always small. The jump nodes are the ones affected. When compiling a pattern, the 16-bit mechanism is used, until it overflows, at which point the pattern is recompiled with the long jumps instead.

When I rewrote the compiler last year to make it generally one pass, I noticed a lot of the cases where a node was added didn't check if the result overflowed (the function that does this returns FALSE in that case). I presumed the prior authors knew better, and did not change things, except to put in a bogus value in the link (offset) field that should cause a crash if it were used. That's what's happening in this ticket. But seeing this example, it's clear that the return value should be checked every time, because you can reach the limit at any time. This commit changes to do that, and to require the function's return value to not be ignored, to guard against future changes.

My guess is that the reason it generally worked when there were multiple passes is that the first pass didn't do anything except count space, and that at some point before the end of the pass the return value did get checked, so by the time the nodes were allocated for real, it knew enough to use the long jumps.

(cherry picked from commit 3b2e562)
1 parent 284d721, commit 9067ea0. Showing 5 changed files with 88 additions and 34 deletions.
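The failure mode the commit message describes, as an added model (not Perl's regcomp.c and not code from this commit): nodes chained by a 16-bit offset, a link-setting function that returns false on overflow and leaves a poisoned link behind, and a compiler that either ignores that return value (pre-fix behaviour) or checks it and asks for a recompile with long jumps. All names (`regtail_model`, `compile_model`, `links_in_bounds`, `POISON_LINK`) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical model of the situation in the commit message, not Perl's real
 * regcomp.c: nodes are emitted into a flat array and chained by a 16-bit
 * relative offset. A link that does not fit must force recompilation with
 * long jumps; writing it anyway leaves a poisoned link in the program. */
typedef struct { uint16_t next; } node_t;          /* 0 = end of chain */
typedef struct { node_t *prog; size_t len; bool overflowed; } regprog_t;
typedef enum { COMPILE_OK, COMPILE_NEEDS_LONG_JUMPS } status_t;
#define POISON_LINK 0xFFFFu   /* bogus value, meant to crash if ever followed */

/* Make prog[from] point at prog[to]. Returns false when the offset does not
 * fit in 16 bits, the return value the old callers silently ignored. */
static bool regtail_model(regprog_t *p, size_t from, size_t to) {
    size_t off = to - from;
    if (off >= POISON_LINK) {
        p->prog[from].next = POISON_LINK;
        p->overflowed = true;
        return false;
    }
    p->prog[from].next = (uint16_t)off;
    return true;
}

/* Compile a program of span+1 nodes whose first node jumps over the rest.
 * With check_return == false this reproduces the pre-fix behaviour. */
static status_t compile_model(size_t span, bool check_return, regprog_t *p) {
    p->prog = calloc(span + 1, sizeof *p->prog);
    p->len = span + 1;
    p->overflowed = false;
    for (size_t i = 1; i < span; i++)
        regtail_model(p, i, i + 1);            /* adjacent links always fit */
    bool ok = regtail_model(p, 0, span);       /* the wide jump */
    if (check_return && !ok)
        return COMPILE_NEEDS_LONG_JUMPS;       /* caller recompiles with long jumps */
    return COMPILE_OK;
}

/* Defensive validation: every link must land inside the program. */
static bool links_in_bounds(const regprog_t *p) {
    for (size_t i = 0; i < p->len; i++) {
        size_t off = p->prog[i].next;
        if (off != 0 && (off == POISON_LINK || i + off >= p->len))
            return false;
    }
    return true;
}
```

With the return value ignored, a jump spanning more than 65535 nodes is reported as a successful compile while its link points nowhere valid; with the check in place the same input is refused and handed back for the long-jump recompile.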