avoid use-after-free in /(?{...})/
author    David Mitchell <davem@iabyn.com>
          Wed, 19 Jun 2019 12:03:22 +0000 (13:03 +0100)
committer David Mitchell <davem@iabyn.com>
          Tue, 6 Aug 2019 14:21:15 +0000 (15:21 +0100)
commit    1d48e83dd8863e78e8422ed502d9b2f3199193f5
tree      9aa557ddb1d04d714383cf8d14243ad8f672036d
parent    1d84a25665013f389ffc6fad7dd133f1c6287a08
avoid use-after-free in /(?{...})/

RT #134208

In something like

    eval { sub { " " }->() =~ /(?{ die })/ }

when the match string gets aliased to $_, the SAVE_DEFSV is done after the
SAVEDESTRUCTOR_X(S_cleanup_regmatch_info_aux).  So if croaking, the SV
gets SvREFCNT_dec()ed by the SAVE_DEFSV, then S_cleanup_regmatch_info_aux()
manipulates the SV's magic.

This doesn't cause a problem unless the match string is temporary, in
which case the only other reference keeping it alive will be removed
by the FREETMPs during the croak.

The fix is to make sure an extra ref to the SV is held.
regexec.c
regexp.h
t/re/pat_re_eval.t