This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
regmatch(): fix out of bounds array access
author David Mitchell <davem@iabyn.com>
Fri, 19 Oct 2012 09:14:56 +0000 (10:14 +0100)
committer David Mitchell <davem@iabyn.com>
Fri, 19 Oct 2012 09:50:22 +0000 (10:50 +0100)
The code for EXACTF and similar tests that

    UCHARAT(s) != fold_array[nextchr]

but doesn't check first that nextchr != NEXTCHR_EOS (-10), so it can
access the byte 10 bytes before the start of one of the PL_fold_latin1 or
similar arrays. Although undesirable, it's harmless, as the worst it can
achieve is a false positive match of the first char of the EXACTF string,
which will then still fail on a full compare of the string.
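
The behaviour the commit message describes, modelled as an added example; it is not part of the commit or of Perl's source. The table layout, the guard bytes, `full_compare` and `match_at` are assumptions made so that the read at index -10 is well defined and its effect on the match can be observed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define NEXTCHR_EOS (-10)   /* end-of-string sentinel; value from the commit message */
/* Constructed stand-in for a fold table: 16 guard bytes precede the 256 real
 * entries, so index -10 stays inside one array object and is well defined here. */
static unsigned char storage[16 + 256];
static unsigned char *const fold_array = storage + 16;

static void init_fold(unsigned char neighbour) {
    memset(storage, neighbour, 16);          /* models memory before the table */
    for (int c = 0; c < 256; c++)
        fold_array[c] = (unsigned char)(isupper(c) ? tolower(c) : toupper(c));
}

/* Pre-fix quick test: nonzero means reject (sayNO). */
static int reject_before(unsigned char pat0, int nextchr) {
    return pat0 != nextchr && pat0 != fold_array[nextchr];
}

/* Post-fix quick test: the sentinel never reaches the table lookup. */
static int reject_after(unsigned char pat0, int nextchr) {
    return pat0 != nextchr && nextchr != NEXTCHR_EOS && pat0 != fold_array[nextchr];
}

/* Hypothetical full compare: case-folded and bounded by the remaining input. */
static int full_compare(const char *pat, const char *in, size_t in_len) {
    size_t n = strlen(pat);
    if (n > in_len) return 0;
    for (size_t i = 0; i < n; i++)
        if (pat[i] != in[i] && (unsigned char)pat[i] != fold_array[(unsigned char)in[i]])
            return 0;
    return 1;
}

/* Match pat at offset pos (pos <= strlen(in)), quick test first. */
static int match_at(const char *pat, const char *in, size_t pos, int fixed) {
    size_t len = strlen(in);
    int nextchr = pos < len ? (unsigned char)in[pos] : NEXTCHR_EOS;
    unsigned char p0 = (unsigned char)pat[0];
    if (fixed ? reject_after(p0, nextchr) : reject_before(p0, nextchr)) return 0;
    return full_compare(pat, in + pos, len - pos);
}

int main(void) {
    init_fold('a');   /* neighbour byte happens to equal the pattern's first char */
    printf("quick=%d full=%d\n", !reject_before('a', NEXTCHR_EOS), match_at("abc", "xyz", 3, 0));
    return 0;
}
```

With the unguarded test, whether the quick check passes at end of string depends on the byte in front of the table; with the guard it always passes and the bounded compare decides the result.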

regexec.c

index 0ee1c5a..8ee8a8f 100644 (file)
--- a/regexec.c
+++ b/regexec.c
@@ -4206,8 +4206,9 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
            }
 
            /* Neither the target nor the pattern are utf8 */
-           if (UCHARAT(s) != nextchr &&
-               UCHARAT(s) != fold_array[nextchr])
+           if (UCHARAT(s) != nextchr
+                && !NEXTCHR_IS_EOS
+               && UCHARAT(s) != fold_array[nextchr])
            {
                sayNO;
            }
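
Review bot: With `&& !NEXTCHR_IS_EOS` added to the condition, the whole test is false at end of string, so `sayNO` is skipped and an EOS position always passes this quick check. The commit message says a later full compare of the string rejects that case, but nothing in this hunk shows it. Please add a comment next to the condition stating that the EOS case is deliberately left to the later compare, or, if an EXACTF-style node can never match at end of string, fail here instead with `if (NEXTCHR_IS_EOS || (UCHARAT(s) != nextchr && UCHARAT(s) != fold_array[nextchr]))`. The commit message also says "EXACTF and similar"; this hunk guards one `fold_array[nextchr]` lookup, so it is worth confirming that no other lookup indexed by `nextchr` in `S_regmatch` is reachable with the EOS value. Minor: the `&& !NEXTCHR_IS_EOS` line is indented one column deeper than the `&&` line after it.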