(perl #129085) avoid memcmp() past the end of a string
authorTony Cook <tony@develop-help.com>
Mon, 29 Aug 2016 05:04:55 +0000 (15:04 +1000)
committerTony Cook <tony@develop-help.com>
Mon, 31 Oct 2016 04:35:51 +0000 (15:35 +1100)
When a match is anchored against the start of a string, the regexp
can be compiled to include a fixed string match against a fixed
offset in the string.

In some cases, where the string being matched against included UTF-8
before the fixed offset, this could result in attempting a memcmp() which
overlaps the end of the string and potentially reads past the end of the
allocated memory.

regexec.c
t/re/pat_rt_report.t

index 1d8e33a..aca490e 100644 (file)
--- a/regexec.c
+++ b/regexec.c
@@ -813,8 +813,9 @@ Perl_re_intuit_start(pTHX_
                     /* Now should match s[0..slen-2] */
                     slen--;
                 }
-                if (slen && (*SvPVX_const(check) != *s
-                    || (slen > 1 && memNE(SvPVX_const(check), s, slen))))
+                if (slen && (strend - s < slen
+                    || *SvPVX_const(check) != *s
+                    || (slen > 1 && (memNE(SvPVX_const(check), s, slen)))))
                 {
                     DEBUG_EXECUTE_r(Perl_re_printf( aTHX_
                                     "  String not equal...\n"));
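Review bot: The added `strend - s < slen` bound in the `if` condition is only sound if `slen` is a signed type and `s` never exceeds `strend`, and neither is visible in this hunk (the declarations sit earlier in Perl_re_intuit_start, which starts and ends outside it). If `slen` were unsigned, the pointer difference would be converted and a negative value would slip past the check, so that is worth confirming at the declaration. I would also put a short comment above the condition, for example `/* check string must fit in the rest of the target, or memNE() reads past strend */`, since the guard also keeps the `*s` dereference from running when `s == strend`. The extra parentheses around `memNE(...)` on the last added line are redundant.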
index addb3e2..bee1b19 100644 (file)
@@ -20,7 +20,7 @@ use warnings;
 use 5.010;
 use Config;
 
-plan tests => 2501;  # Update this when adding/deleting tests.
+plan tests => 2502;  # Update this when adding/deleting tests.
 
 run_tests() unless caller;
 
@@ -1123,6 +1123,13 @@ EOP
         ok($s !~ /00000?\x80\x80\x80/, "RT #129012");
     }
 
+    {
+        # RT #129085 heap-buffer-overflow Perl_re_intuit_start
+        # this did fail under ASAN, but didn't under valgrind
+        my $s = "\x{f2}\x{140}\x{fe}\x{ff}\x{ff}\x{ff}";
+        ok($s !~ /^0000.\34500\376\377\377\377/, "RT #129085");
+    }
+
 } # End of sub run_tests
 
 1;
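Review bot: The new RT #129085 block only asserts that the match fails, and its own comment says the over-read showed up under ASAN but not under valgrind, so on an ordinary build this test presumably passed even before the fix. The comment should say that directly, e.g. `# only detects a regression in a sanitizer (ASAN) build; a plain build may pass with the bug present`, so a green run on a normal build is not read as coverage. It would also help to note that `\x{140}` is what forces `$s` to be UTF-8 encoded, which is the condition the commit message describes.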