This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
avoid reading/writing beyond the end of RExC_(open|close)_parens
author    Tony Cook <tony@develop-help.com>
          Mon, 7 Mar 2016 03:58:38 +0000 (14:58 +1100)
committer Tony Cook <tony@develop-help.com>
          Mon, 7 Mar 2016 03:58:38 +0000 (14:58 +1100)
Partly reverts d5a00e4af, which added this change:

-        for ( paren=0 ; paren < RExC_npar ; paren++ ) {
+        for ( paren=0 ; paren <= RExC_npar ; paren++ ) {

but RExC_(open|close)_parens are both allocated with RExC_npar entries,
making this a read/write buffer overflow.

This caused crashes during the build with GCC on Win32, and was
detectable with valgrind and -fsanitize=address on Linux.

With the change, passes all tests with -fsanitize=address -DDEBUGGING
on Linux and finishes the build with GCC on Win32.
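The off-by-one the message describes, shown as an added example in C that is not code from this Perl commit or from regcomp.c: a small model of the S_reginsert fix-up over two pointer tables allocated with exactly npar entries, using the loop bound that matches that allocation. The regnode stand-in, the parens_state struct, the "NULL means group not seen yet" convention and the constructed 16-node program are assumptions of this example, not details taken from the Perl source.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for regcomp.c's regnode; only the addresses matter here. */
typedef struct {
    unsigned char  flags;
    unsigned char  type;
    unsigned short next_off;
} regnode;

/* Hypothetical model of the parts of the compile state this fix touches:
 * npar groups, and two pointer tables each allocated with exactly npar
 * entries (slot 0 is unused because paren numbering is 1-based). */
typedef struct {
    int       npar;
    regnode **open_parens;
    regnode **close_parens;
} parens_state;

static parens_state *new_parens_state(int npar)
{
    parens_state *st = calloc(1, sizeof *st);
    if (!st) abort();
    st->npar = npar;
    /* npar entries each, mirroring the allocation the commit message cites;
     * entries start NULL, which this model treats as "group not seen yet". */
    st->open_parens  = calloc((size_t)npar, sizeof *st->open_parens);
    st->close_parens = calloc((size_t)npar, sizeof *st->close_parens);
    if (!st->open_parens || !st->close_parens) abort();
    return st;
}

static void free_parens_state(parens_state *st)
{
    free(st->open_parens);
    free(st->close_parens);
    free(st);
}

/* The S_reginsert-style fix-up: `size` nodes were inserted at `opnd`, so every
 * recorded group position at or after `opnd` moves up by `size`.
 * Valid indexes are 0 .. npar-1, hence `paren < st->npar`; the `<=` bound
 * this commit reverts reads and writes one entry past each table.
 * Returns how many pointers were moved. */
static int shift_parens_after_insert(parens_state *st, regnode *opnd, size_t size)
{
    int adjusted = 0;
    for (int paren = 0; paren < st->npar; paren++) {
        if (st->open_parens[paren] && st->open_parens[paren] >= opnd) {
            st->open_parens[paren] += size;
            adjusted++;
        }
        if (st->close_parens[paren] && st->close_parens[paren] >= opnd) {
            st->close_parens[paren] += size;
            adjusted++;
        }
    }
    return adjusted;
}

/* Constructed scenario: a 16-node program with two groups; two nodes are
 * inserted at index 6. The result reports where each group ended up. */
typedef struct {
    int       adjusted;
    ptrdiff_t open1, close1, open2, close2;
} demo_result;

static demo_result run_demo(void)
{
    static regnode program[16];             /* big enough that shifted pointers stay in bounds */
    parens_state *st = new_parens_state(3); /* npar = 3: groups 1 and 2, slot 0 unused */
    st->open_parens[1]  = &program[2];
    st->close_parens[1] = &program[5];
    st->open_parens[2]  = &program[7];
    st->close_parens[2] = &program[9];

    demo_result r;
    r.adjusted = shift_parens_after_insert(st, &program[6], 2);
    r.open1  = st->open_parens[1]  - program;   /* 2: before the insert point, untouched */
    r.close1 = st->close_parens[1] - program;   /* 5: untouched */
    r.open2  = st->open_parens[2]  - program;   /* 7 -> 9 */
    r.close2 = st->close_parens[2] - program;   /* 9 -> 11 */
    free_parens_state(st);
    return r;
}

int main(void)
{
    demo_result r = run_demo();
    printf("moved %d pointers; group 1 = %td..%td, group 2 = %td..%td\n",
           r.adjusted, r.open1, r.close1, r.open2, r.close2);
    return 0;
}
```

Changing the bound in shift_parens_after_insert to `paren <= st->npar` and building with `-fsanitize=address` reproduces the class of report the message refers to: a heap-buffer-overflow read of `open_parens[npar]`, one pointer past a table of npar entries.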

regcomp.c

index 18d4364..916f9ba 100644 (file)
--- a/regcomp.c
+++ b/regcomp.c
@@ -18214,7 +18214,7 @@ S_reginsert(pTHX_ RExC_state_t *pRExC_state, U8 op, regnode *opnd, U32 depth)
     if (RExC_open_parens) {
         int paren;
         /*DEBUG_PARSE_FMT("inst"," - %"IVdf, (IV)RExC_npar);*/
-        for ( paren=0 ; paren <= RExC_npar ; paren++ ) {
+        for ( paren=0 ; paren < RExC_npar ; paren++ ) {
             if ( RExC_open_parens[paren] >= opnd ) {
                 /*DEBUG_PARSE_FMT("open"," - %d",size);*/
                 RExC_open_parens[paren] += size;
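Review bot: the subject line says both RExC_open_parens and RExC_close_parens were being accessed past their end, but this hunk only tightens the RExC_open_parens loop in S_reginsert; the RExC_close_parens loop is not in the excerpt shown, so confirm it received the same `<= RExC_npar` to `< RExC_npar` change, otherwise the write overflow remains on that table. Since the correctness of `paren < RExC_npar` rests on both tables holding exactly RExC_npar entries, a one-line comment at the loop stating that relation (or an assert on the table size under DEBUGGING) would make it harder for the `<=` to creep back in as it did in d5a00e4af. The commented-out DEBUG_PARSE_FMT lines in this region are dead code and could be dropped while the loop is being touched.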