This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
Revert "PATCH: (perl #132227 CVE-2018-6797] heap-buffer-overflow"
authorKarl Williamson <khw@cpan.org>
Tue, 17 Apr 2018 03:12:03 +0000 (21:12 -0600)
committerKarl Williamson <khw@cpan.org>
Tue, 17 Apr 2018 04:33:49 +0000 (22:33 -0600)
This reverts commit 2407a17ad5d780a1625dddfb668056ab05459194.

It turns out that I applied the wrong patch, which was a preliminary one
that did not solve the entire problem.  The next commit will apply a
correct fix, with test.

regcomp.c

index 374131c..4e72589 100644 (file)
--- a/regcomp.c
+++ b/regcomp.c
@@ -13925,24 +13925,11 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
                      * is_PROBLEMATIC_LOCALE_FOLD_cp) */
                     if (! IS_IN_SOME_FOLD_L1(ender)) {
 
-                        /* See if the character's fold differs between /d and
-                         * /u.  This includes the multi-char fold SHARP S to
-                         * 'ss' */
-                        if (UNLIKELY(ender == LATIN_SMALL_LETTER_SHARP_S)) {
-
-                            /* If the node started out having uni rules, we
-                             * wouldn't have gotten here.  So this means
-                             * something in the middle has changed it, but
-                             * didn't think it needed to reparse.  But this
-                             * sharp s now does indicate the need for
-                             * reparsing. */
-                            if (RExC_uni_semantics) {
-                                p = oldp;
-                                goto loopdone;
-                            }
-
-                            RExC_seen_unfolded_sharp_s = 1;
-                            maybe_exactfu = FALSE;
+                        /* Start a new node for this non-folding character if
+                         * previous ones in the node were folded */
+                        if (len && node_type != EXACT) {
+                            p = oldp;
+                            goto loopdone;
                         }
 
                         *(s++) = (char) ender;