This is a live mirror of the Perl 5 development currently hosted at https://github.com/perl/perl5
prevent integer overflow when compiling a regexp
authorTony Cook <tony@develop-help.com>
Mon, 14 Aug 2017 05:10:22 +0000 (15:10 +1000)
committerZefram <zefram@fysh.org>
Wed, 6 Dec 2017 22:07:56 +0000 (22:07 +0000)
Fixes [perl #131893].

regcomp.c
t/re/pat.t

index fcedc36..c01fec6 100644 (file)
--- a/regcomp.c
+++ b/regcomp.c
@@ -5941,8 +5941,12 @@ Perl_re_printf( aTHX_  "LHS=%" UVuf " RHS=%" UVuf "\n",
                     data->cur_is_floating = 1; /* float */
             }
             min += min1;
-            if (delta != SSize_t_MAX)
-                delta += max1 - min1;
+            if (delta != SSize_t_MAX) {
+                if (SSize_t_MAX - (max1 - min1) >= delta)
+                    delta += max1 - min1;
+                else
+                    delta = SSize_t_MAX;
+            }
             if (flags & SCF_DO_STCLASS_OR) {
                 ssc_or(pRExC_state, data->start_class, (regnode_charclass *) &accum);
                 if (min1) {
index 66fe6f3..27d9833 100644 (file)
@@ -23,7 +23,7 @@ BEGIN {
     skip_all('no re module') unless defined &DynaLoader::boot_DynaLoader;
     skip_all_without_unicode_tables();
 
-plan tests => 844;  # Update this when adding/deleting tests.
+plan tests => 845;  # Update this when adding/deleting tests.
 
 run_tests() unless caller;
 
@@ -1921,6 +1921,10 @@ EOP
         # [perl #129281] buffer write overflow, detected by ASAN, valgrind
         fresh_perl_is('/0(?0)|^*0(?0)|^*(^*())0|/', '', {}, "don't bump whilem_c too much");
     }
+    {
+        # RT #131893 - fails with ASAN -fsanitize=undefined
+        fresh_perl_is('qr/0(0?(0||00*))|/', '', {}, "integer overflow during compilation");
+    }
 
     {
         # RT #131575 intuit skipping back from the end to find the highest