Fix a buffer overflow when studying some regexps repeatedly

Petr Písař 2017-02-10 11:34:04 +01:00
parent b79329e9cf
commit 2fa0b0b374
3 changed files with 128 additions and 0 deletions


@ -0,0 +1,49 @@
From 92f8cd4e7b0ff3d09162139e3c99b1d9310bca81 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 10 Oct 2016 10:46:46 +1100
Subject: [PATCH] (perl #129281) test for buffer overflow issue
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ported to 5.24.1:
commit d2ba660af00f1bf2e7012741615eff7c19f29707
Author: Tony Cook <tony@develop-help.com>
Date: Mon Oct 10 10:46:46 2016 +1100
(perl #129281) test for buffer overflow issue
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
t/re/pat.t | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/t/re/pat.t b/t/re/pat.t
index 749edd0..7b8e6f7 100644
--- a/t/re/pat.t
+++ b/t/re/pat.t
@@ -23,7 +23,7 @@ BEGIN {
skip_all_without_unicode_tables();
}
-plan tests => 792; # Update this when adding/deleting tests.
+plan tests => 793; # Update this when adding/deleting tests.
run_tests() unless caller;
@@ -1779,6 +1779,11 @@ EOP
}msx, { stderr => 1 }, "Offsets in debug output are not negative");
}
}
+ {
+ # [perl #129281] buffer write overflow, detected by ASAN, valgrind
+ local $::TODO = "whilem_c bumped too much";
+ fresh_perl_is('/0(?0)|^*0(?0)|^*(^*())0|/', '', {}, "don't bump whilem_c too much");
+ }
} # End of sub run_tests
1;
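Review bot: the added `fresh_perl_is` call passes an empty options hash `{}`, while the test just above it in the same hunk passes `{ stderr => 1 }`; since the comment says the overflow was detected by ASAN and valgrind, it is worth confirming that a sanitizer report on stderr actually makes this test fail rather than going unnoticed. The comment could also state that the test is only meaningful on an instrumented build, because a write one byte past a buffer may show no symptom otherwise. While `$::TODO` is set, a failure here is reported as expected, so this patch on its own does not guard against the bug.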
--
2.7.4


@ -0,0 +1,69 @@
From 42e9b60980bb8e29e76629e14c6aa945194c0647 Mon Sep 17 00:00:00 2001
From: Hugo van der Sanden <hv@crypt.org>
Date: Wed, 5 Oct 2016 02:20:26 +0100
Subject: [PATCH] [perl #129061] CURLYX nodes can be studied more than once
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
study_chunk() for CURLYX is used to set flags on the linked WHILEM
node to say it is the whilem_c'th of whilem_seen. However it assumes
each CURLYX can be studied only once, which is not the case - there
are various cases such as GOSUB which call study_chunk() recursively
on already-visited parts of the program.
Storing the wrong index can cause the super-linear cache handling in
regmatch() to read/write the byte after the end of poscache.
Also reported in [perl #129281].
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
regcomp.c | 12 +++++++++---
t/re/pat.t | 1 -
2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/regcomp.c b/regcomp.c
index 850a6c1..48c8d8d 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -5218,15 +5218,21 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
However, this time it's not a subexpression
we care about, but the expression itself. */
&& (maxcount == REG_INFTY)
- && data && ++data->whilem_c < 16) {
+ && data) {
/* This stays as CURLYX, we can put the count/of pair. */
/* Find WHILEM (as in regexec.c) */
regnode *nxt = oscan + NEXT_OFF(oscan);
if (OP(PREVOPER(nxt)) == NOTHING) /* LONGJMP */
nxt += ARG(nxt);
- PREVOPER(nxt)->flags = (U8)(data->whilem_c
- | (RExC_whilem_seen << 4)); /* On WHILEM */
+ nxt = PREVOPER(nxt);
+ if (nxt->flags & 0xf) {
+ /* we've already set whilem count on this node */
+ } else if (++data->whilem_c < 16) {
+ assert(data->whilem_c <= RExC_whilem_seen);
+ nxt->flags = (U8)(data->whilem_c
+ | (RExC_whilem_seen << 4)); /* On WHILEM */
+ }
}
if (data && fl & (SF_HAS_PAR|SF_IN_PAR))
pars++;
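Review bot: the new guard `if (nxt->flags & 0xf)` has an empty body holding only a comment, and it treats a zero low nibble as "not yet studied", which relies on the WHILEM node's flags being zero before the first visit; that assumption deserves a comment next to the check. Folding the test into the condition, as in `if (!(nxt->flags & 0xf) && ++data->whilem_c < 16)`, would drop the empty branch while still skipping the increment on revisits. Two smaller points: once `whilem_c` reaches 16 the flags stay zero, so such a node is counted again on every later visit (nothing is stored, but the counter keeps growing), and the `assert` checks `whilem_c <= RExC_whilem_seen` only in builds where assertions are enabled.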
diff --git a/t/re/pat.t b/t/re/pat.t
index ecd3af1..16bfc8e 100644
--- a/t/re/pat.t
+++ b/t/re/pat.t
@@ -1909,7 +1909,6 @@ EOP
}
{
# [perl #129281] buffer write overflow, detected by ASAN, valgrind
- local $::TODO = "whilem_c bumped too much";
fresh_perl_is('/0(?0)|^*0(?0)|^*(^*())0|/', '', {}, "don't bump whilem_c too much");
}
} # End of sub run_tests
--
2.7.4


@ -287,6 +287,11 @@ Patch81: perl-5.25.9-silence-warnings-from-tests-about-impossible-quantif
# in upstream after 5.25.9
Patch82: perl-5.24.1-buffer-overrun-with-format-and-use-bytes.patch
# Fix a buffer overflow when studying some regexps repeatedly,
# RT#129281, RT#129061, un upstream after 5.25.9
Patch83: perl-5.24.1-perl-129281-test-for-buffer-overflow-issue.patch
Patch84: perl-5.25.9-perl-129061-CURLYX-nodes-can-be-studied-more-than-on.patch
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
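Review bot: typo in the added comment above Patch83, "un upstream after 5.25.9" should read "in upstream after 5.25.9", matching the wording of the comment above Patch82. The same comment block covers both Patch83 and Patch84; since Patch83 only adds the test and Patch84 carries the regcomp.c change, a word saying which is which would help whoever later drops these on rebase.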
@ -2997,6 +3002,8 @@ popd
%patch80 -p1
%patch81 -p1
%patch82 -p1
%patch83 -p1
%patch84 -p1
%patch200 -p1
%patch201 -p1
@ -3064,6 +3071,7 @@ perl -x patchlevel.h \
'Fedora Patch77: Adapt tests to zlib-1.2.11 (CPAN RT#119762)' \
'Fedora Patch79: Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)' \
'Fedora Patch82: Fix a buffer overrun with format and "use bytes" (RT#130703)' \
'Fedora Patch83: Fix a buffer overflow when studying some regexps repeatedly (RT#129281, RT#129061)' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil}
@ -5344,6 +5352,8 @@ popd
- Adapt tests to zlib-1.2.11 (bug #1420326)
- Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)
- Fix a buffer overrun with format and "use bytes" (RT#130703)
- Fix a buffer overflow when studying some regexps repeatedly
(RT#129281, RT#129061)
* Thu Jan 26 2017 Petr Pisar <ppisar@redhat.com> - 4:5.24.1-387
- Fix UTF-8 string handling in & operator (RT#129287)