From 90f66c42e4513ae5d907805fbf28b9967a90d6c5 Mon Sep 17 00:00:00 2001
From: John Lightsey <john@04755.net>
Date: Fri, 28 Aug 2020 23:39:18 -0500
Subject: [PATCH] Heap buffer overflow in regex bracket group whitespace
handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The code for skipping whitespace in regex bracket character groups
was walking past the end of the regex in some cases.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
regcomp.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/regcomp.c b/regcomp.c
index db82c77b00..64488994fa 100644
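--- a/regcomp.c
+++ b/regcomp.c
@@ -17228,10 +17228,10 @@ S_add_multi_match(pTHX_ AV* multi_char_matches, SV* multi_string, const STRLEN c
 *
 * There is a line below that uses the same white space criteria but is outside
 * this macro. Both here and there must use the same definition */
-#define SKIP_BRACKETED_WHITE_SPACE(do_skip, p) \
+#define SKIP_BRACKETED_WHITE_SPACE(do_skip, p, stop_p) \
 STMT_START { \
 if (do_skip) { \
- while (isBLANK_A(UCHARAT(p))) \
+ while (p < stop_p && isBLANK_A(UCHARAT(p))) \
 { \
 p++; \
 } \
@@ -17406,7 +17406,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 initial_listsv_len = SvCUR(listsv);
 SvTEMP_off(listsv); /* Grr, TEMPs and mortals are conflated. */
 
- SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
+ SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
 
 assert(RExC_parse <= RExC_end);
 
@@ -17415,7 +17415,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 invert = TRUE;
 allow_mutiple_chars = FALSE;
 MARK_NAUGHTY(1);
- SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
+ SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
 }
 
 /* Check that they didn't say [:posix:] instead of [[:posix:]] */
@@ -17462,12 +17462,12 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 output_posix_warnings(pRExC_state, posix_warnings);
 }
 
+ SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
+
 if (RExC_parse >= stop_ptr) {
 break;
 }
 
- SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
-
 if (UCHARAT(RExC_parse) == ']') {
 break;
 }
@@ -18156,7 +18156,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 }
 } /* end of namedclass \blah */
 
- SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse);
+ SKIP_BRACKETED_WHITE_SPACE(skip_white, RExC_parse, RExC_end);
 
 /* If 'range' is set, 'value' is the ending of a range--check its
 * validity. (If value isn't a single code point in the case of a
@@ -18199,7 +18199,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 char* next_char_ptr = RExC_parse + 1;
 
 /* Get the next real char after the '-' */
- SKIP_BRACKETED_WHITE_SPACE(skip_white, next_char_ptr);
+ SKIP_BRACKETED_WHITE_SPACE(skip_white, next_char_ptr, RExC_end);
 
 /* If the '-' is at the end of the class (just before the ']',
 * it is a literal minus; otherwise it is a range */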
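Review bot: The bounded loop in `SKIP_BRACKETED_WHITE_SPACE` can now stop with `p` equal to `stop_p`, so each read that follows a call needs its own end check, and the visible lines show one only in the fourth hunk, where the skip is moved ahead of `if (RExC_parse >= stop_ptr)`. In the last hunk the code after the skip lies outside the hunk and decides literal minus versus range from `next_char_ptr`; it should test `next_char_ptr < RExC_end` before dereferencing, if it does not already. The comment above the macro says a line further down applies the same whitespace test outside the macro, and this patch does not touch that line, so it should be checked for the same end bound. The macro would also be safer with its arguments parenthesized, `while ((p) < (stop_p) && isBLANK_A(UCHARAT(p)))`. The diffstat lists only regcomp.c, so no regression test for the overflow accompanies the fix.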
--
2.25.4