
List:       perl5-changes
Subject:    [perl.git]  branch blead, updated. v5.25.6-136-g26fb231
From:       Tony Cook <tony () develop-help ! com>
Date:       2016-10-31 4:55:13
Message-ID: E1c14cr-0001Fy-Hu () camel-001 ! ams6 ! corp ! booking ! com

In perl.git, the branch blead has been updated

<http://perl5.git.perl.org/perl.git/commitdiff/26fb2318c4fffb51517349273992c3b9514d0d67?hp=856bb39c27416e4cb179e60a2b67ab0810baf7c3>


- Log -----------------------------------------------------------------
commit 26fb2318c4fffb51517349273992c3b9514d0d67
Author: Tony Cook <tony@develop-help.com>
Date:   Mon Aug 29 15:04:55 2016 +1000

    (perl #129085) avoid memcmp() past the end of a string
    
    When a match is anchored against the start of a string, the regexp
    can be compiled to include a fixed string match against a fixed
    offset in the string.
    
    In some cases, where the string being matched included UTF-8 before
    the fixed offset, this could result in attempting a memcmp() which
    overlaps the end of the string and potentially reads past the end of
    the allocated memory.
-----------------------------------------------------------------------

Summary of changes:
 regexec.c            | 5 +++--
 t/re/pat_rt_report.t | 9 ++++++++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/regexec.c b/regexec.c
index 1d8e33a..aca490e 100644
--- a/regexec.c
+++ b/regexec.c
@@ -813,8 +813,9 @@ Perl_re_intuit_start(pTHX_
                     /* Now should match s[0..slen-2] */
                     slen--;
                 }
-                if (slen && (*SvPVX_const(check) != *s
-                    || (slen > 1 && memNE(SvPVX_const(check), s, slen))))
+                if (slen && (strend - s < slen
+                    || *SvPVX_const(check) != *s
+                    || (slen > 1 && (memNE(SvPVX_const(check), s, slen)))))
                 {
                     DEBUG_EXECUTE_r(Perl_re_printf( aTHX_
                                     "  String not equal...\n"));
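Review bot: The new `strend - s < slen` test on the first added line has no comment, and its position matters: as the first operand of the `||` chain it also keeps `*s` on the following line from being read when fewer than `slen` bytes remain before `strend`, so a later reordering would bring back an out-of-bounds read. I would add `/* fewer than slen bytes left before strend: test this before *s and memNE() (RT #129085) */` above the condition. The declaration of `slen` is outside the hunk; if it turns out to be an unsigned type the comparison with the pointer difference would be done unsigned, so it is worth confirming that it is signed. The extra parentheses around `memNE(...)` are redundant. `Perl_re_intuit_start` begins and ends outside the hunk.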
diff --git a/t/re/pat_rt_report.t b/t/re/pat_rt_report.t
index addb3e2..bee1b19 100644
--- a/t/re/pat_rt_report.t
+++ b/t/re/pat_rt_report.t
@@ -20,7 +20,7 @@ use warnings;
 use 5.010;
 use Config;
 
-plan tests => 2501;  # Update this when adding/deleting tests.
+plan tests => 2502;  # Update this when adding/deleting tests.
 
 run_tests() unless caller;
 
@@ -1123,6 +1123,13 @@ EOP
         ok($s !~ /00000?\x80\x80\x80/, "RT #129012");
     }
 
+    {
+        # RT #129085 heap-buffer-overflow Perl_re_intuit_start
+        # this did fail under ASAN, but didn't under valgrind
+        my $s = "\x{f2}\x{140}\x{fe}\x{ff}\x{ff}\x{ff}";
+        ok($s !~ /^0000.\34500\376\377\377\377/, "RT #129085");
+    }
+
 } # End of sub run_tests
 
 1;
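Review bot: The added `ok($s !~ ...)` case most likely passes on an ordinary build even without the regexec.c change, since its own comment says the overread showed under ASAN and not under valgrind, so a green run only counts as coverage on a sanitizer build. The comment should say that outright, for example `# only an ASAN build is expected to catch a regression here; the match result itself is not expected to differ`. It would also help to note that `\x{140}` is what makes `$s` a UTF-8 string, which the commit message gives as the precondition, so the test string is not simplified later. `run_tests` starts outside the hunk.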

--
Perl5 Master Repository

