Fix out-of-bound read in case of unmatched regexp backreference

2017-01-20 10:37:35 +01:00 · 2017-01-20 10:37:35 +01:00 · 7123c928a4
commit 7123c928a4
parent abd9ed8e7e
2 changed files with 114 additions and 0 deletions
--- a/perl-5.24.1-perl-129377-don-t-read-past-start-of-string-for-unma.patch
+++ b/perl-5.24.1-perl-129377-don-t-read-past-start-of-string-for-unma.patch
@ -0,0 +1,107 @@
 From a08fa6fd157fd0d61da7f20f07b939fbc302c2c6 Mon Sep 17 00:00:00 2001
 From: Hugo van der Sanden <hv@crypt.org>
 Date: Wed, 5 Oct 2016 12:56:05 +0100
 Subject: [PATCH] [perl #129377] don't read past start of string for unmatched
 backref
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Ported to 5.24.1:
 commit 2dfc11ec3af312f4fa3eb244077c79dbb5fc2d85
 Author: Hugo van der Sanden <hv@crypt.org>
 Date:   Wed Oct 5 12:56:05 2016 +0100
    [perl #129377] don't read past start of string for unmatched backref
    We can have (start, end) == (0, -1) for an unmatched backref, we must
    check for that.
 Signed-off-by: Petr Písař <ppisar@redhat.com>
 ---
 regexec.c  | 10 ++++++----
 t/re/pat.t | 16 +++++++++++++++-
 2 files changed, 21 insertions(+), 5 deletions(-)
 diff --git a/regexec.c b/regexec.c
 index a5d5db4..a7bc0c3 100644
 --- a/regexec.c
 +++ b/regexec.c
@@ -5179,6 +5179,7 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
     regnode *next;
     U32 n = 0;	/* general value; init to avoid compiler warning */
     SSize_t ln = 0; /* len or last;  init to avoid compiler warning */
 +    SSize_t endref = 0; /* offset of end of backref when ln is start */
     char *locinput = startpos;
     char *pushinput; /* where to continue after a PUSH */
     I32 nextchr;   /* is always set to UCHARAT(locinput), or -1 at EOS */
@@ -6489,10 +6490,11 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
 	  do_nref_ref_common:
 	    ln = rex->offs[n].start;
 +	    endref = rex->offs[n].end;
 	    reginfo->poscache_iter = reginfo->poscache_maxiter; /* Void cache */
 -	    if (rex->lastparen < n || ln == -1)
 +	    if (rex->lastparen < n || ln == -1 || endref == -1)
 		sayNO;			/* Do not match unless seen CLOSEn. */
 -	    if (ln == rex->offs[n].end)
 +	    if (ln == endref)
 		break;
 	    s = reginfo->strbeg + ln;
@@ -6506,7 +6508,7 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
                     * not going off the end given by reginfo->strend, and
                     * returns in <limit> upon success, how much of the
                     * current input was matched */
 -		if (! foldEQ_utf8_flags(s, NULL, rex->offs[n].end - ln, utf8_target,
 +		if (! foldEQ_utf8_flags(s, NULL, endref - ln, utf8_target,
 				    locinput, &limit, 0, utf8_target, utf8_fold_flags))
 		{
 		    sayNO;
@@ -6521,7 +6523,7 @@ S_regmatch(pTHX_ regmatch_info *reginfo, char *startpos, regnode *prog)
 		(type == REF ||
 		 UCHARAT(s) != fold_array[nextchr]))
 		sayNO;
 -	    ln = rex->offs[n].end - ln;
 +	    ln = endref - ln;
 	    if (locinput + ln > reginfo->strend)
 		sayNO;
 	    if (ln > 1 && (type == REF
 diff --git a/t/re/pat.t b/t/re/pat.t
 index 4aa77cf..749edd0 100644
 --- a/t/re/pat.t
 +++ b/t/re/pat.t
@@ -23,7 +23,7 @@ BEGIN {
     skip_all_without_unicode_tables();
 }
 -plan tests => 791;  # Update this when adding/deleting tests.
 +plan tests => 792;  # Update this when adding/deleting tests.
 run_tests() unless caller;
@@ -1765,6 +1765,20 @@ EOP
             utf8::upgrade($str);
             ok( $str =~ m{^(a|a\x{e4})$}, "fix [perl #129950] - utf8 case" );
         }
 +    {
 +	# [perl #129377] backref to an unmatched capture should not cause
 +	# reading before start of string.
 +	SKIP: {
 +	    skip "no re-debug under miniperl" if is_miniperl;
 +	    my $prog = <<'EOP';
 +use re qw(Debug EXECUTE);
 +"x" =~ m{ () y | () \1 }x;
 +EOP
 +	    fresh_perl_like($prog, qr{
 +		\A (?! .* ^ \s+ - )
 +	    }msx, { stderr => 1 }, "Offsets in debug output are not negative");
 +	}
 +    }
 } # End of sub run_tests
 1;
 -- 
 2.7.4
--- a/perl.spec
+++ b/perl.spec
@ -252,6 +252,10 @@ Patch69:        perl-5.24.1-perl-129125-copy-form-data-if-it-might-be-freed.patc
 # transliteration expression, RT#129342, in upstream after 5.25.8
 Patch70:        perl-5.24.1-perl-129342-ensure-range-start-is-set-after-error-in.patch
 # Fix out-of-bound read in case of unmatched regexp backreference, RT#129377,
 # in upstream after 5.25.8
 Patch71:        perl-5.24.1-perl-129377-don-t-read-past-start-of-string-for-unma.patch
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200:       perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -2946,6 +2950,7 @@ Perl extension for Version Objects
 %patch68 -p1
 %patch69 -p1
 %patch70 -p1
 %patch71 -p1
 %patch200 -p1
 %patch201 -p1
@ -3004,6 +3009,7 @@ perl -x patchlevel.h \
    'Fedora Patch67: Fix a heap overflow with pack "W" (RT129149)' \
    'Fedora Patch69: Fix a use-after-free when processing scalar variables in forms (RT#129125)' \
    'Fedora Patch70: Fix a heap overflow if invalid octal or hexadecimal number is used in transliteration expression (RT#129342)' \
    'Fedora Patch71: Fix out-of-bound read in case of unmatched regexp backreference (RT#129377)' \
    'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
    'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
    %{nil}
@ -5286,6 +5292,7 @@ popd
 - Fix a use-after-free when processing scalar variables in forms (RT#129125)
 - Fix a heap overflow if invalid octal or hexadecimal number is used in
  transliteration expression (RT#129342)
 - Fix out-of-bound read in case of unmatched regexp backreference (RT#129377)
 * Mon Jan 16 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.24.1-385
 - 5.24.1 bump (see <http://search.cpan.org/dist/perl-5.24.1/pod/perldelta.pod>