From 83a50fdcff94db9ec636bb99e42a8d837d3920c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?=
Date: Fri, 10 Feb 2017 10:58:17 +0100
Subject: [PATCH] Fix a crash when compiling a regexp with impossible quantifiers
---
 ...cursion-and-optimising-away-impossib.patch | 93 +++++++++++++++++++
 ...s-with-NEXT_OFF-when-we-are-in-PASS2.patch | 38 ++++++++
 ...-from-tests-about-impossible-quantif.patch | 34 +++++++
 perl.spec | 11 +++
 4 files changed, 176 insertions(+)
 create mode 100644 perl-5.24.1-fix-RT-130561-recursion-and-optimising-away-impossib.patch
 create mode 100644 perl-5.25.9-only-mess-with-NEXT_OFF-when-we-are-in-PASS2.patch
 create mode 100644 perl-5.25.9-silence-warnings-from-tests-about-impossible-quantif.patch
diff --git a/perl-5.24.1-fix-RT-130561-recursion-and-optimising-away-impossib.patch b/perl-5.24.1-fix-RT-130561-recursion-and-optimising-away-impossib.patch
new file mode 100644
index 0000000..2a2e6b2
--- /dev/null
+++ b/perl-5.24.1-fix-RT-130561-recursion-and-optimising-away-impossib.patch
@@ -0,0 +1,93 @@
+From fbb9dc823a06b4815ee8fd8632fc475b8034e379 Mon Sep 17 00:00:00 2001
+From: Yves Orton
+Date: Fri, 27 Jan 2017 10:18:51 +0100
+Subject: [PATCH] fix RT #130561 - recursion and optimising away impossible
+ quantifiers are not friends
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Ported to 5.24.1:
+
+commit 31fc93954d1f379c7a49889d91436ce99818e1f6
+Author: Yves Orton
+Date: Fri Jan 27 10:18:51 2017 +0100
+
+ fix RT #130561 - recursion and optimising away impossible quantifiers are not friends
+
+ Instead of optimising away impossible quantifiers like (foo){1,0} treat them
+ as unquantified, and guard them with an OPFAIL. Thus /(foo){1,0}/ is treated
+ the same as /(*FAIL)(foo)/ this is important in patterns like /(foo){1,0}|(?1)/
+ where the (?1) needs to be able to recurse into the (foo) even though the
+ (foo){1,0} can never match. It also resolves various issues (SEGVs) with patterns
+ like /((?1)){1,0}/.
+
+ This patch would have been easier if S_reginsert() documented that it is
+ the callers responsibility to properly set up the NEXT_OFF() of the inserted
+ node (if the node has a NEXT_OFF())
+
+Signed-off-by: Petr Písař
+---
+ regcomp.c | 14 +++-----------
+ t/re/pat_rt_report.t | 11 ++++++++++-
+ 2 files changed, 13 insertions(+), 12 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index bcb8db5..9f343d3 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -11497,19 +11497,11 @@ S_regpiece(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
+ nextchar(pRExC_state);
+ if (max < min) { /* If can't match, warn and optimize to fail
+ unconditionally */
+- if (SIZE_ONLY) {
+-
+- /* We can't back off the size because we have to reserve
+- * enough space for all the things we are about to throw
+- * away, but we can shrink it by the amount we are about
+- * to re-use here */
+- RExC_size += PREVOPER(RExC_size) - regarglen[(U8)OPFAIL];
+- }
+- else {
++ if (PASS2) {
+ ckWARNreg(RExC_parse, "Quantifier {n,m} with n > m can't match");
+- RExC_emit = orig_emit;
+ }
+- ret = reganode(pRExC_state, OPFAIL, 0);
++ reginsert(pRExC_state, OPFAIL, orig_emit, depth+1);
++ NEXT_OFF(orig_emit)= regarglen[OPFAIL] + NODE_STEP_REGNODE;
+ return ret;
+ }
+ else if (min == max && *RExC_parse == '?')
+diff --git a/t/re/pat_rt_report.t b/t/re/pat_rt_report.t
+index cb02ad2..2c1dbc4 100644
+--- a/t/re/pat_rt_report.t
++++ b/t/re/pat_rt_report.t
+@@ -20,7 +20,7 @@ use warnings;
+ use 5.010;
+ use Config;
+
+-plan tests => 2500; # Update this when adding/deleting tests.
++plan tests => 2502; # Update this when adding/deleting tests.
+
+ run_tests() unless caller;
+
+@@ -1113,6 +1113,15 @@ EOP
+ my $s = "\x{1ff}" . "f" x 32;
+ ok($s =~ /\x{1ff}[[:alpha:]]+/gca, "POSIXA pointer wrap");
+ }
++ {
++ # rt
++ fresh_perl_is(
++ '"foo"=~/((?1)){8,0}/; print "ok"',
++ "ok", {}, 'RT #130561 - allowing impossible quantifier should not cause SEGVs');
++ my $s= "foo";
++ ok($s=~/(foo){1,0}|(?1)/,
++ "RT #130561 - allowing impossible quantifier should not break recursion");
++ }
+ } # End of sub run_tests
+
+ 1;
+--
+2.7.4
+
diff --git a/perl-5.25.9-only-mess-with-NEXT_OFF-when-we-are-in-PASS2.patch b/perl-5.25.9-only-mess-with-NEXT_OFF-when-we-are-in-PASS2.patch
new file mode 100644
index 0000000..1eb9183
--- /dev/null
+++ b/perl-5.25.9-only-mess-with-NEXT_OFF-when-we-are-in-PASS2.patch
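Review bot: The two lines this patch adds to S_regpiece() in regcomp.c, `reginsert(pRExC_state, OPFAIL, orig_emit, depth+1);` and `NEXT_OFF(orig_emit)= regarglen[OPFAIL] + NODE_STEP_REGNODE;`, sit outside the `if (PASS2)` block, so as written the NEXT_OFF() store also runs in the sizing pass. The follow-up patch in this same commit describes that store as something that should not happen outside PASS2, which makes Patch79 unsafe to carry or backport on its own. The spec lists the three patches under one comment, so I would record the dependency there, e.g. `# Patch79 must not be applied without Patch80 (NEXT_OFF() is otherwise written outside PASS2)`. The body of S_regpiece() starts and ends outside the hunk, so where `ret` and `orig_emit` are assigned is not visible here.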
@@ -0,0 +1,38 @@
+From bb78386f13c18a1a7dae932b9b36e977056b13c7 Mon Sep 17 00:00:00 2001
+From: Yves Orton
+Date: Fri, 27 Jan 2017 16:57:40 +0100
+Subject: [PATCH] only mess with NEXT_OFF() when we are in PASS2
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+In 31fc93954d1f379c7a49889d91436ce99818e1f6 I added code that would modify
+NEXT_OFF() when we were not in PASS2, when we should not do so. Strangly this
+did not segfault when I tested, but this fix is required.
+
+Signed-off-by: Petr Písař
+---
+ regcomp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index 322d230..d5ce63f 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -11709,11 +11709,11 @@ S_regpiece(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
+ nextchar(pRExC_state);
+ if (max < min) { /* If can't match, warn and optimize to fail
+ unconditionally */
++ reginsert(pRExC_state, OPFAIL, orig_emit, depth+1);
+ if (PASS2) {
+ ckWARNreg(RExC_parse, "Quantifier {n,m} with n > m can't match");
++ NEXT_OFF(orig_emit)= regarglen[OPFAIL] + NODE_STEP_REGNODE;
+ }
+- reginsert(pRExC_state, OPFAIL, orig_emit, depth+1);
+- NEXT_OFF(orig_emit)= regarglen[OPFAIL] + NODE_STEP_REGNODE;
+ return ret;
+ }
+ else if (min == max && *RExC_parse == '?')
+--
+2.7.4
+
diff --git a/perl-5.25.9-silence-warnings-from-tests-about-impossible-quantif.patch b/perl-5.25.9-silence-warnings-from-tests-about-impossible-quantif.patch
new file mode 100644
index 0000000..2cfe7ed
--- /dev/null
+++ b/perl-5.25.9-silence-warnings-from-tests-about-impossible-quantif.patch
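Review bot: After this reordering the `NEXT_OFF(orig_emit)= ...` assignment sits inside `if (PASS2)` beside the warning, and nothing in the code explains why it is needed or why it is pass-dependent; that reasoning exists only in the two commit messages. A short comment above it would stop a later cleanup from hoisting the store back out, for example `/* reginsert() does not set NEXT_OFF() of the node it inserts; do it here, and only in PASS2 */`. The surviving context comment `warn and optimize to fail unconditionally` also reads as if the atom were still optimised away, whereas the branch now keeps it and guards it with OPFAIL. `return ret;` returns a value assigned outside the hunk; presumably it equals `orig_emit`, where the OPFAIL node now sits, but that should be confirmed against the full function.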
@@ -0,0 +1,34 @@
+From 923e23bad0514e1bd29112650fb78aa4ea69e1b7 Mon Sep 17 00:00:00 2001
+From: Yves Orton
+Date: Sat, 28 Jan 2017 15:13:17 +0100
+Subject: [PATCH] silence warnings from tests about impossible quantifiers
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+thanks to Dave M for noticing....
+
+Signed-off-by: Petr Písař
+---
+ t/re/pat_rt_report.t | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/t/re/pat_rt_report.t b/t/re/pat_rt_report.t
+index 21aff58..dd740e7 100644
+--- a/t/re/pat_rt_report.t
++++ b/t/re/pat_rt_report.t
+@@ -1134,9 +1134,10 @@ EOP
+ {
+ # rt
+ fresh_perl_is(
+- '"foo"=~/((?1)){8,0}/; print "ok"',
++ 'no warnings "regexp"; "foo"=~/((?1)){8,0}/; print "ok"',
+ "ok", {}, 'RT #130561 - allowing impossible quantifier should not cause SEGVs');
+ my $s= "foo";
++ no warnings 'regexp';
+ ok($s=~/(foo){1,0}|(?1)/,
+ "RT #130561 - allowing impossible quantifier should not break recursion");
+ }
+--
+2.7.4
+
diff --git a/perl.spec b/perl.spec
index e51e719..8ddbdb6 100644
--- a/perl.spec
+++ b/perl.spec
@@ -277,6 +277,12 @@ Patch76: perl-5.24.1-perl-129274-avoid-treating-the-in-as-a-comment-intro
 Patch77: Compress-Raw-Zlib-2.071-Adapt-tests-to-zlib-1.2.11.patch
 Patch78: IO-Compress-2.070-Adapt-tests-to-zlib-1.2.11.patch
+# Fix a crash when compiling a regexp with impossible quantifiers, RT#130561,
+# in upstream after 5.25.9
+Patch79: perl-5.24.1-fix-RT-130561-recursion-and-optimising-away-impossib.patch
+Patch80: perl-5.25.9-only-mess-with-NEXT_OFF-when-we-are-in-PASS2.patch
+Patch81: perl-5.25.9-silence-warnings-from-tests-about-impossible-quantif.patch
+
 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
 Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@@ -2983,6 +2989,9 @@ popd
 pushd cpan/IO-Compress
 %patch78 -p1
 popd
+%patch79 -p1
+%patch80 -p1
+%patch81 -p1
 %patch200 -p1
 %patch201 -p1
@@ -3048,6 +3057,7 @@ perl -x patchlevel.h \
 'Fedora Patch75: Fix parsing goto statements in multicalled subroutine (RT#113938)' \
 'Fedora Patch76: Fix a heap overlow in parsing $# (RT#129274)' \
 'Fedora Patch77: Adapt tests to zlib-1.2.11 (CPAN RT#119762)' \
+ 'Fedora Patch79: Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)' \
 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
 %{nil}
@@ -5326,6 +5336,7 @@ popd
 %changelog
 * Fri Feb 10 2017 Petr Pisar - 4:5.24.1-388
 - Adapt tests to zlib-1.2.11 (bug #1420326)
+- Fix a crash when compiling a regexp with impossible quantifiers (RT#130561)
 * Thu Jan 26 2017 Petr Pisar - 4:5.24.1-387
 - Fix UTF-8 string handling in & operator (RT#129287)