Fix a memory leak when cloning a regular expression

This commit is contained in:
Petr Písař 2019-04-05 16:35:26 +02:00
parent 024cd9ef0d
commit bf70c3addf
2 changed files with 65 additions and 0 deletions

View File

@ -0,0 +1,59 @@
From 75bb5aa48dfcf930533cd069393fc8a45e4ece18 Mon Sep 17 00:00:00 2001
From: David Mitchell <davem@iabyn.com>
Date: Fri, 22 Mar 2019 12:31:57 +0000
Subject: [PATCH] fix leak in cloned regexes.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When a regex is cloned for a new thread, the string buffer (which holds
the text of the original pattern) wasn't being freed because SvLEN was
being set to 0.
For example:
use threads;
my $r = qr/abc/;
threads->new( sub { 1; })->join;
In the new thread, $r is cloned but when the thread exits, the string
buffer holding "(?^:abc)" was leaking.
This was broken by v5.27.2-30-gdf6b4bd565.
The problem was that in the cloned SV, the buffer was copied, but the
SvLEN(sv) was left set at zero, which along with the SVf_FAKE, mader it
look like the buffer was alien and so not freed.
SvLEN was 0 in the parent thread's $r, since $r and its compile-time
prototype share the same string buffer (so only the original SV has
SvLEN > 0 - all the copies - within the same thread - have mother_re
pointing to the original).
When REs are cloned into another thread, mother_re isn't preserved,
so each RE has its own copy of the buffer.
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
regcomp.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/regcomp.c b/regcomp.c
index 547b9113e3..15783541a4 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -20956,6 +20956,11 @@ Perl_re_dup_guts(pTHX_ const REGEXP *sstr, REGEXP *dstr, CLONE_PARAMS *param)
2: something we no longer hold a reference on
so we need to copy it locally. */
RX_WRAPPED(dstr) = SAVEPVN(RX_WRAPPED_const(sstr), SvCUR(sstr)+1);
+ /* set malloced length to a non-zero value so it will be freed
+ * (otherwise in combination with SVf_FAKE it looks like an alien
+ * buffer). It doesn't have to be the actual malloced size, since it
+ * should never be grown */
+ SvLEN_set(dstr, SvCUR(sstr)+1);
ret->mother_re = NULL;
}
#endif /* PERL_IN_XSUB_RE */
--
2.20.1

View File

@ -276,6 +276,9 @@ Patch59: perl-5.28.1-PATCH-perl-133880-assertion-failure.patch
# in upstream after 5.29.9 # in upstream after 5.29.9
Patch60: perl-5.28.1-Fix-POSIX-mblen-mbstate_t-initialization-on-threaded.patch Patch60: perl-5.28.1-Fix-POSIX-mblen-mbstate_t-initialization-on-threaded.patch
# Fix a memory leak when cloning a regular expression, in upstream after 5.29.9
Patch61: perl-5.29.9-fix-leak-in-cloned-regexes.patch
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -2892,6 +2895,7 @@ Perl extension for Version Objects
%patch58 -p1 %patch58 -p1
%patch59 -p1 %patch59 -p1
%patch60 -p1 %patch60 -p1
%patch61 -p1
%patch200 -p1 %patch200 -p1
%patch201 -p1 %patch201 -p1
@ -2944,6 +2948,7 @@ perl -x patchlevel.h \
'Fedora Patch58: Fix a buffer overread when handling a scope error in qr/\(?{/ (RT#133879)' \ 'Fedora Patch58: Fix a buffer overread when handling a scope error in qr/\(?{/ (RT#133879)' \
'Fedora Patch59: Fix a buffer overread when parsing a regular expression with an unknown character name (RT#133880)' \ 'Fedora Patch59: Fix a buffer overread when parsing a regular expression with an unknown character name (RT#133880)' \
'Fedora Patch60: Fix mbstate_t initialization in POSIX::mblen (RT#133928)' \ 'Fedora Patch60: Fix mbstate_t initialization in POSIX::mblen (RT#133928)' \
'Fedora Patch61: Fix a memory leak when cloning a regular expression' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil} %{nil}
@ -5238,6 +5243,7 @@ popd
- Fix a buffer overread when parsing a regular expression with an unknown - Fix a buffer overread when parsing a regular expression with an unknown
character name (RT#133880) character name (RT#133880)
- Fix mbstate_t initialization in POSIX::mblen (RT#133928) - Fix mbstate_t initialization in POSIX::mblen (RT#133928)
- Fix a memory leak when cloning a regular expression
* Tue Mar 05 2019 Björn Esser <besser82@fedoraproject.org> - 4:5.28.1-434 * Tue Mar 05 2019 Björn Esser <besser82@fedoraproject.org> - 4:5.28.1-434
- Add explicit Requires: libxcrypt-devel to devel sub-package (bug #1666098) - Add explicit Requires: libxcrypt-devel to devel sub-package (bug #1666098)