Fix a conditional jump on uninitilized memory in re_intuit_start()

This commit is contained in:
Petr Písař 2017-06-19 13:45:43 +02:00
parent 4b937ffd49
commit f7e5d464be
2 changed files with 124 additions and 1 deletions

View File

@ -0,0 +1,116 @@
From 10e784017784a8c1b1835b04026f8948eb502e50 Mon Sep 17 00:00:00 2001
From: David Mitchell <davem@iabyn.com>
Date: Fri, 16 Jun 2017 15:46:19 +0100
Subject: [PATCH] don't call Perl_fbm_instr() with negative length
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Ported to 5.26.0:
commit bb152a4b442f7718fd37d32cc558be675e8ae1ae
Author: David Mitchell <davem@iabyn.com>
Date: Fri Jun 16 15:46:19 2017 +0100
don't call Perl_fbm_instr() with negative length
RT #131575
re_intuit_start() could calculate a maximum end position less than the
current start position. This used to get rejected by fbm_intr(), until
v5.23.3-110-g147f21b, which made fbm_intr() faster and removed unnecessary
checks.
This commits fixes re_intuit_start(), and adds an assert to fbm_intr().
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
regexec.c | 17 +++++++++++------
t/re/pat.t | 13 ++++++++++++-
util.c | 2 ++
3 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/regexec.c b/regexec.c
index 35b88d7..4e82bc2 100644
--- a/regexec.c
+++ b/regexec.c
@@ -126,13 +126,16 @@ static const char* const non_utf8_target_but_utf8_required
(U8*)(off >= 0 ? reginfo->strend : reginfo->strbeg)) \
: (U8*)(pos + off))
-#define HOPBACKc(pos, off) \
- (char*)(reginfo->is_utf8_target \
- ? reghopmaybe3((U8*)pos, (SSize_t)0-off, (U8*)(reginfo->strbeg)) \
- : (pos - off >= reginfo->strbeg) \
- ? (U8*)pos - off \
+/* like HOPMAYBE3 but backwards. lim must be +ve. Returns NULL on overshoot */
+#define HOPBACK3(pos, off, lim) \
+ (reginfo->is_utf8_target \
+ ? reghopmaybe3((U8*)pos, (SSize_t)0-off, (U8*)(lim)) \
+ : (pos - off >= lim) \
+ ? (U8*)pos - off \
: NULL)
+#define HOPBACKc(pos, off) ((char*)HOPBACK3(pos, off, reginfo->strbeg))
+
#define HOP3(pos,off,lim) (reginfo->is_utf8_target ? reghop3((U8*)(pos), off, (U8*)(lim)) : (U8*)(pos + off))
#define HOP3c(pos,off,lim) ((char*)HOP3(pos,off,lim))
@@ -884,7 +887,9 @@ Perl_re_intuit_start(pTHX_
(IV)prog->check_end_shift);
});
- end_point = HOP3(strend, -end_shift, strbeg);
+ end_point = HOPBACK3(strend, end_shift, rx_origin);
+ if (!end_point)
+ goto fail_finish;
start_point = HOPMAYBE3(rx_origin, start_shift, end_point);
if (!start_point)
goto fail_finish;
diff --git a/t/re/pat.t b/t/re/pat.t
index 16bfc8e..2510eab 100644
--- a/t/re/pat.t
+++ b/t/re/pat.t
@@ -23,7 +23,7 @@ BEGIN {
skip_all('no re module') unless defined &DynaLoader::boot_DynaLoader;
skip_all_without_unicode_tables();
-plan tests => 837; # Update this when adding/deleting tests.
+plan tests => 838; # Update this when adding/deleting tests.
run_tests() unless caller;
@@ -1911,6 +1911,17 @@ EOP
# [perl #129281] buffer write overflow, detected by ASAN, valgrind
fresh_perl_is('/0(?0)|^*0(?0)|^*(^*())0|/', '', {}, "don't bump whilem_c too much");
}
+
+ {
+ # RT #131575 intuit skipping back from the end to find the highest
+ # possible start point, was potentially hopping back beyond pos()
+ # and crashing by calling fbm_instr with a negative length
+
+ my $text = "=t=\x{5000}";
+ pos($text) = 3;
+ ok(scalar($text !~ m{(~*=[a-z]=)}g), "RT #131575");
+ }
+
} # End of sub run_tests
1;
diff --git a/util.c b/util.c
index f1b92a9..69763bc 100644
--- a/util.c
+++ b/util.c
@@ -816,6 +816,8 @@ Perl_fbm_instr(pTHX_ unsigned char *big, unsigned char *bigend, SV *littlestr, U
PERL_ARGS_ASSERT_FBM_INSTR;
+ assert(bigend >= big);
+
if ((STRLEN)(bigend - big) < littlelen) {
if ( tail
&& ((STRLEN)(bigend - big) == littlelen - 1)
--
2.9.4

View File

@ -165,6 +165,10 @@ Patch37: perl-5.27.0-perl-131526-don-t-go-beyond-the-end-of-the-NUL-in-my
# "perl -S", RT#129183, in upstream after 5.27.0 # "perl -S", RT#129183, in upstream after 5.27.0
Patch38: perl-5.27.0-perl-129183-don-t-treat-as-an-escape-in-PATH-for-S.patch Patch38: perl-5.27.0-perl-129183-don-t-treat-as-an-escape-in-PATH-for-S.patch
# Fix a conditional jump on uninitilized memory in re_intuit_start(),
# RT#131575, in upstream after 5.27.0
Patch39: perl-5.26.0-don-t-call-Perl_fbm_instr-with-negative-length.patch
# Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048 # Link XS modules to libperl.so with EU::CBuilder on Linux, bug #960048
Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch Patch200: perl-5.16.3-Link-XS-modules-to-libperl.so-with-EU-CBuilder-on-Li.patch
@ -2821,6 +2825,7 @@ Perl extension for Version Objects
%patch36 -p1 %patch36 -p1
%patch37 -p1 %patch37 -p1
%patch38 -p1 %patch38 -p1
%patch39 -p1
%patch200 -p1 %patch200 -p1
%patch201 -p1 %patch201 -p1
@ -2848,6 +2853,7 @@ perl -x patchlevel.h \
'Fedora Patch36: Fix glob UTF-8 flag on a glob reassignment (RT#131263)' \ 'Fedora Patch36: Fix glob UTF-8 flag on a glob reassignment (RT#131263)' \
'Fedora Patch37: Fix a buffer overflow in my_atof2() (RT#131526)' \ 'Fedora Patch37: Fix a buffer overflow in my_atof2() (RT#131526)' \
'Fedora Patch38: Fix handling backslashes in PATH environment variable when executing "perl -S" (RT#129183)' \ 'Fedora Patch38: Fix handling backslashes in PATH environment variable when executing "perl -S" (RT#129183)' \
'Fedora Patch39: Fix a conditional jump on uninitilized memory in re_intuit_start() (RT#131575)' \
'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \ 'Fedora Patch200: Link XS modules to libperl.so with EU::CBuilder on Linux' \
'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \ 'Fedora Patch201: Link XS modules to libperl.so with EU::MM on Linux' \
%{nil} %{nil}
@ -5130,7 +5136,7 @@ popd
# Old changelog entries are preserved in CVS. # Old changelog entries are preserved in CVS.
%changelog %changelog
* Fri Jun 16 2017 Petr Pisar <ppisar@redhat.com> - 4:5.26.0-394 * Mon Jun 19 2017 Petr Pisar <ppisar@redhat.com> - 4:5.26.0-394
- Make File::Glob more resistant against degenerative matching (RT#131211) - Make File::Glob more resistant against degenerative matching (RT#131211)
- Fix a crash when calling a subroutine from a stash (RT#131085) - Fix a crash when calling a subroutine from a stash (RT#131085)
- Fix an improper cast of a negative integer to an unsigned 8-bit type (RT#131190) - Fix an improper cast of a negative integer to an unsigned 8-bit type (RT#131190)
@ -5139,6 +5145,7 @@ popd
- Fix a buffer overflow in my_atof2() (RT#131526) - Fix a buffer overflow in my_atof2() (RT#131526)
- Fix handling backslashes in PATH environment variable when executing - Fix handling backslashes in PATH environment variable when executing
"perl -S" (RT#129183) "perl -S" (RT#129183)
- Fix a conditional jump on uninitilized memory in re_intuit_start() (RT#131575)
* Tue Jun 06 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.26.0-393 * Tue Jun 06 2017 Jitka Plesnikova <jplesnik@redhat.com> - 4:5.26.0-393
- Stop providing old perl(MODULE_COMPAT_5.24.*) - Stop providing old perl(MODULE_COMPAT_5.24.*)