Commit7047915

khwilliamson

authored and

leonerd

committed

Fix read/write past buffer end: perl-security#140

A package name may be specified in a \p{...} regular expressionconstruct. If unspecified, "utf8::" is assumed, which is the packageall official Unicode properties are in. By specifying a differentpackage, one can create a user-defined property with the sameunqualified name as a Unicode one. Such a property is defined by a subwhose name begins with "Is" or "In", and if the sub wishes to refer toan official Unicode property, it must explicitly specify the "utf8::".S_parse_uniprop_string() is used to parse the interior of both \p{} andthe user-defined sub lines.In S_parse_uniprop_string(), it parses the input "name" parameter,creating a modified copy, "lookup_name", malloc'ed with the same size as"name". The modifications are essentially to create a canonicalizedversion of the input, with such things as extraneous white-spacestripped off. I found it convenient to strip off the package specifier"utf8::". To to so, the code simply pretends "lookup_name" begins justafter the "utf8::", and adjusts various other values to compensate.However, it missed the adjustment of one required one.This is only a problem when the property name begins with "perl" andisn't "perlspace" nor "perlword". All such ones are undocumentedinternal properties.What happens in this case is that the input is reparsed with slightlydifferent rules in effect as to what is legal versus illegal. Theproblem is that "lookup_name" no longer is pointing to its initialvalue, but "name" is. Thus the space allocated for filling "lookup_name"is now shorter than "name", and as this shortened "lookup_name" isfilled by copying suitable portions of "name", the write can be tounallocated space.The solution is to skip the "utf8::" when reparsing "name". Then both"lookup_name" and "name" are effectively shortened by the same amount,and there is no going off the end.This commit also does white-space adjustment so that things alignvertically for readability.This can be easily backported to earlier Perl releases.

1 parentbf7e5c2 commit7047915Copy full SHA for 7047915

File tree

2 files changed

+19

-6

lines changed

regcomp.c
t/re
- pat_advanced.t

2 files changed

+19

-6

lines changed

`‎regcomp.c`

Lines changed: 11 additions & 6 deletions

Original file line number	Diff line number	Diff line change
`@@ -24178,7 +24178,7 @@ S_parse_uniprop_string(pTHX_`
`24178`	`24178`	`* compile perl to know about them) */`
`24179`	`24179`	`bool is_nv_type = FALSE;`
`24180`	`24180`
`24181`		`- unsigned int i, j = 0;`
	`24181`	`+ unsigned int i = 0, i_zero = 0, j = 0;`
`24182`	`24182`	`int equals_pos = -1; /* Where the '=' is found, or negative if none */`
`24183`	`24183`	`int slash_pos = -1; /* Where the '/' is found, or negative if none */`
`24184`	`24184`	`int table_index = 0; /* The entry number for this property in the table`
`@@ -24312,9 +24312,13 @@ S_parse_uniprop_string(pTHX_`
`24312`	`24312`	`* all of them are considered to be for that package. For the purposes of`
`24313`	`24313`	`* parsing the rest of the property, strip it off */`
`24314`	`24314`	`if (non_pkg_begin == STRLENs("utf8::") && memBEGINPs(name, name_len, "utf8::")) {`
`24315`		`- lookup_name += STRLENs("utf8::");`
`24316`		`- j -= STRLENs("utf8::");`
`24317`		`- equals_pos -= STRLENs("utf8::");`
	`24315`	`+ lookup_name += STRLENs("utf8::");`
	`24316`	`+ j -= STRLENs("utf8::");`
	`24317`	`+ equals_pos -= STRLENs("utf8::");`
	`24318`	`+ i_zero = STRLENs("utf8::"); /* When resetting 'i' to reparse`
	`24319`	`+ from the beginning, it has to be`
	`24320`	`+ set past what we're stripping`
	`24321`	`+ off */`
`24318`	`24322`	`stripped_utf8_pkg = TRUE;`
`24319`	`24323`	`}`
`24320`	`24324`
`@@ -24728,7 +24732,8 @@ S_parse_uniprop_string(pTHX_`
`24728`	`24732`
`24729`	`24733`	`/* We set the inputs back to 0 and the code below will reparse,`
`24730`	`24734`	`* using strict */`
`24731`		`- i = j = 0;`
	`24735`	`+ i = i_zero;`
	`24736`	`+ j = 0;`
`24732`	`24737`	`}`
`24733`	`24738`	`}`
`24734`	`24739`
`@@ -24749,7 +24754,7 @@ S_parse_uniprop_string(pTHX_`
`24749`	`24754`	`* separates two digits */`
`24750`	`24755`	`if (cur == '_') {`
`24751`	`24756`	`if ( stricter`
`24752`		`- && (i ==0 \|\| (int) i == equals_pos \|\| i == name_len- 1`
	`24757`	`+ && ( i ==i_zero \|\| (int) i == equals_pos \|\| i == name_len- 1`
`24753`	`24758`	`\|\| ! isDIGIT_A(name[i-1]) \|\| ! isDIGIT_A(name[i+1])))`
`24754`	`24759`	`{`
`24755`	`24760`	`lookup_name[j++] = '_';`

`‎t/re/pat_advanced.t`

Lines changed: 8 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -2688,6 +2688,14 @@ EOF_DEBUG_OUT`
`2688`	`2688`	`{},"Related to Github Issue #19350, forward\\g{x} pattern segv under use re Debug => 'PARSE'");`
`2689`	`2689`	`}`
`2690`	`2690`
	`2691`	`+ {# perl-security#140, read/write past buffer end`
	`2692`	`+ fresh_perl_like('qr/\p{utf8::perl x}/',`
	`2693`	`+qr/Illegal user-defined property name "utf8::perl x" in regex/,`
	`2694`	`+ {},"perl-security#140");`
	`2695`	`+ fresh_perl_is('qr/\p{utf8::_perl_surrogate}/',"",`
	`2696`	`+ {},"perl-security#140");`
	`2697`	`+ }`
	`2698`	`+`
`2691`	`2699`
`2692`	`2700`	`# !!! NOTE that tests that aren't at all likely to crash perl should go`
`2693`	`2701`	`# a ways above, above these last ones. There's a comment there that, like`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Commit7047915

File tree

2 files changed

2 files changed

`‎regcomp.c`

`‎t/re/pat_advanced.t`

0 commit comments