Report information
Id: 131893
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)

Attachments
0001-perl-131893-prevent-integer-overflow-when-compiling-.patch



To: perlbug [...] perl.org
Date: Sun, 13 Aug 2017 21:32:29 -0500
Subject: runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long' (regcomp.c:5935:23)
From: Brian Carpenter <brian.carpenter [...] gmail.com>
While fuzzing v5.27.2-135-g7aaa36b196*, undefined behavior was triggered in the form of a signed integer overflow in regcomp.c; however, I'm not sure if this is a bug.

./perl -e "0=~'0(0?(0||00*))|'"

regcomp.c:5935:23: runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long'
    #0 0xa5aa70 in S_study_chunk /root/perl5/regcomp.c:5935:23
    #1 0xa6df1c in S_study_chunk /root/perl5/regcomp.c:5894:35
    #2 0x9d6c65 in Perl_re_op_compile /root/perl5/regcomp.c:7574:11
    #3 0x56abc9 in Perl_pmruntime /root/perl5/op.c:5885:6
    #4 0x56413d in Perl_bind_match /root/perl5/op.c:4017:9
    #5 0x96ddc0 in Perl_yyparse /root/perl5/perly.y:990:23
    #6 0x6c1dfe in S_parse_body /root/perl5/perl.c:2414:9
    #7 0x6aeb39 in perl_parse /root/perl5/perl.c:1732:2
    #8 0x5251b6 in main /root/perl5/perlmain.c:121:18
    #9 0x7fe7401094d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)
    #10 0x4359d9 in _start (/root/perl5/perl+0x4359d9)

SUMMARY: AddressSanitizer: undefined-behavior regcomp.c:5935:23
From: Zefram <zefram [...] fysh.org>
Subject: Re: [perl #131893] runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long' (regcomp.c:5935:23)
Date: Mon, 14 Aug 2017 03:35:37 +0100
To: perl5-porters [...] perl.org
Brian Carpenter wrote:
> the form of a signed integer overflow in regcomp.c, however I'm not sure if
> this is a bug.
>
> ./perl -e "0=~'0(0?(0||00*))|'"

There's nothing pathological about that regexp. I reckon it's a bug.

-zefram
RT-Send-CC: perl5-porters [...] perl.org
On Sun, 13 Aug 2017 19:33:16 -0700, brian.carpenter@gmail.com wrote:
> While fuzzing v5.27.2-135-g7aaa36b196*, undefined-behavior was triggered in
> the form of a signed integer overflow in regcomp.c, however I'm not sure if
> this is a bug.
>
> ./perl -e "0=~'0(0?(0||00*))|'"

The attached fixes it for me. There are other similar issues; perhaps it's finally time to do the work to close 121505.

Tony
Subject: 0001-perl-131893-prevent-integer-overflow-when-compiling-.patch
From f901dfa07af600039d9479d4da63db04b3b40f42 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Mon, 14 Aug 2017 15:10:22 +1000 Subject: (perl #131893) prevent integer overflow when compiling a regexp a specific regexp in this case, other regexps may cause other overflows --- regcomp.c | 8 ++++++-- t/re/pat.t | 6 +++++- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/regcomp.c b/regcomp.c index 5a9e56b..a421d24 100644 --- a/regcomp.c +++ b/regcomp.c @@ -5931,8 +5931,12 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n", data->cur_is_floating = 1; /* float */ } min += min1; - if (delta != SSize_t_MAX) - delta += max1 - min1; + if (delta != SSize_t_MAX) { + if (SSize_t_MAX - (max1 - min1) >= delta) + delta += max1 - min1; + else + delta = SSize_t_MAX; + } if (flags & SCF_DO_STCLASS_OR) { ssc_or(pRExC_state, data->start_class, (regnode_charclass *) &accum); if (min1) { diff --git a/t/re/pat.t b/t/re/pat.t index fb6d4c4..984fd66 100644 --- a/t/re/pat.t +++ b/t/re/pat.t @@ -23,7 +23,7 @@ BEGIN { skip_all('no re module') unless defined &DynaLoader::boot_DynaLoader; skip_all_without_unicode_tables(); -plan tests => 837; # Update this when adding/deleting tests. +plan tests => 838; # Update this when adding/deleting tests. run_tests() unless caller; @@ -1916,6 +1916,10 @@ EOP pos($text) = 3; ok(scalar($text !~ m{(~*=[a-z]=)}g), "RT #131575"); } + { + # RT #131893 - fails with ASAN -fsanitize=undefined + fresh_perl_is('qr/0(0?(0||00*))|/', '', {}, "integer overflow during compilation"); + } } # End of sub run_tests -- 2.1.4
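Review bot: in the regcomp.c hunk the new guard protects only `delta`; the `min += min1;` line directly above it is left unchecked and is an addition of the same kind, which is consistent with the commit message's own note that other regexps may cause other overflows, so either guard it the same way here or record it as the follow-up for 121505. The condition `SSize_t_MAX - (max1 - min1) >= delta` also relies on `max1 >= min1` (otherwise the subtraction itself can overflow); a one-line comment stating that invariant, and that saturating to `SSize_t_MAX` means "length unbounded", would make the intent clear to the next reader.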
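Review bot: the new test in the second t/re/pat.t hunk only detects the bug under a `-fsanitize=undefined` build, as its own comment says; on an ordinary build the `fresh_perl_is('qr/0(0?(0||00*))|/', '', {}, ...)` call produces no output both before and after the fix, so it passes either way. That is still worth having as a canary for sanitizer runs, but the test description should say so (for example "integer overflow during compilation (UBSan)"), so that a later reader does not take a green result on a plain build as evidence the overflow is covered.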


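Tony's patch above replaces the unguarded `delta += max1 - min1` with a saturating update. The following C is an added example, not code from perl or from this thread: it shows the unguarded and the guarded form stand-alone on the inputs behind the reported `1 + 9223372036854775807`. It assumes SSize_t is a signed 64-bit type and that SSize_t_MAX is regcomp.c's sentinel for "length unbounded".

```c
/* Added example (not perl's code). Assumed: SSize_t is signed 64-bit and
 * SSize_t_MAX is the "unbounded" sentinel, as used in regcomp.c. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

typedef int64_t SSize_t;
#define SSize_t_MAX INT64_MAX

/* Reports whether the pre-patch update `delta += max1 - min1` would be
 * signed overflow (undefined behaviour) for these inputs. It never
 * performs the addition itself. Assumes max1 >= min1. */
static bool delta_add_would_overflow(SSize_t delta, SSize_t min1, SSize_t max1)
{
    SSize_t span = max1 - min1;
    return delta != SSize_t_MAX && SSize_t_MAX - span < delta;
}

/* The post-patch update: add the span if it fits, otherwise saturate to
 * SSize_t_MAX. Once delta is SSize_t_MAX (unbounded) it stays there. */
static SSize_t delta_add_saturating(SSize_t delta, SSize_t min1, SSize_t max1)
{
    if (delta != SSize_t_MAX) {
        SSize_t span = max1 - min1;          /* assumes max1 >= min1 */
        if (SSize_t_MAX - span >= delta)
            delta += span;
        else
            delta = SSize_t_MAX;
    }
    return delta;
}

int main(void)
{
    /* The reported case: delta already 1, and a branch whose maximum
     * length is unbounded, i.e. the 1 + 9223372036854775807 from the log. */
    SSize_t delta = 1, min1 = 0, max1 = SSize_t_MAX;
    printf("unguarded add overflows: %d\n",
           (int)delta_add_would_overflow(delta, min1, max1));
    printf("saturating add gives: %lld\n",
           (long long)delta_add_saturating(delta, min1, max1));
    return 0;
}
```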