Report information
Id: 131893
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: (no value)

Attachments
0001-perl-131893-prevent-integer-overflow-when-compiling-.patch



To: perlbug [...] perl.org
Date: Sun, 13 Aug 2017 21:32:29 -0500
Subject: runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long' (regcomp.c:5935:23)
From: Brian Carpenter <brian.carpenter [...] gmail.com>
While fuzzing v5.27.2-135-g7aaa36b196*, undefined behavior was triggered in the form of a signed integer overflow in regcomp.c; however, I'm not sure if this is a bug.

./perl -e "0=~'0(0?(0||00*))|'"

regcomp.c:5935:23: runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long'
    #0 0xa5aa70 in S_study_chunk /root/perl5/regcomp.c:5935:23
    #1 0xa6df1c in S_study_chunk /root/perl5/regcomp.c:5894:35
    #2 0x9d6c65 in Perl_re_op_compile /root/perl5/regcomp.c:7574:11
    #3 0x56abc9 in Perl_pmruntime /root/perl5/op.c:5885:6
    #4 0x56413d in Perl_bind_match /root/perl5/op.c:4017:9
    #5 0x96ddc0 in Perl_yyparse /root/perl5/perly.y:990:23
    #6 0x6c1dfe in S_parse_body /root/perl5/perl.c:2414:9
    #7 0x6aeb39 in perl_parse /root/perl5/perl.c:1732:2
    #8 0x5251b6 in main /root/perl5/perlmain.c:121:18
    #9 0x7fe7401094d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)
    #10 0x4359d9 in _start (/root/perl5/perl+0x4359d9)

SUMMARY: AddressSanitizer: undefined-behavior regcomp.c:5935:23
From: Zefram <zefram [...] fysh.org>
Subject: Re: [perl #131893] runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long' (regcomp.c:5935:23)
Date: Mon, 14 Aug 2017 03:35:37 +0100
To: perl5-porters [...] perl.org
Brian Carpenter wrote:
> the form of a signed integer overflow in regcomp.c, however I'm not sure if
> this is a bug.
>
> ./perl -e "0=~'0(0?(0||00*))|'"
There's nothing pathological about that regexp. I reckon it's a bug.
-zefram
RT-Send-CC: perl5-porters [...] perl.org
On Sun, 13 Aug 2017 19:33:16 -0700, brian.carpenter@gmail.com wrote:
> While fuzzing v5.27.2-135-g7aaa36b196*, undefined-behavior was triggered in
> the form of a signed integer overflow in regcomp.c, however I'm not sure if
> this is a bug.
>
> ./perl -e "0=~'0(0?(0||00*))|'"
The attached fixes it for me. There are other similar issues; perhaps it's finally time to do the work to close 121505.
Tony
Subject: 0001-perl-131893-prevent-integer-overflow-when-compiling-.patch
From f901dfa07af600039d9479d4da63db04b3b40f42 Mon Sep 17 00:00:00 2001 From: Tony Cook <tony@develop-help.com> Date: Mon, 14 Aug 2017 15:10:22 +1000 Subject: (perl #131893) prevent integer overflow when compiling a regexp a specific regexp in this case, other regexps may cause other overflows --- regcomp.c | 8 ++++++-- t/re/pat.t | 6 +++++- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/regcomp.c b/regcomp.c index 5a9e56b..a421d24 100644 --- a/regcomp.c +++ b/regcomp.c @@ -5931,8 +5931,12 @@ Perl_re_printf( aTHX_ "LHS=%" UVuf " RHS=%" UVuf "\n", data->cur_is_floating = 1; /* float */ } min += min1; - if (delta != SSize_t_MAX) - delta += max1 - min1; + if (delta != SSize_t_MAX) { + if (SSize_t_MAX - (max1 - min1) >= delta) + delta += max1 - min1; + else + delta = SSize_t_MAX; + } if (flags & SCF_DO_STCLASS_OR) { ssc_or(pRExC_state, data->start_class, (regnode_charclass *) &accum); if (min1) { diff --git a/t/re/pat.t b/t/re/pat.t index fb6d4c4..984fd66 100644 --- a/t/re/pat.t +++ b/t/re/pat.t @@ -23,7 +23,7 @@ BEGIN { skip_all('no re module') unless defined &DynaLoader::boot_DynaLoader; skip_all_without_unicode_tables(); -plan tests => 837; # Update this when adding/deleting tests. +plan tests => 838; # Update this when adding/deleting tests. run_tests() unless caller; @@ -1916,6 +1916,10 @@ EOP pos($text) = 3; ok(scalar($text !~ m{(~*=[a-z]=)}g), "RT #131575"); } + { + # RT #131893 - fails with ASAN -fsanitize=undefined + fresh_perl_is('qr/0(0?(0||00*))|/', '', {}, "integer overflow during compilation"); + } } # End of sub run_tests -- 2.1.4
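Review bot: in the regcomp.c hunk, the guard `SSize_t_MAX - (max1 - min1) >= delta` is only free of overflow itself because `max1 - min1` is non-negative; a short comment (or an assert) stating the `max1 >= min1` invariant next to the check would make the saturation reasoning self-evident to the next reader. The `min += min1;` line in the same context stays unchecked, which matches the commit message's remark that other regexps may overflow elsewhere, but is worth calling out so the follow-up work under 121505 is not lost.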
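Review bot: in the second t/re/pat.t hunk, the new test only expects empty output from compiling `qr/0(0?(0||00*))|/`, so on a build without `-fsanitize=undefined` it passes whether or not the overflow is present; the comment hints at this, but spelling out that the test is a regression guard only when the sanitizer's diagnostic lands in the captured output would save confusion. The report used the string form `0=~'0(0?(0||00*))|'` rather than `qr//`; both compile the same pattern, so this is a traceability nit rather than a correctness concern.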
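The saturating update the patch introduces, as an added illustration that is not part of the patch or of perl's own source; the `SSize_t` typedef, and reading the reported `1 + 9223372036854775807` as `delta == 1` (from `0?`) plus an unbounded spread from `00*`, are assumptions made for this example:

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for perl's SSize_t / SSize_t_MAX (assumption: signed 64-bit, as in the report). */
typedef int64_t SSize_t;
#define SSize_t_MAX INT64_MAX

/* delta is the extra length a subpattern may match beyond its minimum;
 * SSize_t_MAX is the sentinel for "unbounded". Adding another branch's spread
 * (max1 - min1) must not wrap, which in C is undefined behaviour. Relies on
 * the regcomp invariant max1 >= min1 so that the subtraction is itself safe. */
bool delta_add_would_overflow(SSize_t delta, SSize_t max1, SSize_t min1)
{
    SSize_t spread = max1 - min1;
    return SSize_t_MAX - spread < delta;   /* i.e. delta + spread > SSize_t_MAX */
}

/* The patched update from S_study_chunk, written as a pure function:
 * saturate to SSize_t_MAX instead of executing "delta += max1 - min1" blindly. */
SSize_t study_delta_update(SSize_t delta, SSize_t max1, SSize_t min1)
{
    if (delta == SSize_t_MAX)
        return delta;                      /* already unbounded, stays unbounded */
    if (delta_add_would_overflow(delta, max1, min1))
        return SSize_t_MAX;                /* the new branch of the fix */
    return delta + (max1 - min1);          /* the pre-existing, now guarded, path */
}

int main(void)
{
    /* Constructed inputs modelling the reported case: delta 1, unbounded spread. */
    SSize_t d = study_delta_update(1, SSize_t_MAX, 0);
    printf("delta after unbounded branch: %" PRId64 " (unbounded=%d)\n",
           d, d == SSize_t_MAX);
    /* An ordinary bounded branch still accumulates normally. */
    printf("delta after bounded branch:   %" PRId64 "\n", study_delta_update(3, 7, 2));
    return 0;
}
```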
To: perl5-porters [...] perl.org
Date: Wed, 6 Dec 2017 22:12:39 +0000
Subject: Re: [perl #131893] runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long' (regcomp.c:5935:23)
From: Zefram <zefram [...] fysh.org>
Tony's patch looks good to me. I've applied it as commit 6c4f4eb174d1e2e9f874786123a699d11ae741f9.
-zefram
Thank you for filing this report. You have helped make Perl better. With the release yesterday of Perl 5.28.0, this and 185 other issues have been resolved. Perl 5.28.0 may be downloaded via: https://metacpan.org/release/XSAWYERX/perl-5.28.0 If you find that the problem persists, feel free to reopen this ticket.