Skip Menu |
Report information
Id: 133100
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: Nick_Russell [at]

Operating System: (no value)
PatchStatus: (no value)
Severity: High
Type: core
Perl Version: 5.26.1
Fixed In: (no value)

Date: Wed, 11 Apr 2018 12:56:54 +0000
To: "perlbug [...]" <perlbug [...]>
Subject: SEGV using a regex with an invalid repeat range
From: "Russell, Nick" <Nick_Russell [...]>
Download (untitled) / with headers
text/plain 7.3k
This is a bug report for perl from Nick Rrussell, generated with the help of perlbug 1.39 running under perl 5.26.1. ----------------------------------------------------------------- The following command: # echo 'b' | perl -ne 'print if /ba{11,2}/;' when executed under perl v5.16.3 produces the error below: Can't do {n,m} with n > m in regex; marked by <-- HERE in m/ba{11,2} <-- HERE / at -e line 1. which is expected. However when run under perl v5.26.1 the regex is considered valid and crashes perl when the range is evaluated: Core was generated by `perl -ne print if /ba{11,2}/;'. Program terminated with signal 11, Segmentation fault. (gdb) bt #0 0x00007efe26ddba24 in ?? () from /usr/lib/perl5/core_perl/CORE/ #1 0x00007efe26de15f8 in Perl_regexec_flags () from /usr/lib/perl5/core_perl/CORE/ #2 0x00007efe26d85a46 in Perl_pp_match () from /usr/lib/perl5/core_perl/CORE/ #3 0x00007efe26d8219b in Perl_runops_standard () from /usr/lib/perl5/core_perl/CORE/ #4 0x00007efe26d1d035 in perl_run () from /usr/lib/perl5/core_perl/CORE/ #5 0x0000557ea61a6c42 in main () Note that I was using a chroot that did not have perlbug installed so I used the version available under the host OS so the ' Locally applied patches' section is bogus. ----------------------------------------------------------------- --- Flags: category=core severity=high --- This perlbug was built using Perl 5.16.3 - Wed Aug 2 17:44:15 UTC 2017 It is being executed now by Perl 5.26.1 - Tue Oct 31 13:26:34 GMT 2017. Site configuration information for perl 5.26.1: Configured by Alpine at Tue Oct 31 13:26:34 GMT 2017. Summary of my perl5 (revision 5 version 26 subversion 1) configuration: Platform: osname=linux osvers=4.4.45-0-grsec archname=x86_64-linux-thread-multi uname='linux build-3-7-x86_64 4.4.45-0-grsec #1-alpine smp thu jan 26 14:21:00 gmt 2017 x86_64 linux ' config_args='-des -Dcccdlflags=-fPIC -Dcccdlflags=-fPIC -Dccdlflags=-rdynamic -Dprefix=/usr -Dprivlib=/usr/share/perl5/core_perl -Darchlib=/usr/lib/perl5/core_perl -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5/vendor_perl -Dvendor arch=/usr/lib/perl5/vendor_perl -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl5/site_perl -Dsitearch=/usr/local/lib/perl5/site_perl -Dlocincpth= -Doptimize=-Os -fomit-frame-pointer -Duselargefiles -Dusethreads -Duseshrplib -Dd_ semctl_semun -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dinstallman1dir=/usr/share/man/man1 -Dinstallman3dir=/usr/share/man/man3 -Dman1ext=1 -Dman3ext=3pm -Dcf_by=Alpine -Ud_csh -Dusenm' hint=recommended useposix=true d_sigaction=define useithreads=define usemultiplicity=define use64bitint=define use64bitall=define uselongdouble=undef usemymalloc=n default_inc_excludes_dot=define bincompat5005=undef Compiler: cc='cc' ccflags ='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' optimize='-Os -fomit-frame-pointer' cppflags='-D_REENTRANT -D_GNU_SOURCE -fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong' ccversion='' gccversion='6.4.0' gccosandvers='' intsize=4 longsize=8 ptrsize=8 doublesize=8 byteorder=12345678 doublekind=3 d_longlong=define longlongsize=8 d_longdbl=define longdblsize=16 longdblkind=3 ivtype='long' ivsize=8 nvtype='double' nvsize=8 Off_t='off_t' lseeksize=8 alignbytes=8 prototype=define Linker and Libraries: ld='cc' ldflags =' -fstack-protector-strong -L/usr/local/lib' libpth=/usr/include/fortify /usr/lib /usr/local/lib /lib/../lib /usr/lib/../lib /lib libs=-lpthread -ldl -lm -lcrypt -lutil -lc perllibs=-lpthread -ldl -lm -lcrypt -lutil -lc libc=/usr/lib/libc.a so=so useshrplib=true gnulibc_version='' Dynamic Linking: dlsrc=dl_dlopen.xs dlext=so d_dlsymun=undef ccdlflags='-rdynamic -Wl,-rpath,/usr/lib/perl5/core_perl/CORE' cccdlflags='-fPIC' lddlflags='-shared -Os -fomit-frame-pointer -L/usr/local/lib -fstack-protector-strong' Locally applied patches: Fedora Patch1: Removes date check, Fedora/RHEL specific Fedora Patch3: support for libdir64 Fedora Patch4: use libresolv instead of libbind Fedora Patch5: USE_MM_LD_RUN_PATH Fedora Patch6: Skip hostname tests, due to builders not being network capable Fedora Patch7: Dont run one io test due to random builder failures Fedora Patch9: Fix find2perl to translate ? glob properly (RT#113054) Fedora Patch10: Fix broken atof (RT#109318) Fedora Patch13: Clear $@ before \"do\" I/O error (RT#113730) Fedora Patch14: Do not truncate syscall() return value to 32 bits (RT#113980) Fedora Patch15: Override the Pod::Simple::parse_file (CPANRT#77530) Fedora Patch16: Do not leak with attribute on my variable (RT#114764) Fedora Patch17: Allow operator after numeric keyword argument (RT#105924) Fedora Patch18: Extend stack in File::Glob::glob, (RT#114984) Fedora Patch19: Do not crash when vivifying $| Fedora Patch20: Fix misparsing of maketext strings (CVE-2012-6329) Fedora Patch21: Add NAME headings to CPAN modules (CPANRT#73396) Fedora Patch22: Fix leaking tied hashes (RT#107000) [1] Fedora Patch23: Fix leaking tied hashes (RT#107000) [2] Fedora Patch24: Fix leaking tied hashes (RT#107000) [3] Fedora Patch25: Fix dead lock in PerlIO after fork from thread (RT#106212) Fedora Patch26: Make regexp safe in a signal handler (RT#114878) Fedora Patch27: Update h2ph(1) documentation (RT#117647) Fedora Patch28: Update pod2html(1) documentation (RT#117623) Fedora Patch29: Document Math::BigInt::CalcEmu requires Math::BigInt (CPAN RT#85015) RHEL Patch30: Use stronger algorithm needed for FIPS in t/op/crypt.t (RT#121591) RHEL Patch31: Make *DBM_File desctructors thread-safe (RT#61912) RHEL Patch32: Use stronger algorithm needed for FIPS in t/op/taint.t (RT#123338) RHEL Patch33: Remove CPU-speed-sensitive test in Benchmark test RHEL Patch34: Make File::Glob work with threads again RHEL Patch35: Fix CRLF conversion in ASCII FTP upload (CPAN RT#41642) RHEL Patch36: Do not leak the temp utf8 copy of namepv (CPAN RT#123786) RHEL Patch37: Fix duplicating PerlIO::encoding when spawning threads (RT#31923) --- @INC for perl 5.26.1: /usr/local/lib/perl5/site_perl /usr/local/share/perl5/site_perl /usr/lib/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib/perl5/core_perl /usr/share/perl5/core_perl --- Environment for perl 5.26.1: HOME=/root LANG=en_GB.UTF-8 LANGUAGE (unset) LD_LIBRARY_PATH (unset) LOGDIR (unset) PATH=/sbin:/bin:/usr/sbin:/usr/bin PERL_BADLANG (unset) SHELL=/bin/bash The information contained in this email message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any review, dissemination, distribution or copying is strictly prohibited. If you have received this email message in error, please notify the sender by reply email and delete the message and any attachments. Show quoted text
________________________________ McAfee Security UK Limited is registered in England and Wales with its registered address at C/O Skadden, Arps, Slate, Meagher & Flom (UK) LLP, 40 Bank Street, Canary Wharf, London, United Kingdom, E14 5DS, Company No. 10472868
RT-Send-CC: perl5-porters [...]
Download (untitled) / with headers
text/plain 1.3k
Thank you for your report This is already fixed in blead, and hence for 5.28. It was fixed by this commit commit 4dc12118f61b997fbd030230665b46e7c40f32d6 Author: Yves Orton <> Date: Sun Sep 10 10:59:05 2017 +0200 fix #132017 - OPFAIL insert needs to set flags to 0 why reginsert doesnt do this stuff I dont know. I believe tThis would be a candidate for backporting into the 5.26 maintenance release series. The commit that broke it in 5.26 is commit 31fc93954d1f379c7a49889d91436ce99818e1f6 Author: Yves Orton <> Date: Fri Jan 27 10:18:51 2017 +0100 fix RT #130561 - recursion and optimising away impossible quantifiers are not friends Instead of optimising away impossible quantifiers like (foo){1,0} treat them as unquantified, and guard them with an OPFAIL. Thus /(foo){1,0}/ is treated the same as /(*FAIL)(foo)/ this is important in patterns like /(foo){1,0}|(?1)/ where the (?1) needs to be able to recurse into the (foo) even though the (foo){1,0} can never match. It also resolves various issues (SEGVs) with patterns like /((?1)){1,0}/. This patch would have been easier if S_reginsert() documented that it is the callers responsibility to properly set up the NEXT_OFF() of the inserted node (if the node has a NEXT_OFF()) -- Karl Williamson
RT-Send-CC: perl5-porters [...]
Download (untitled) / with headers
text/plain 142b
And it turns out that this fix is already in 5.26.2, which is scheduled for release in 3 days, unless something delays it. -- Karl Williamson
RT-Send-CC: perl5-porters [...]
Download (untitled) / with headers
text/plain 109b
I meant it would be fixed in 5.26.2, which was released on schedule, and is now available -- Karl Williamson

This service is sponsored and maintained by Best Practical Solutions and runs on infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at