Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[PATCH] Coverity: regcomp.c: array access past the end #13759

Closed
p5pRT opened this issue Apr 23, 2014 · 6 comments
Closed

[PATCH] Coverity: regcomp.c: array access past the end #13759

p5pRT opened this issue Apr 23, 2014 · 6 comments

Comments

@p5pRT
Copy link

p5pRT commented Apr 23, 2014

Migrated from rt.perl.org#121710 (status was 'resolved')

Searchable as RT121710$
@p5pRT
Copy link
Author

p5pRT commented Apr 23, 2014

From @jhi

Attached.

@p5pRT
Copy link
Author

p5pRT commented Apr 23, 2014

From @jhi

0007-Fix-for-Coverity-perl5-CID-29032.patch 
From e38bd386547240e3ea18d639de3a5f53a3cb0053 Mon Sep 17 00:00:00 2001
From: Jarkko Hietaniemi <jhi@iki.fi>
Date: Mon, 21 Apr 2014 18:15:58 -0400
Subject: [PATCH 7/9] Fix for Coverity perl5 CID 29032: Out-of-bounds read
 (OVERRUN) overrun-local: Overrunning array anyofs of 34 8-byte elements at
 element index 34 (byte offset 272) using index index (which evaluates to 34).

Off-by-one error: because the test "index > number of elements"
should have used ">=", the anyofs[] could have been accessed one
past the end.  Use the C_ARRAY_LENGTH since we have it.
I think regprop is only used by -Mre=debug.
---
 regcomp.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/regcomp.c b/regcomp.c
index ca2ffb8..0238af9 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -15831,10 +15831,7 @@ Perl_regprop(pTHX_ const regexp *prog, SV *sv, const regnode *o, const regmatch_
     }
     else if (k == POSIXD || k == NPOSIXD) {
         U8 index = FLAGS(o) * 2;
-        if (index > (sizeof(anyofs) / sizeof(anyofs[0]))) {
-            Perl_sv_catpvf(aTHX_ sv, "[illegal type=%d])", index);
-        }
-        else {
+        if (index < C_ARRAY_LENGTH(anyofs)) {
             if (*anyofs[index] != '[')  {
                 sv_catpv(sv, "[");
             }
@@ -15843,6 +15840,9 @@ Perl_regprop(pTHX_ const regexp *prog, SV *sv, const regnode *o, const regmatch_
                 sv_catpv(sv, "]");
             }
         }
+        else {
+            Perl_sv_catpvf(aTHX_ sv, "[illegal type=%d])", index);
+        }
     }
     else if (k == BRANCHJ && (OP(o) == UNLESSM || OP(o) == IFMATCH))
 	Perl_sv_catpvf(aTHX_ sv, "[%d]", -(o->flags));
-- 
1.8.5.2 (Apple Git-48)

@p5pRT
Copy link
Author

p5pRT commented Apr 23, 2014

From @tonycoz

On Tue Apr 22 17​:31​:15 2014, jhi wrote​:

Attached.

Added as a 5.21.1 blocker.

Tony

@p5pRT
Copy link
Author

p5pRT commented Apr 23, 2014

The RT System itself - Status changed from 'new' to 'open'

@p5pRT
Copy link
Author

p5pRT commented Apr 30, 2014

From @tonycoz

On Tue Apr 22 17​:31​:15 2014, jhi wrote​:

Attached.

Thanks, added as a 5.20 blocker and applied as 53673d9.

Tony

@p5pRT
Copy link
Author

p5pRT commented Apr 30, 2014

@tonycoz - Status changed from 'open' to 'resolved'

@p5pRT p5pRT closed this as completed Apr 30, 2014
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@p5pRT