[PATCH] Coverity: regcomp.c: array access past the end #13759
Comments
From @jhi:
Attached.
From @jhi:
0007-Fix-for-Coverity-perl5-CID-29032.patch
From e38bd386547240e3ea18d639de3a5f53a3cb0053 Mon Sep 17 00:00:00 2001
From: Jarkko Hietaniemi <jhi@iki.fi>
Date: Mon, 21 Apr 2014 18:15:58 -0400
Subject: [PATCH 7/9] Fix for Coverity perl5 CID 29032: Out-of-bounds read
(OVERRUN) overrun-local: Overrunning array anyofs of 34 8-byte elements at
element index 34 (byte offset 272) using index index (which evaluates to 34).
Off-by-one error: because the test "index > number of elements"
should have used ">=", the anyofs[] could have been accessed one
past the end. Use the C_ARRAY_LENGTH since we have it.
I think regprop is only used by -Mre=debug.
---
regcomp.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/regcomp.c b/regcomp.c
index ca2ffb8..0238af9 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -15831,10 +15831,7 @@ Perl_regprop(pTHX_ const regexp *prog, SV *sv, const regnode *o, const regmatch_
}
else if (k == POSIXD || k == NPOSIXD) {
U8 index = FLAGS(o) * 2;
- if (index > (sizeof(anyofs) / sizeof(anyofs[0]))) {
- Perl_sv_catpvf(aTHX_ sv, "[illegal type=%d])", index);
- }
- else {
+ if (index < C_ARRAY_LENGTH(anyofs)) {
if (*anyofs[index] != '[') {
sv_catpv(sv, "[");
}
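Review bot: In `U8 index = FLAGS(o) * 2;` the product is narrowed to 8 bits before the new `index < C_ARRAY_LENGTH(anyofs)` test, so if `FLAGS(o)` can ever be 128 or more the value wraps to a small even number, passes the check, and selects an unrelated `anyofs[]` entry instead of reaching the "illegal type" branch. The switch to `<` against `C_ARRAY_LENGTH(anyofs)` does close the one-past-the-end read, but consider holding the index in a wider unsigned type (or checking `FLAGS(o)` against half the array length before doubling) so the bound is tested on the untruncated value.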
@@ -15843,6 +15840,9 @@ Perl_regprop(pTHX_ const regexp *prog, SV *sv, const regnode *o, const regmatch_
sv_catpv(sv, "]");
}
}
+ else {
+ Perl_sv_catpvf(aTHX_ sv, "[illegal type=%d])", index);
+ }
}
else if (k == BRANCHJ && (OP(o) == UNLESSM || OP(o) == IFMATCH))
Perl_sv_catpvf(aTHX_ sv, "[%d]", -(o->flags));
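Review bot: The relocated `else` branch still prints `index` under the label `type=`, and `index` is `FLAGS(o) * 2` after narrowing to `U8`, so the debug output shows the doubled value rather than the node's flags; printing `FLAGS(o)` would make the message match its label. The format string `"[illegal type=%d])"` also ends with a `)` that has no opening counterpart in the string, carried over unchanged from the removed lines, and is worth dropping unless it closes something emitted earlier in the function.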
--
1.8.5.2 (Apple Git-48)
From @tonycoz:
On Tue Apr 22 17:31:15 2014, jhi wrote:
Added as a 5.21.1 blocker.
Tony
The RT System itself - Status changed from 'new' to 'open'
@tonycoz - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#121710 (status was 'resolved')
Searchable as RT121710$