panic: pp_match start/end pointers in m/^(?=.*(a)).*(bc)/ #7066

Closed
p5pRT opened this issue Jan 26, 2004 · 5 comments

p5pRT commented Jan 26, 2004

Migrated from rt.perl.org#25269 (status was 'resolved')

Searchable as RT25269$

p5pRT commented Jan 26, 2004

From wolf-dietrich.moeller@siemens.com

The following program dies in command line and as cgi under apache 2.0.48 on
WinNT and WinXP.
Program Version is 5.8.2_808 Win32 ActiveState.
The bug does not show on Perl 5.6.1 under Apache and freeBSD.

#!/usr/local/bin/perl

# test script to show match bug, 2004-01-24
# bug tested on 5.8.2_808 Win32 ActiveState,
# works correctly on Perl 5.6.1 under Apache and freeBSD
# output is (command line and CGI-script/error-log):
#######################################################
# # --> match with catching parentheses in look-ahead
# # --> ($x,$y) = m/^(?=.*(a)).*(bc)/;
# # 1: $_='abc'
# # $x='a', $y='bc'
# # 2: $_='bca'
# panic: pp_match start/end pointers at D:\Temp\test_catch.cgi line 26.
#######################################################
use strict;
$| = 1; # Flush buffer at once
binmode STDOUT;
print "Content-Type: text/plain\x0D\x0A\x0D\x0A";
my ($x,$y);
my $j = 0;
print "# --> match with catching parentheses in look-ahead\x0D\x0A",
      "# --> (\$x,\$y) = m/^(?=.*(a)).*(bc)/;\x0D\x0A";
#
for ('abc','bca') {
    print '# ',++$j,': $_=\''.$_.'\'',"\x0D\x0A";
    ($x,$y) = m/^(?=.*(a)).*(bc)/;
    print '# $x=\''.$x.'\', $y=\''.$y.'\'',"\x0D\x0A";
}

p5pRT commented Jan 29, 2004

From @hvds

Moeller Wolf-Dietrich (via RT) <perlbug-followup@perl.org> wrote:
:The following program dies in command line and as cgi under apache 2.0.48 on
:WinNT and WinXP.

Thanks for the report, I can confirm that this bug still exists in the
latest development version of perl.

The bug is specific to matches in list context, so if needs be you can
work around it by matching instead like:
  /^(?=.*(a)).*(bc)/ or die "no match";
  ($x, $y) = ($1, $2);

It will go wrong specifically if you have two consecutive captures
such that the startpoint of the first plus the length of the second
exceeds the length of the string: in this case $-[1] == 2,
length($2) == 2, and 2 + 2 > length("bca").

The problem occurs because the list construction uses the wrong
pointer to check for overrunning the end of the string; the patch
below (against bleadperl) should fix it.

Hugo

Inline Patch
--- pp_hot.c.old	Tue Jan 20 00:36:33 2004
+++ pp_hot.c	Thu Jan 29 15:02:05 2004
@@ -1312,10 +1312,10 @@
 	    /*SUPPRESS 560*/
 	    if ((rx->startp[i] != -1) && rx->endp[i] != -1 ) {
 		len = rx->endp[i] - rx->startp[i];
+		s = rx->startp[i] + truebase;
 	        if (rx->endp[i] < 0 || rx->startp[i] < 0 ||
 		    len < 0 || len > strend - s)
 		    DIE(aTHX_ "panic: pp_match start/end pointers");
-		s = rx->startp[i] + truebase;
 		sv_setpvn(*SP, s, len);
 		if (DO_UTF8(TARG) && is_utf8_string((U8*)s, len))
 		    SvUTF8_on(*SP);
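Review bot: the bounds test `len > strend - s` now depends on the `s = rx->startp[i] + truebase;` line sitting directly above it, and nothing in the code says so. Add a one-line comment at the assignment stating that s must point at this capture's start before the check, so a later tidy-up does not move it back below the DIE. Note also that s is now computed from rx->startp[i] before the `rx->startp[i] < 0` test in the same condition has run; folding the sign tests into the outer `if` would avoid forming a pointer from an offset that has not been validated yet.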
--- t/op/pat.t.old	Thu Jan  1 19:40:59 2004
+++ t/op/pat.t	Thu Jan 29 14:57:42 2004
@@ -6,7 +6,7 @@
 
 $| = 1;
 
-print "1..1055\n";
+print "1..1056\n";
 
 BEGIN {
     chdir 't' if -d 't';
@@ -3262,5 +3262,11 @@
     }
 }
 
-# last test 1055
+# perl #25269: panic: pp_match start/end pointers
+ok("a-bc" eq eval {
+	my($x, $y) = "bca" =~ /^(?=.*(a)).*(bc)/;
+	"$x-$y";
+}, 'captures can move backwards in string');
+
+# last test 1056
 
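Review bot: in the new t/op/pat.t test the `eval` swallows the panic text, so if this regresses the only output is a failed `ok` with no reason attached. Consider reporting `$@` when the eval returns undef (for example by appending it to the test name), so the "pp_match start/end pointers" message is visible in the failure.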

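The failure condition described in the comment above, modelled with byte offsets rather than pointers. This is an added example, not code from perl or from this thread: `struct cap`, `first_rejected`, the sample arrays and the starting value of `s` are assumptions of the model, and it goes one step beyond the report by including a constructed out-of-range capture to show what the check is there to reject.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One capture as byte offsets into the subject (cf. rx->startp[i], rx->endp[i]). */
struct cap { ptrdiff_t start, end; };

/* Offsets for /^(?=.*(a)).*(bc)/ on the report's two inputs, plus one
 * constructed out-of-range pair (not something the regex engine is claimed
 * to produce) to show what the check is for. */
static const struct cap ABC[] = { {0, 1}, {1, 3} };   /* "abc": $1 then $2 */
static const struct cap BCA[] = { {2, 3}, {0, 2} };   /* "bca": $2 starts before $1 */
static const struct cap BAD[] = { {0, 1}, {2, 5} };   /* constructed: runs past end */

/* Simplified model of the capture loop. Returns the 1-based number of the first
 * capture rejected by the bounds check, or 0 if every capture passes.
 * patched == 0: the check sees s left over from the previous capture.
 * patched == 1: s is set from this capture's start before the check.
 * Assumption: s begins at offset 0 of the subject. */
static int first_rejected(const char *subject, const struct cap *caps, int n, int patched)
{
    ptrdiff_t strend = (ptrdiff_t)strlen(subject);
    ptrdiff_t s = 0;
    for (int i = 0; i < n; i++) {
        ptrdiff_t len = caps[i].end - caps[i].start;
        if (caps[i].start < 0 || caps[i].end < 0 || len < 0)
            return i + 1;
        if (patched)
            s = caps[i].start;          /* patched order: set s, then check */
        if (len > strend - s)
            return i + 1;               /* where pp_match would DIE */
        s = caps[i].start;              /* pre-patch order: s set after the check */
    }
    return 0;
}

int main(void)
{
    printf("bca pre-patch: %d, patched: %d\n",
           first_rejected("bca", BCA, 2, 0), first_rejected("bca", BCA, 2, 1));
    printf("abc pre-patch: %d, patched: %d\n",
           first_rejected("abc", ABC, 2, 0), first_rejected("abc", ABC, 2, 1));
    printf("constructed pre-patch: %d, patched: %d\n",
           first_rejected("bca", BAD, 2, 0), first_rejected("bca", BAD, 2, 1));
    return 0;
}
```

In this model the stale pointer rejects the valid "bca" captures and accepts the constructed overrun, while the patched order does the reverse.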
p5pRT commented Jan 29, 2004

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Jan 29, 2004

@rgs - Status changed from 'open' to 'resolved'

@p5pRT p5pRT closed this as completed Jan 29, 2004

p5pRT commented Feb 2, 2004

From @rgs

hv@crypt.org wrote:

> Moeller Wolf-Dietrich (via RT) <perlbug-followup@perl.org> wrote:
> :The following program dies in command line and as cgi under apache 2.0.48 on
> :WinNT and WinXP.
>
> Thanks for the report, I can confirm that this bug still exists in the
> latest development version of perl.
>
> The bug is specific to matches in list context, so if needs be you can
> work around it by matching instead like:
>   /^(?=.*(a)).*(bc)/ or die "no match";
>   ($x, $y) = ($1, $2);
>
> It will go wrong specifically if you have two consecutive captures
> such that the startpoint of the first plus the length of the second
> exceeds the length of the string: in this case $-[1] == 2,
> length($2) == 2, and 2 + 2 > length("bca").
>
> The problem occurs because the list construction uses the wrong
> pointer to check for overrunning the end of the string; the patch
> below (against bleadperl) should fix it.
>
> Hugo
--- pp_hot.c.old Tue Jan 20 00​:36​:33 2004
+++ pp_hot.c Thu Jan 29 15​:02​:05 2004

Thanks, applied as #22245.
