Capture corruption through self-modifying regexp (?{...}) #2310
Comments
From jfriedl@yahoo-inc.com
Created by jfriedl@yahoo-inc.com
With the latest bleedperl, the script

    #!/usr/local/bin/perl -w
    my $text = "a";
    print "text is [$text]\n";

prints (when piped through cat -v):

    text is [axxxxxxxxx]

An optimization stops it from going forever, which might be considered a
It might make sense to turn the target of a search into a read-only
Or maybe not -- self-modifying can be fun.
[*] as far as the optimizer causing side effects via (?{...}) to change,
Jeffrey
Perl Info

From [Unknown Contact. See original ticket]
Jeffrey Friedl (lists.p5p):
May demons forever fly out of your nose! What on *earth* is the correct

From [Unknown Contact. See original ticket]
Jeffrey Friedl <jfriedl@yahoo-inc.com> wrote
Bleagh! The effects of such antics should be undefined.
But the fact that you got garbage results suggests that SEGVs are not
Mike Guy

From @vanstyn
In <200008040802.BAA09267@ventrue.yahoo.com>, Jeffrey Friedl writes:
This has been discussed before; I agree it should be done.
:Or maybe not -- self-modifying can be fun.
It might be possible to add a new regexp flag to leave the target
Hugo

In 2013, @iabyn wrote:
I think it's time to close this ticket; if we find anything that still needs addressing it'll almost certainly happen in a new ticket in any case, but I also think there's a good chance fuzzers would already have pointed us at any remaining problems in this area if they have any reasonable chance of generating non-null-terminated strings in perl code. (Though if they don't, maybe we need to give them a way.)

From @khwilliamson
I tried this on blead essentially equivalent to 5.12 RC0, and get

From @gannett-ggreer
On Sun Mar 21 18:40:19 2010, khw wrote:
Looks like it eventually corrupts memory (as seen with -Mre=debug below):
- - - 8< - - - 8< - - -
There's junk at the beginning. With a self-modifying regex I think you
--

From @nwc10
Created by @nwc10
The regex engine assumes that the scalar it's matching over can't change.
If you use a (?{}) code block inside a regex to undefine the target scalar,

    $ valgrind ./perl -Ilib -le '$a = "ydydydyd"; warn $_ foreach $a =~ /[^x]d(?{undef $a})[^x]d/g'

That would be a bad thing :-(
It's not a terrible thing, given that:
For reasons of security, this construct is forbidden if the regular
My vague understanding of the engine is that there are mechanisms in place to
Nicholas Clark
Perl Info
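
An added example, not part of the ticket or the Perl source: it runs the two patterns quoted in the thread over a private copy of the target, so the code block can change or undefine the original scalar without touching the string the engine is scanning. `match_on_snapshot` is a hypothetical helper name and the inputs are constructed from the one-liners above.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not a Perl core API): match $re against a private copy
# of the target, so a (?{...}) block that modifies or undefines the original
# scalar never touches the buffer the regex engine is scanning. Also reports
# whether the original changed during the match.
sub match_on_snapshot {
    my ($target_ref, $re) = @_;
    my $before   = $$target_ref;   # assumed to be a defined string
    my $snapshot = $before;        # the engine only ever sees this copy
    my @captures = ($snapshot =~ $re);
    my $mutated  = !defined $$target_ref || $$target_ref ne $before;
    return { captures => \@captures, scanned => $snapshot, mutated => $mutated };
}

# Constructed input modelled on the first report: the code block appends to
# the variable named in the pattern while the match is in progress.
my $text = "a";
my $r = match_on_snapshot(\$text, qr/(.(?{ $text .= "x" }))*/);
printf "scanned=[%s] capture=[%s] original=[%s] mutated=%s\n",
    $r->{scanned}, $r->{captures}[0], $text, $r->{mutated} ? "yes" : "no";

# Constructed input modelled on the later report: the code block undefines
# the original, but the /g match keeps running over the intact copy.
my $s = "ydydydyd";
my $copy = $s;
my @hits = $copy =~ /[^x]d(?{ undef $s })[^x]d/g;
printf "hits=[%s] original is %s\n",
    join(",", @hits), defined $s ? "defined" : "undef";
```

The `mutated` flag gives calling code a cheap way to notice a pattern whose code block wrote to the variable it was asked to match.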

From @cpansprout
On Thu Jun 30 04:31:53 2011, nicholas wrote:
Isn’t this the same as bug #3634?

The RT System itself - Status changed from 'new' to 'open'

From @nwc10
On Thu Jun 30 08:37:23 2011, sprout wrote:
I think it might be. Sorry for the dup. I wasn't aware of the previous bug.
I guess this advice from Klortho applies:
#11943 Ah yes, and you are the first person to have noticed this bug
Although I wasn't reporting that 'if' doesn't work :-)

From @Abigail
On Thu, Jun 30, 2011 at 04:31:54AM -0700, Nicholas Clark wrote:
I'd say that given that (?{ }) is still marked experimental, and
Abigail

From @cpansprout
On Fri Jul 29 09:09:39 2011, abigail@abigail.be wrote:
Try looking at it in RT. :-)

From [Unknown Contact. See original ticket]
On Fri Jul 29 09:09:39 2011, abigail@abigail.be wrote:
Try looking at it in RT. :-)

From @cpansprout
On Thu Aug 03 18:02:21 2000, jfriedl@yahoo-inc.com wrote:
This is still a problem in bleadperl (c8d84f8), even after Dave

    $ pbpaste|./perl -Ilib

--
Father Chrysostomos

From @iabyn
On Thu, Jun 14, 2012 at 09:48:34AM -0700, Father Chrysostomos via RT wrote:
Yep, that's the one ticket in the metaticket that's not fixed yet.
--

From @cpansprout
On Thu Jun 14 15:13:18 2012, davem wrote:
This appears to be fixed now, and I suspect it is because of
--
Father Chrysostomos

From @iabyn
On Sat, Jul 27, 2013 at 07:05:39AM -0700, Father Chrysostomos via RT wrote:
The assertion failures stop with the following commit, according to

    commit 7016d6e
    stop regex engine reading beyond end of string

--

From @nwc10
On Sun, Jul 28, 2013 at 01:21:23AM +0100, Dave Mitchell wrote:
For the given test case, the errors also stop at that commit. I ran this:

    Porting/bisect.pl --expect-fail --target=miniperl -we '$_ = "a"; /(.(?{ $_ .= "x" }))*/;

it predates the merge of COW, so that won't affect it, but I did also try

    Porting/bisect.pl -Accflags=-DPERL_NO_COW --expect-fail --target=miniperl -we '$_ = "a"; /(.(?{ $_ .= "x" }))*/;

[From the commit message]
I guess it would also be possible to hack this to SEGV without valgrind by
But I guess that this won't reveal any more than the failures you already
Would a fuzzer help?
Nicholas Clark

Why isn't this closable?

Looks fixed; closing

Migrated from rt.perl.org#3634 (status was 'open')
Searchable as RT3634$