
runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long' (regcomp.c:5935:23) #16113

Closed
p5pRT opened this issue Aug 14, 2017 · 9 comments

Comments


p5pRT commented Aug 14, 2017

Migrated from rt.perl.org#131893 (status was 'resolved')

Searchable as RT131893$


p5pRT commented Aug 14, 2017

From @geeknik

While fuzzing v5.27.2-135-g7aaa36b196*, undefined-behavior was triggered in
the form of a signed integer overflow in regcomp.c, however I'm not sure if
this is a bug.

./perl -e "0=~'0(0?(0||00*))|'"

regcomp.c:5935:23: runtime error: signed integer overflow: 1 + 9223372036854775807 cannot be represented in type 'long'
  #0 0xa5aa70 in S_study_chunk /root/perl5/regcomp.c:5935:23
  #1 0xa6df1c in S_study_chunk /root/perl5/regcomp.c:5894:35
  #2 0x9d6c65 in Perl_re_op_compile /root/perl5/regcomp.c:7574:11
  #3 0x56abc9 in Perl_pmruntime /root/perl5/op.c:5885:6
  #4 0x56413d in Perl_bind_match /root/perl5/op.c:4017:9
  #5 0x96ddc0 in Perl_yyparse /root/perl5/perly.y:990:23
  #6 0x6c1dfe in S_parse_body /root/perl5/perl.c:2414:9
  #7 0x6aeb39 in perl_parse /root/perl5/perl.c:1732:2
  #8 0x5251b6 in main /root/perl5/perlmain.c:121:18
  #9 0x7fe7401094d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)
  #10 0x4359d9 in _start (/root/perl5/perl+0x4359d9)

SUMMARY: AddressSanitizer: undefined-behavior regcomp.c:5935:23


p5pRT commented Aug 14, 2017

From zefram@fysh.org

Brian Carpenter wrote:

> the form of a signed integer overflow in regcomp.c, however I'm not sure if
> this is a bug.
>
> ./perl -e "0=~'0(0?(0||00*))|'"

There's nothing pathological about that regexp. I reckon it's a bug.

-zefram


p5pRT commented Aug 14, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Aug 14, 2017

From @tonycoz

On Sun, 13 Aug 2017 19:33:16 -0700, brian.carpenter@gmail.com wrote:

> While fuzzing v5.27.2-135-g7aaa36b196*, undefined-behavior was triggered in
> the form of a signed integer overflow in regcomp.c, however I'm not sure if
> this is a bug.
>
> ./perl -e "0=~'0(0?(0||00*))|'"

The attached fixes it for me.

There's other similar issues, perhaps it's finally time to do the work to close 121505.

Tony


p5pRT commented Aug 14, 2017

From @tonycoz

0001-perl-131893-prevent-integer-overflow-when-compiling-.patch
From f901dfa07af600039d9479d4da63db04b3b40f42 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Mon, 14 Aug 2017 15:10:22 +1000
Subject: (perl #131893) prevent integer overflow when compiling a regexp

a specific regexp in this case, other regexps may cause other overflows
---
 regcomp.c  | 8 ++++++--
 t/re/pat.t | 6 +++++-
 2 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/regcomp.c b/regcomp.c
index 5a9e56b..a421d24 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -5931,8 +5931,12 @@ Perl_re_printf( aTHX_  "LHS=%" UVuf " RHS=%" UVuf "\n",
                     data->cur_is_floating = 1; /* float */
             }
             min += min1;
-            if (delta != SSize_t_MAX)
-                delta += max1 - min1;
+            if (delta != SSize_t_MAX) {
+                if (SSize_t_MAX - (max1 - min1) >= delta)
+                    delta += max1 - min1;
+                else
+                    delta = SSize_t_MAX;
+            }
             if (flags & SCF_DO_STCLASS_OR) {
                 ssc_or(pRExC_state, data->start_class, (regnode_charclass *) &accum);
                 if (min1) {
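Review bot: the new guard `SSize_t_MAX - (max1 - min1) >= delta` is only well-defined when `max1 - min1` is non-negative; if `max1` could ever be smaller than `min1`, the subtraction `SSize_t_MAX - (max1 - min1)` would itself overflow before the comparison runs, so an `assert(max1 >= min1)` or a comment stating that invariant next to the check would document the assumption. In the same hunk, `min += min1` three lines above the guard remains unchecked, which matches the commit message's warning that other regexps may overflow elsewhere; a small saturating-add helper used at both sites would avoid repeating the open-coded comparison.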
diff --git a/t/re/pat.t b/t/re/pat.t
index fb6d4c4..984fd66 100644
--- a/t/re/pat.t
+++ b/t/re/pat.t
@@ -23,7 +23,7 @@ BEGIN {
     skip_all('no re module') unless defined &DynaLoader::boot_DynaLoader;
     skip_all_without_unicode_tables();
 
-plan tests => 837;  # Update this when adding/deleting tests.
+plan tests => 838;  # Update this when adding/deleting tests.
 
 run_tests() unless caller;
 
@@ -1916,6 +1916,10 @@ EOP
         pos($text) = 3;
         ok(scalar($text !~ m{(~*=[a-z]=)}g), "RT #131575");
     }
+    {
+        # RT #131893 - fails with ASAN -fsanitize=undefined
+        fresh_perl_is('qr/0(0?(0||00*))|/', '', {}, "integer overflow during compilation");
+    }
 
 } # End of sub run_tests
 
-- 
2.1.4
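The overflow in the report comes from how study_chunk accumulates two length bounds for a sub-pattern: `min`, the shortest possible match, and `delta`, how much longer than `min` a match may be, with `SSize_t_MAX` doubling as an "unbounded" sentinel. In `0(0?(0||00*))|`, the `0?` leaves `delta` at 1, and the inner alternation `(0||00*)` contributes `max1 - min1 = SSize_t_MAX - 0`, so the unchecked `delta += max1 - min1` computes `1 + 9223372036854775807`. The C below is an added illustration of that arithmetic and of the saturating form the patch introduces; it is not Perl's code, and `bounds_t`, `alt_bounds`, `append_group` and the branch bounds are constructed for the example rather than taken from regcomp.c.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for Perl's SSize_t_MAX: a delta of this value means "unbounded". */
#define UNBOUNDED LONG_MAX

/* Length bounds carried for a sub-pattern (modelled here, not Perl's struct). */
typedef struct {
    long min;    /* shortest possible match length */
    long delta;  /* longest minus shortest, or UNBOUNDED */
} bounds_t;

/* True if a + b would overflow a long. Precondition: a >= 0 and b >= 0, so
 * LONG_MAX - a cannot itself overflow (the same assumption the patch makes
 * about max1 - min1 being non-negative). */
static bool add_would_overflow(long a, long b)
{
    return b > LONG_MAX - a;
}

/* Saturating replacement for the unchecked `delta += max1 - min1`. */
static long sat_add(long a, long b)
{
    return add_would_overflow(a, b) ? LONG_MAX : a + b;
}

/* Longest match of a branch, UNBOUNDED if it has no upper bound. */
static long bounds_max(bounds_t b)
{
    return b.delta == UNBOUNDED ? UNBOUNDED : sat_add(b.min, b.delta);
}

/* Alternation: the group matches as little as its shortest branch and as
 * much as its longest one. */
static void alt_bounds(const bounds_t *br, int n, long *min1, long *max1)
{
    *min1 = LONG_MAX;
    *max1 = 0;
    for (int i = 0; i < n; i++) {
        long m = bounds_max(br[i]);
        if (br[i].min < *min1) *min1 = br[i].min;
        if (m > *max1)         *max1 = m;
    }
}

/* Fold a group with bounds (min1, max1) into the enclosing accumulator,
 * mirroring the patched code path. Returns true if the pre-patch unchecked
 * addition would have overflowed; with saturate == false that addition is
 * skipped instead of executing undefined behaviour. */
static bool append_group(bounds_t *acc, long min1, long max1, bool saturate)
{
    bool overflow = false;
    acc->min += min1;                 /* still unchecked, as in the patch */
    if (acc->delta != UNBOUNDED) {
        long extra = max1 - min1;     /* assumes max1 >= min1 */
        overflow = add_would_overflow(acc->delta, extra);
        if (saturate)
            acc->delta = sat_add(acc->delta, extra);
        else if (!overflow)
            acc->delta += extra;
    }
    return overflow;
}

/* Contents of the outer group in the reported pattern 0(0?(0||00*))|:
 * `0?` contributes (min 0, delta 1); the inner alternation (0||00*) has the
 * branches `0`, empty and `00*`. The bounds are constructed by hand. */
static bool study_reported_group(bool saturate, bounds_t *out)
{
    bounds_t acc = { 0, 1 };
    const bounds_t inner[3] = {
        { 1, 0 },          /* `0`   */
        { 0, 0 },          /* empty */
        { 1, UNBOUNDED },  /* `00*` */
    };
    long min1, max1;
    alt_bounds(inner, 3, &min1, &max1);   /* min1 = 0, max1 = UNBOUNDED */
    bool overflow = append_group(&acc, min1, max1, saturate);
    *out = acc;
    return overflow;
}

/* Accessors used to check the two outcomes. */
static long reported_delta_saturating(void)
{
    bounds_t b;
    study_reported_group(true, &b);
    return b.delta;
}

static bool reported_unchecked_overflows(void)
{
    bounds_t b;
    return study_reported_group(false, &b);
}

int main(void)
{
    printf("unchecked: 1 + %ld overflows: %s\n", LONG_MAX,
           reported_unchecked_overflows() ? "yes" : "no");
    printf("saturating: delta=%s\n",
           reported_delta_saturating() == UNBOUNDED ? "UNBOUNDED" : "bounded");
    return 0;
}
```

The point of `append_group` is that the `delta != UNBOUNDED` test on its own only protects an accumulator that is already saturated; any finite `delta` added to an unbounded branch still needs the explicit comparison, which is exactly the case the fuzzer found.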


p5pRT commented Dec 6, 2017

From zefram@fysh.org

Tony's patch looks good to me. I've applied it as commit 6c4f4eb.

-zefram


p5pRT commented Dec 7, 2017

@cpansprout - Status changed from 'open' to 'pending release'


p5pRT commented Jun 23, 2018

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been
resolved.

Perl 5.28.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.28.0

If you find that the problem persists, feel free to reopen this ticket.

p5pRT closed this as completed Jun 23, 2018

p5pRT commented Jun 23, 2018

@khwilliamson - Status changed from 'pending release' to 'resolved'
