From dd88eabcdaecfe56bd4dd50fcb557ad59bed4855 Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova <jplesnik@redhat.com>
Date: Thu, 7 Jan 2021 12:50:21 +0100
Subject: [PATCH] regcomp.c: Prevent integer overflow from nested regex
quantifiers.
(CVE-2020-10543) On 32bit systems the size calculations for nested regular
expression quantifiers could overflow causing heap memory corruption.
---
AUTHORS | 1 +
perl.h | 2 ++
regcomp.c | 6 ++++++
t/re/pat.t | 1 +
4 files changed, 10 insertions(+)
diff --git a/AUTHORS b/AUTHORS
index 9589b5b..b69783a 100644
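--- a/AUTHORS
+++ b/AUTHORS
@@ -558,6 +558,7 @@ John Holdsworth <coldwave@bigfoot.com>
 John Hughes <john@AtlanTech.COM>
 John Kristian <jmk2001@engineer.com>
 John L. Allen <allen@grumman.com>
+John Lightsey <jd@cpanel.net>
 John Macdonald <jmm@revenge.elegant.com>
 John Malmberg <wb8tyw@gmail.com>
 John Nolan <jpnolan@Op.Net>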
diff --git a/perl.h b/perl.h
index e532af2..9806c58 100644
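--- a/perl.h
+++ b/perl.h
@@ -1758,6 +1758,8 @@ typedef UVTYPE UV;
 # endif
 #endif
 
+#define SSize_t_MAX (SSize_t)(~(size_t)0 >> 1)
+
 #ifndef HAS_QUAD
 # undef PERL_NEED_MY_HTOLE64
 # undef PERL_NEED_MY_LETOH64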
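Review bot: The expansion of `SSize_t_MAX` is a bare cast expression with no outer parentheses; it behaves correctly in the arithmetic uses added to regcomp.c because a cast binds tighter than `/` and `-`, but the conventional and safer form is `#define SSize_t_MAX ((SSize_t)(~(size_t)0 >> 1))`. The value is the maximum of SSize_t only if that type has the same width as size_t, which this hunk does not show, so a one-line comment stating that assumption would help. An `#ifndef SSize_t_MAX` guard around the definition would also avoid a redefinition if the macro already exists elsewhere in the tree being patched.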
diff --git a/regcomp.c b/regcomp.c
index 57505f3..a02c296 100644
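--- a/regcomp.c
+++ b/regcomp.c
@@ -3848,6 +3848,12 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
 "Quantifier unexpected on zero-length expression");
 }
 
+ if ( ( minnext > 0 && mincount >= SSize_t_MAX / minnext )
+ || min >= SSize_t_MAX - minnext * mincount )
+ {
+ FAIL("Regexp out of space");
+ }
+
 min += minnext * mincount;
 is_inf_internal |= ((maxcount == REG_INFTY
 && (minnext + deltanext) > 0)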
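Review bot: The second operand of the new guard, `min >= SSize_t_MAX - minnext * mincount`, is overflow-free only because the first operand short-circuits whenever the product would not fit, and both halves assume `minnext` and `mincount` are non-negative; neither dependency is written down. The declarations of those variables are outside this hunk, so the signedness assumption should be confirmed against them. A comment above the `if` would keep a later edit from reordering the tests, for example `/* Order matters: the first test proves minnext * mincount fits in SSize_t before the second evaluates it. */`. The `>=` comparisons also reject the exact boundary value, which is conservative and harmless. S_study_chunk begins and ends outside the hunk.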
diff --git a/t/re/pat.t b/t/re/pat.t
index e328fbd..214a14b 100644
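--- a/t/re/pat.t
+++ b/t/re/pat.t
@@ -16,6 +16,7 @@ $| = 1;
 BEGIN {
 chdir 't' if -d 't';
 @INC = ('../lib','.');
+ require Config; import Config;
 require './test.pl';
 }
 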
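Review bot: No regression test for the new "Regexp out of space" failure is visible in this patch; the only change to the test file is `require Config; import Config;` in the BEGIN block, and the diffstat records a single added line for t/re/pat.t. Loading Config suggests a test conditioned on `$Config{ptrsize}` was intended, since the commit message ties the overflow to 32-bit systems, but nothing in the hunk uses it. Either add a test that expects the compile-time error on 32-bit builds, or drop the import and say in the description that the fix is untested here. The rest of the file is outside the hunk, so an existing use of `%Config` further down cannot be ruled out.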
--
2.26.2