Blob Blame History Raw
From fbb9dc823a06b4815ee8fd8632fc475b8034e379 Mon Sep 17 00:00:00 2001
From: Yves Orton <demerphq@gmail.com>
Date: Fri, 27 Jan 2017 10:18:51 +0100
Subject: [PATCH] fix RT #130561 - recursion and optimising away impossible
 quantifiers are not friends
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ported to 5.24.1:

commit 31fc93954d1f379c7a49889d91436ce99818e1f6
Author: Yves Orton <demerphq@gmail.com>
Date:   Fri Jan 27 10:18:51 2017 +0100

    fix RT #130561 - recursion and optimising away impossible quantifiers are not friends

    Instead of optimising away impossible quantifiers like (foo){1,0} treat them
    as unquantified, and guard them with an OPFAIL. Thus /(foo){1,0}/ is treated
    the same as /(*FAIL)(foo)/ this is important in patterns like /(foo){1,0}|(?1)/
    where the (?1) needs to be able to recurse into the (foo) even though the
    (foo){1,0} can never match. It also resolves various issues (SEGVs) with patterns
    like /((?1)){1,0}/.

    This patch would have been easier if S_reginsert() documented that it is
    the callers responsibility to properly set up the NEXT_OFF() of the inserted
    node (if the node has a NEXT_OFF())

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 regcomp.c            | 14 +++-----------
 t/re/pat_rt_report.t | 11 ++++++++++-
 2 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/regcomp.c b/regcomp.c
index bcb8db5..9f343d3 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -11497,19 +11497,11 @@ S_regpiece(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
 	    nextchar(pRExC_state);
             if (max < min) {    /* If can't match, warn and optimize to fail
                                    unconditionally */
-                if (SIZE_ONLY) {
-
-                    /* We can't back off the size because we have to reserve
-                     * enough space for all the things we are about to throw
-                     * away, but we can shrink it by the amount we are about
-                     * to re-use here */
-                    RExC_size += PREVOPER(RExC_size) - regarglen[(U8)OPFAIL];
-                }
-                else {
+                if (PASS2) {
                     ckWARNreg(RExC_parse, "Quantifier {n,m} with n > m can't match");
-                    RExC_emit = orig_emit;
                 }
-                ret = reganode(pRExC_state, OPFAIL, 0);
+                reginsert(pRExC_state, OPFAIL, orig_emit, depth+1);
+                NEXT_OFF(orig_emit)= regarglen[OPFAIL] + NODE_STEP_REGNODE;
                 return ret;
             }
             else if (min == max && *RExC_parse == '?')
diff --git a/t/re/pat_rt_report.t b/t/re/pat_rt_report.t
index cb02ad2..2c1dbc4 100644
--- a/t/re/pat_rt_report.t
+++ b/t/re/pat_rt_report.t
@@ -20,7 +20,7 @@ use warnings;
 use 5.010;
 use Config;
 
-plan tests => 2500;  # Update this when adding/deleting tests.
+plan tests => 2502;  # Update this when adding/deleting tests.
 
 run_tests() unless caller;
 
@@ -1113,6 +1113,15 @@ EOP
 	my $s = "\x{1ff}" . "f" x 32;
 	ok($s =~ /\x{1ff}[[:alpha:]]+/gca, "POSIXA pointer wrap");
     }
+    {
+        # rt
+        fresh_perl_is(
+            '"foo"=~/((?1)){8,0}/; print "ok"',
+            "ok", {},  'RT #130561 - allowing impossible quantifier should not cause SEGVs');
+        my $s= "foo";
+        ok($s=~/(foo){1,0}|(?1)/,
+            "RT #130561 - allowing impossible quantifier should not break recursion");
+    }
 } # End of sub run_tests
 
 1;
-- 
2.7.4