From dd88eabcdaecfe56bd4dd50fcb557ad59bed4855 Mon Sep 17 00:00:00 2001
From: Jitka Plesnikova <jplesnik@redhat.com>
Date: Thu, 7 Jan 2021 12:50:21 +0100
Subject: [PATCH] regcomp.c: Prevent integer overflow from nested regex
quantifiers.
(CVE-2020-10543) On 32-bit systems, the size calculations for nested regular
expression quantifiers could overflow, causing heap memory corruption.
---
AUTHORS | 1 +
perl.h | 2 ++
regcomp.c | 6 ++++++
t/re/pat.t | 1 +
4 files changed, 10 insertions(+)
diff --git a/AUTHORS b/AUTHORS
index 9589b5b..b69783a 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -558,6 +558,7 @@ John Holdsworth <coldwave@bigfoot.com>
John Hughes <john@AtlanTech.COM>
John Kristian <jmk2001@engineer.com>
John L. Allen <allen@grumman.com>
+John Lightsey <jd@cpanel.net>
John Macdonald <jmm@revenge.elegant.com>
John Malmberg <wb8tyw@gmail.com>
John Nolan <jpnolan@Op.Net>
diff --git a/perl.h b/perl.h
index e532af2..9806c58 100644
--- a/perl.h
+++ b/perl.h
@@ -1758,6 +1758,8 @@ typedef UVTYPE UV;
# endif
#endif
+#define SSize_t_MAX (SSize_t)(~(size_t)0 >> 1)
+
#ifndef HAS_QUAD
# undef PERL_NEED_MY_HTOLE64
# undef PERL_NEED_MY_LETOH64
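Review bot: The new `SSize_t_MAX` define is neither guarded against an existing definition nor wrapped in outer parentheses, and it has no comment stating the assumption it depends on. The value is derived from `size_t`, so it is correct only where `SSize_t` has the same width as `size_t`; that is likely on supported platforms but is not shown in this hunk. I would write it as `#ifndef SSize_t_MAX` / `# define SSize_t_MAX ((SSize_t)(~(size_t)0 >> 1))` / `#endif`, preceded by a comment such as `/* largest SSize_t; assumes SSize_t and size_t have the same width */`.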
diff --git a/regcomp.c b/regcomp.c
index 57505f3..a02c296 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -3848,6 +3848,12 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
"Quantifier unexpected on zero-length expression");
}
+ if ( ( minnext > 0 && mincount >= SSize_t_MAX / minnext )
+ || min >= SSize_t_MAX - minnext * mincount )
+ {
+ FAIL("Regexp out of space");
+ }
+
min += minnext * mincount;
is_inf_internal |= ((maxcount == REG_INFTY
&& (minnext + deltanext) > 0)
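Review bot: The second clause of the added guard, `min >= SSize_t_MAX - minnext * mincount`, is overflow-free only because the first clause short-circuits whenever the product would not fit, and nothing in the code records that dependency. A comment above the `if` would stop a later edit from reordering or splitting the clauses, for example `/* clause order matters: the product is evaluated only after the first test shows it cannot overflow */`. The first test also applies only when `minnext > 0`, and the declarations of `min`, `minnext` and `mincount` are outside the hunk, so it should be confirmed that negative values cannot reach this point. S_study_chunk starts and ends outside the hunk.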
diff --git a/t/re/pat.t b/t/re/pat.t
index e328fbd..214a14b 100644
--- a/t/re/pat.t
+++ b/t/re/pat.t
@@ -16,6 +16,7 @@ $| = 1;
BEGIN {
chdir 't' if -d 't';
@INC = ('../lib','.');
+ require Config; import Config;
require './test.pl';
}
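Review bot: No test for the new "Regexp out of space" failure is visible in this patch; the only change to this file is loading `Config` in the `BEGIN` block, and the diffstat shows one added line. If the upstream regression test was dropped in this backport, the fix is unverified on the 32-bit builds it targets. I would add a case, skipped unless `$Config{ptrsize} == 4`, that compiles a nested counted-quantifier pattern inside `eval` and checks the error with `like($@, qr/Regexp out of space/, ...)`. Without such a test, `require Config; import Config;` has no visible user in this file and could be left out.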
--
2.26.2