[perl #123782] SEGV on wraparound
# New Ticket Created by Hugo van der Sanden
# Please include the string: [perl #123782]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=123782 >


% miniperl -ce '/(?7777777777)/'
Segmentation fault (core dumped)
%

Found by AFL (<http://lcamtuf.coredump.cx/afl>).

This is caused by integer wraparound on a UV to I32 conversion; will add a fix shortly.

[perl #123782] SEGV on wraparound
Now fixed with b3725d49f9:

[perl #123782] regcomp: check for overflow on /(?123)/

AFL (<http://lcamtuf.coredump.cx/afl>) found that the UV to I32 conversion
can evade the necessary range checks on wraparound, leading to bad reads.

Check for it, and force to I32_MAX, expecting that this will usually
yield a "Reference to nonexistent group" error.

Hugo

---
via perlbug: queue: perl5 status: new
https://rt.perl.org/Ticket/Display.html?id=123782
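
An added illustration of the wraparound described in this thread, not Perl's regcomp.c and not code from the ticket. It is a simplified C model: uint64_t stands in for UV, int32_t for I32, and the function names and the "num > ngroups" range check are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not Perl's source. All names are hypothetical. */

/* Parse decimal digits into an unsigned 64-bit value, saturating
 * instead of wrapping if the digit string is too long. */
static uint64_t parse_digits(const char *s)
{
    uint64_t v = 0;
    for (; *s >= '0' && *s <= '9'; s++) {
        uint64_t d = (uint64_t)(*s - '0');
        if (v > (UINT64_MAX - d) / 10)
            return UINT64_MAX;
        v = v * 10 + d;
    }
    return v;
}

/* Before: plain narrowing. Out-of-range values are reduced modulo 2^32
 * on gcc and clang, so a huge group number can come out negative. */
static int32_t narrow_unchecked(uint64_t v) { return (int32_t)v; }

/* After: clamp to INT32_MAX so the range check below still fires. */
static int32_t narrow_clamped(uint64_t v)
{
    return v > (uint64_t)INT32_MAX ? INT32_MAX : (int32_t)v;
}

/* Assumed range check: reject a reference beyond the last group.
 * Returns 1 if the reference is accepted, 0 if rejected. */
static int group_ref_accepted(int32_t num, int32_t ngroups)
{
    return !(num > ngroups);
}

int main(void)
{
    uint64_t v = parse_digits("7777777777"); /* digits from the report */
    int32_t ngroups = 0;                     /* no capture groups */
    int32_t a = narrow_unchecked(v), b = narrow_clamped(v);
    printf("unchecked: %d accepted=%d\n", (int)a, group_ref_accepted(a, ngroups));
    printf("clamped:   %d accepted=%d\n", (int)b, group_ref_accepted(b, ngroups));
    return 0;
}
```

In this model the unchecked value is negative and passes the range check, while the clamped value is rejected as a reference to a nonexistent group.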