author | Andrew Fresh <afresh1@cvs.openbsd.org> | 2017-09-22 23:15:02 +0000 |
---|---|---|
committer | Andrew Fresh <afresh1@cvs.openbsd.org> | 2017-09-22 23:15:02 +0000 |
commit | 7e685889b9914c68684d96e036dfa71f4b565792 (patch) | |
tree | a5c6e3922714e41d72a14333c44531cd993edbfc /gnu/usr.bin/perl | |
parent | c57c9aabf48d2b08900f11110e3fbda4977017b3 (diff) |
A buffer over-read and heap overflow in perl's regexp may result in
a crash or memory leak.
Fixes
* CVE-2017-12883 (Buffer over-read)
* CVE-2017-12837 (Heap overflow when compiling case-insensitive regexp)
Patches by Karl Williamson
Diffstat (limited to 'gnu/usr.bin/perl')
-rw-r--r-- | gnu/usr.bin/perl/regcomp.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/gnu/usr.bin/perl/regcomp.c b/gnu/usr.bin/perl/regcomp.c index be6cb96a700..29b1ffe7c5a 100644 --- a/gnu/usr.bin/perl/regcomp.c +++ b/gnu/usr.bin/perl/regcomp.c @@ -11918,14 +11918,16 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pRExC_state, } sv_catpv(substitute_parse, ")"); - RExC_parse = RExC_start = RExC_adjusted_start = SvPV(substitute_parse, - len); + len = SvCUR(substitute_parse); /* Don't allow empty number */ if (len < (STRLEN) 8) { RExC_parse = endbrace; vFAIL("Invalid hexadecimal number in \\N{U+...}"); } + + RExC_parse = RExC_start = RExC_adjusted_start + = SvPV_nolen(substitute_parse); RExC_end = RExC_parse + len; /* The values are Unicode, and therefore not subject to recoding, but @@ -13018,6 +13020,7 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth) goto loopdone; } p = RExC_parse; + RExC_parse = parse_start; if (ender > 0xff) { REQUIRE_UTF8(flagp); } |
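Review bot: in the S_grok_bslash_N hunk, the new ordering (length check and vFAIL first, the `RExC_parse = RExC_start = RExC_adjusted_start` assignment second) is what the fix relies on, but nothing in the code says so. The failure branch sets `RExC_parse = endbrace`, which is only consistent with RExC_start and RExC_adjusted_start while they have not yet been repointed at substitute_parse. A short comment above the moved assignment stating that it must stay after the check would keep a later cleanup from folding it back into a single SvPV(substitute_parse, len) call. The bare 8 in `len < (STRLEN) 8` also deserves a comment or a named constant saying which fixed text in substitute_parse it accounts for, since "Don't allow empty number" does not explain the value.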
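Review bot: in the S_regatom hunk, the added `RExC_parse = parse_start;` carries no comment, and its position directly before `REQUIRE_UTF8(flagp)` is the only hint of why it is there. Please add a line saying what state RExC_parse must be in when REQUIRE_UTF8(flagp) runs for ender > 0xff, and confirm that the reset is also intended on the ender <= 0xff path, since it sits outside the if. The commit message does not say which of the two CVEs this hunk addresses; noting that next to the change would help anyone backporting one fix without the other.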