authorHugo van der Sanden <hv@crypt.org>2015-02-10 14:25:42 +0000
committerHugo van der Sanden <hv@crypt.org>2015-02-10 14:59:56 +0000
commitb3725d49f914ef2bed63d7eb92a72ef6e886b489 (patch)
treeba454add8d092734df39f1ad58ddb05aa1ede7bd /regcomp.c
parent0fa70a06a98fc8fa9840d4dbaa31fc2d3b28b99b (diff)
[perl #123782] regcomp: check for overflow on /(?123)/
AFL (<http://lcamtuf.coredump.cx/afl>) found that the UV to I32 conversion can evade the necessary range checks on wraparound, leading to bad reads. Check for it, and force to I32_MAX, expecting that this will usually yield a "Reference to nonexistent group" error.
Diffstat (limited to 'regcomp.c')
-rw-r--r--regcomp.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/regcomp.c b/regcomp.c
index 9e1fab9e89..a761fd52a2 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -10118,12 +10118,14 @@ S_reg(pTHX_ RExC_state_t *pRExC_state, I32 paren, I32 *flagp,U32 depth)
parse_recursion:
{
bool is_neg = FALSE;
+ UV unum;
parse_start = RExC_parse - 1; /* MJD */
if (*RExC_parse == '-') {
RExC_parse++;
is_neg = TRUE;
}
- num = grok_atou(RExC_parse, &endptr);
+ unum = grok_atou(RExC_parse, &endptr);
+ num = (unum > I32_MAX) ? I32_MAX : (I32)unum;
if (endptr)
RExC_parse = (char*)endptr;
if (is_neg) {
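Review bot: The saturation on the added `num = (unum > I32_MAX) ? I32_MAX : (I32)unum;` line has no comment, so a later reader cannot tell that an out-of-range group number is deliberately pinned to a value expected to fail the group-existence check rather than being a valid result. I would add above it `/* saturate: a UV that does not fit in I32 must not wrap into a plausible group number; I32_MAX should fail later as a nonexistent group */`. The `if (is_neg)` branch and the rest of the block lie outside the hunk, so I cannot confirm it from these lines, but any later arithmetic that combines `num` with a group counter for relative references should be checked for signed overflow now that `num` can be exactly `I32_MAX`. A regression test with an oversized `(?N)` and an oversized relative reference would pin both paths; none is visible in this diff, which is limited to regcomp.c.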