From 3458f6115ca8e8d11779948c12b7e1cc5803358c Mon Sep 17 00:00:00 2001
From: Karl Williamson
Date: Sat, 25 Mar 2017 15:00:22 -0600
Subject: [PATCH 2/3] regcomp.c: Convert some strchr to memchr
This allows things to work properly in the face of embedded NULs. See the branch merge message for more information.
(cherry picked from commit 43b2f4ef399e2fd7240b4eeb0658686ad95f8e62)
CVE: CVE-2018-18313
Upstream-Status: Backport [https://perl5.git.perl.org/perl.git/commit/c1c28ce6ba90ee05aa96b11ad551a6063680f3b9]
Signed-off-by: Dan Tran
---
 regcomp.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/regcomp.c b/regcomp.c
index 00d26d9290..2688979882 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -11783,8 +11783,9 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pRExC_state,
 RExC_parse++; /* Skip past the '{' */
- if (! (endbrace = strchr(RExC_parse, '}')) /* no trailing brace */
- || ! (endbrace == RExC_parse /* nothing between the {} */
+ endbrace = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
+ if ((! endbrace) /* no trailing brace */
+ || ! (endbrace == RExC_parse /* nothing between the {} */
 || (endbrace - RExC_parse >= 2 /* U+ (bad hex is checked... */
 && strnEQ(RExC_parse, "U+", 2)))) /* ... below for a better error msg) */
@@ -12483,9 +12484,11 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
 else {
 STRLEN length;
 char name = *RExC_parse;
- char * endbrace;
+ char * endbrace = NULL;
 RExC_parse += 2;
- endbrace = strchr(RExC_parse, '}');
+ if (RExC_parse < RExC_end) {
+ endbrace = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
+ }
 if (! endbrace) {
 vFAIL2("Missing right brace on \\%c{}", name);
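Review bot: In the S_grok_bslash_N hunk the memchr length `RExC_end - RExC_parse` is computed right after `RExC_parse++` with no visible check that the pointer has not moved past RExC_end, whereas the S_regatom hunk wraps the same call in `if (RExC_parse < RExC_end)`. The pointer difference is converted to memchr's size_t count, so a negative value would become a very large scan length. If an earlier test outside this hunk already guarantees that the '{' lay inside the pattern, record that with `assert(RExC_parse <= RExC_end);` just before the call; otherwise guard it the way S_regatom does. The function starts and ends outside the hunk, so the existing precondition cannot be confirmed from here.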
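Review bot: The new `if (RExC_parse < RExC_end)` guard in the S_regatom hunk carries no comment explaining why it is needed, which makes it easy to remove in a later cleanup. The guard implies that `RExC_parse += 2` may leave the pointer at or past RExC_end, where `RExC_end - RExC_parse` would be zero or negative and a negative value would wrap when passed as memchr's size_t count. A comment such as `/* after += 2 we may be at or past the end; a negative length would wrap as size_t */` above the `if` would record that. The `vFAIL2` path below is then presumably reached with RExC_parse possibly beyond RExC_end, so it is worth confirming that the error reporter tolerates that position. The enclosing function starts and ends outside the hunk.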
@@ -15939,7 +15942,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
 vFAIL2("Empty \\%c", (U8)value);
 if (*RExC_parse == '{') {
 const U8 c = (U8)value;
- e = strchr(RExC_parse, '}');
+ e = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
 if (!e) {
 RExC_parse++;
 vFAIL2("Missing right brace on \\%c{}", c);
--
2.22.0.vfs.1.1.57.gbaf16c8