From: Eugene V. Lyubimkin
Subject: Fix a DoS in Unicode processing [CVE-2009-3626]
Bug-Debian: http://bugs.debian.org/552291
Bug: http://rt.perl.org/rt3/Public/Bug/Display.html?id=69973
Origin: upstream, http://perl5.git.perl.org/perl.git/commit/0abd0d78a73da1c4d13b1c700526b7e5d03b32d4.
Resolves segmentation fault in some tricky tainted non-UTF-8 matches.
Signed-off-by: Eugene V. Lyubimkin
---
 ext/re/t/regop.t | 12 ++++++------
 regcomp.c | 17 +++++++++++------
 regexec.c | 9 ++-------
 3 files changed, 19 insertions(+), 19 deletions(-)
diff --git a/ext/re/t/regop.t b/ext/re/t/regop.t
index 7fe7b20..f111b91 100755
--- a/ext/re/t/regop.t
+++ b/ext/re/t/regop.t
@@ -233,12 +233,12 @@ anchored "ABC" at 0
 #Freeing REx: "(\\.COM|\\.EXE|\\.BAT|\\.CMD|\\.VBS|\\.VBE|\\.JS|\\.JSE|\\."......
 %MATCHED%
 floating ""$ at 3..4 (checking floating)
-1:1[1] 3:2[1] 5:2[64] 45:83[1] 47:84[1] 48:85[0]
-stclass EXACTF <.> minlen 3
-Found floating substr ""$ at offset 30...
-Does not contradict STCLASS...
-Guessed: match at offset 26
-Matching stclass EXACTF <.> against ".exe"
+#1:1[1] 3:2[1] 5:2[64] 45:83[1] 47:84[1] 48:85[0]
+#stclass EXACTF <.> minlen 3
+#Found floating substr ""$ at offset 30...
+#Does not contradict STCLASS...
+#Guessed: match at offset 26
+#Matching stclass EXACTF <.> against ".exe"
 ---
 #Compiling REx "[q]"
 #size 12 nodes Got 100 bytes for offset annotations.
diff --git a/regcomp.c b/regcomp.c
index 49e69b2..b7fb032 100644
--- a/regcomp.c
+++ b/regcomp.c
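Review bot: The six expected-output lines for the EXACTF trie are prefixed with `#` rather than replaced with what the debug output now contains, so if a leading `#` marks a line regop.t does not compare (as the surrounding `#Compiling`/`#Freeing` lines suggest), the non-UTF case-insensitive path loses its only check here. The description says the fix resolves a segfault on tainted non-UTF-8 matches, yet no test in this series matches such a pattern against such a string. A regression test that runs a case-insensitive alternation like the `.COM|.EXE` pattern above against a tainted byte string and only checks that the match returns would pin the fix; that belongs in a new test file rather than in these expected-output lines.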
@@ -2820,13 +2820,18 @@ S_study_chunk(pTHX_ RExC_state_t *pRExC_state, regnode **scanp,
 }
 } else {
 /*
- Currently we assume that the trie can handle unicode and ascii
- matches fold cased matches. If this proves true then the following
- define will prevent tries in this situation.
-
- #define TRIE_TYPE_IS_SAFE (UTF || optype==EXACT)
-*/
+ Currently we do not believe that the trie logic can
+ handle case insensitive matching properly when the
+ pattern is not unicode (thus forcing unicode semantics).
+
+ If/when this is fixed the following define can be swapped
+ in below to fully enable trie logic.
+ #define TRIE_TYPE_IS_SAFE 1
+
+*/
+#define TRIE_TYPE_IS_SAFE (UTF || optype==EXACT)
+
 if ( last && TRIE_TYPE_IS_SAFE ) {
 make_trie( pRExC_state,
 startbranch, first, cur, tail, count,
diff --git a/regexec.c b/regexec.c
index 7a42c4f..32994de 100644
--- a/regexec.c
+++ b/regexec.c
@@ -1006,16 +1006,15 @@ Perl_re_intuit_start(pTHX_ REGEXP * const prog, SV *sv, char *strpos,
 #define REXEC_TRIE_READ_CHAR(trie_type, trie, widecharmap, uc, uscan, len, \
 uvc, charid, foldlen, foldbuf, uniflags) STMT_START { \
- UV uvc_unfolded = 0; \
 switch (trie_type) { \
 case trie_utf8_fold: \
 if ( foldlen>0 ) { \
- uvc_unfolded = uvc = utf8n_to_uvuni( uscan, UTF8_MAXLEN, &len, uniflags ); \
+ uvc = utf8n_to_uvuni( uscan, UTF8_MAXLEN, &len, uniflags ); \
 foldlen -= len; \
 uscan += len; \
 len=0; \
 } else { \
- uvc_unfolded = uvc = utf8n_to_uvuni( (U8*)uc, UTF8_MAXLEN, &len, uniflags ); \
+ uvc = utf8n_to_uvuni( (U8*)uc, UTF8_MAXLEN, &len, uniflags ); \
 uvc = to_uni_fold( uvc, foldbuf, &foldlen ); \
 foldlen -= UNISKIP( uvc ); \
 uscan = foldbuf + UNISKIP( uvc ); \
@@ -1041,7 +1040,6 @@ uvc, charid, foldlen, foldbuf, uniflags) STMT_START { \
 uvc = (UV)*uc; \
 len = 1; \
 } \
- \
 if (uvc < 256) { \
 charid = trie->charmap[ uvc ]; \
 } \
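Review bot: `TRIE_TYPE_IS_SAFE` is now defined in the middle of S_study_chunk with no matching `#undef`, so the macro stays visible for the rest of regcomp.c and would expand with whatever `UTF` and `optype` happen to mean at any later use; add `#undef TRIE_TYPE_IS_SAFE` once the `if ( last && TRIE_TYPE_IS_SAFE )` block closes (that block and the make_trie call continue past the hunk). The rewritten comment explains why tries are avoided for non-unicode fold matching but does not record that regexec.c's REXEC_TRIE_READ_CHAR, in the same series, loses its non-UTF fallback and therefore depends on this guard holding at compile time. A line such as `/* regexec.c's REXEC_TRIE_READ_CHAR has no non-UTF fold fallback; keep this guard in step with it. */` next to the `#define` would make the coupling visible to the next person tempted to swap in `#define TRIE_TYPE_IS_SAFE 1`.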
@@ -1054,9 +1052,6 @@ uvc, charid, foldlen, foldbuf, uniflags) STMT_START { \
 charid = (U16)SvIV(*svpp); \
 } \
 } \
- if (!charid && trie_type == trie_utf8_fold && !UTF) { \
- charid = trie->charmap[uvc_unfolded]; \
- } \
 } STMT_END
 
 #define REXEC_FBC_EXACTISH_CHECK(CoNd) \
-- 
tg: (daf8b46..) fixes/trie-logic-match (depends on: upstream)
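Review bot: Removing the `charid = trie->charmap[uvc_unfolded]` fallback deletes the one index into `charmap` that carried no `uvc < 256` style bound of the kind the 1041 hunk shows, but the macro now relies entirely on regcomp.c never building a trie_utf8_fold trie for a non-UTF pattern, and nothing in regexec.c states or checks that. Since the removed condition shows both `UTF` and `trie_type` are usable in this scope, an `assert(UTF || trie_type != trie_utf8_fold);` at the `case trie_utf8_fold:` label in the 1006 hunk (assuming regexec.c already uses assert elsewhere), or failing that a comment `/* no non-UTF fold fallback: regcomp.c's TRIE_TYPE_IS_SAFE must not build a fold trie for a non-UTF pattern */` before `} STMT_END`, would keep the invariant from being reintroduced by accident. The 1006 and 1041 hunks only delete the now-unused uvc_unfolded and its blank line, so this note covers them as well.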