regcomp: infinite loop (perl-5.30.0) #17594
Comments
|
A related issue has been raised as #17730. I've pushed https://github.com/Perl/perl5/tree/smoke-me/hv/gh17594 for smoking, which stops marking any zero-width constructs as SIMPLE. I've also split it into two commits, in which the first stops marking them SIMPLE (which should stop them getting to regrepeat(), which can't handle them correctly), and the second actually disallows them in regrepeat(). If we come to consider this for 5.32 or backporting, taking only the first commit may be the safer option. |
|
@xsawyerx @khwilliamson @lightsey I've rebased this branch onto blead; I'd like to get it merged so we get an idea whether it causes any issues comfortably before next release, any opinions for or against that? There are two commits; the first (which I think is uncontroversial) stops marking certain zero-width constructs as SIMPLE, and documents more clearly that SIMPLE nodes are expected to be one character wide. The second (which may be more controversial) removes the cases for those zero-width constructs in regrepeat(), so we'll croak if we see them there rather than doing a wrong calculation. |
|
It LGTM. I think it should be merged |
|
👍 good with me. |
|
@lightsey replied to me privately. So its fine to merge this now. |
GH #17594: avoid marking them SIMPLE during compile so they will not wrongly be permitted in STAR/PLUS/CURLY nodes: a SIMPLE node is supposed to have width 1 (with the exception of LNBREAK as a special case).
GH #17594: the logic here expects the node to have width 1 (except for LNBREAK), it is not expected to do the right thing on zero-width nodes.
Description
On May 24, 2019 @Etsukata reported an infinite loop bug to the Perl security contact address. This report was originally tracked as rt.perl.org#134132. After the github migration, it was tracked as Perl/perl5-security#112
The original example regex was:
The infinite loop this regex caused was not considered to be a vulnerability by the Perl security team and an initial fix for the bug was committed to blead as ac3afc4
This initial fix resulted in significant discussion about it's suitability for a backport to the maintenance branch. Some of this discussion continued in the private issue tracker after the issue was initially resolved.
I don't understand the details of these discussions sufficiently to summarize them, but I'm opening this issue to track any remaining work related to the original Perl/perl5-security#112 report.
The text was updated successfully, but these errors were encountered: