Skip to content

regcomp.c: incr ref cnt of re_intuit_string() return #17763

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 29, 2020
Merged

regcomp.c: incr ref cnt of re_intuit_string() return #17763

merged 2 commits into from
Apr 29, 2020

Conversation

khwilliamson
Copy link
Contributor

This function returns an SV that it turns out may have its reference
count decremented by a future call to re_intuit_start(). Thus, the
caller doesn't get clear title to the returned SV. This is not
documented.

It is too late in the development cycle to properly fix this, but in
this instance, it is a simple matter to increment the ref count of the
returned scalar

This fixes #17734.

@khwilliamson khwilliamson requested review from hvds and xsawyerx April 29, 2020 04:21
hvds
hvds reviewed Apr 29, 2020
View reviewed changes
@hvds
Copy link
Contributor

hvds commented Apr 29, 2020

Looks good to me; I think you could simplify slightly by setting must = "" rather than NULL, so you can pass it to strspn() without needing a must_len check.

In the commit message s/should not freed/should not be freed/.

@khwilliamson
regcomp.c: Avoid use after free
4d36401 
It turns out that the SV returned by re_intuit_string() may be freed by
future calls to re_intuit_start().  Thus, the caller doesn't get clear
title to the returned SV.  (This wasn't documented until the
commit immediately prior to this one.)

Cope with this situation by making a mortalized copy.  This commit also
changes to use the copy's PV directly, simplifying some 'if' statements.

re_intuit_string() is effectively in the API, as it is an element in the
regex engine structure, callable by anyone.  It should not be returning
a tenuous SV.  That returned scalar should not freed before the pattern
it is for is freed.  It is too late in the development cycle to change
this, so this workaround is presented instead for 5.32.

This fixes #17734.
@khwilliamson
Copy link
Contributor Author

I think you could simplify slightly by setting must = "" rather than NULL

Good point. Changed to that

@khwilliamson khwilliamson merged commit 07b2324 into blead Apr 29, 2020
@khwilliamson khwilliamson deleted the smoke-me/khw-17734 branch May 25, 2021 21:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hvds hvds hvds left review comments

@xsawyerx xsawyerx xsawyerx approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Use after free in unicode wildcard property matching
3 participants
@khwilliamson @hvds @xsawyerx