summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorafresh1 <afresh1@openbsd.org>2017-09-22 23:15:01 +0000
committerafresh1 <afresh1@openbsd.org>2017-09-22 23:15:01 +0000
commitbc7b845e7aa7bb67274375936e9101bc3308617a (patch)
tree28137887b4e573656c775de436d5dd7c1b8ef1a4
parentDo not bounce if possible. (diff)
downloadwireguard-openbsd-bc7b845e7aa7bb67274375936e9101bc3308617a.tar.xz
wireguard-openbsd-bc7b845e7aa7bb67274375936e9101bc3308617a.zip
A buffer over-read and heap overflow in perl's regexp may result in
a crash or memory leak. Fixes * CVE-2017-12883 (Buffer over-read) * CVE-2017-12837 (Heap overflow when compiling case-insensitive regexp) Patches by Karl Williamson
-rw-r--r--gnu/usr.bin/perl/regcomp.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/gnu/usr.bin/perl/regcomp.c b/gnu/usr.bin/perl/regcomp.c
index be6cb96a700..29b1ffe7c5a 100644
--- a/gnu/usr.bin/perl/regcomp.c
+++ b/gnu/usr.bin/perl/regcomp.c
@@ -11918,14 +11918,16 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pRExC_state,
}
sv_catpv(substitute_parse, ")");
- RExC_parse = RExC_start = RExC_adjusted_start = SvPV(substitute_parse,
- len);
+ len = SvCUR(substitute_parse);
/* Don't allow empty number */
if (len < (STRLEN) 8) {
RExC_parse = endbrace;
vFAIL("Invalid hexadecimal number in \\N{U+...}");
}
+
+ RExC_parse = RExC_start = RExC_adjusted_start
+ = SvPV_nolen(substitute_parse);
RExC_end = RExC_parse + len;
/* The values are Unicode, and therefore not subject to recoding, but
@@ -13018,6 +13020,7 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
goto loopdone;
}
p = RExC_parse;
+ RExC_parse = parse_start;
if (ender > 0xff) {
REQUIRE_UTF8(flagp);
}