CVE-2018-18313.diff   [plain text]


Backport of:

From cc56be313c7d4e7c266c01dabc762a153d5b2c28 Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Sat, 25 Mar 2017 15:00:22 -0600
Subject: [PATCH] regcomp.c: Convert some strchr to memchr

This allows things to work properly in the face of embedded NULs.
See the branch merge message for more information.

(cherry picked from commit 43b2f4ef399e2fd7240b4eeb0658686ad95f8e62)
---
 regcomp.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

Index: perl-5.18.2/regcomp.c
===================================================================
--- perl-5.18.2.orig/regcomp.c	2018-11-20 09:19:39.530827946 -0500
+++ perl-5.18.2/regcomp.c	2018-11-20 09:24:15.811984928 -0500
@@ -9909,7 +9909,7 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pREx
 
     RExC_parse++;	/* Skip past the '{' */
 
-    if (! (endbrace = strchr(RExC_parse, '}')) /* no trailing brace */
+    if (! (endbrace = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse))  /* no trailing brace */
 	|| ! (endbrace == RExC_parse		/* nothing between the {} */
 	      || (endbrace - RExC_parse >= 2	/* U+ (bad hex is checked below */
 		  && strnEQ(RExC_parse, "U+", 2)))) /* for a better error msg) */
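Review bot: The length handed to memchr, `RExC_end - RExC_parse`, is a pointer difference converted to size_t, so the search is bounded only if RExC_parse can never be past RExC_end once the '{' has been skipped. That guarantee comes from code outside this hunk and is worth stating here, for example with `assert(RExC_parse <= RExC_end);` just before the test. The same length expression is used in the `parseit:` hunk further down. A short comment such as `/* pattern may contain embedded NULs; the search is bounded by RExC_end, not by a terminator */` would also stop a later cleanup from going back to strchr. The body of S_grok_bslash_N starts and ends outside the hunk.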
@@ -12398,9 +12398,13 @@ parseit:
 		    vFAIL2("Empty \\%c{}", (U8)value);
 		if (*RExC_parse == '{') {
 		    const U8 c = (U8)value;
-		    e = strchr(RExC_parse++, '}');
-                    if (!e)
+		    e = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
+                    if (!e) {
+                        RExC_parse++;
                         vFAIL2("Missing right brace on \\%c{}", c);
+                    }
+
+                    RExC_parse++;
 		    while (isSPACE(UCHARAT(RExC_parse)))
 		        RExC_parse++;
                     if (e == RExC_parse)
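Review bot: `RExC_parse++` now appears twice, once inside the new `if (!e) {` block and once after it, apparently only so the parse position is the same on the error path. Since memchr has already been given the un-incremented pointer, a single `RExC_parse++;` placed between the memchr call and the `if (!e)` test would presumably behave the same, assuming vFAIL2 does not return. Separately, the diffstat shows only regcomp.c changed, so nothing exercises the missing-right-brace path with a NUL inside the pattern; a regression test for that case would keep the bounded search from regressing. The enclosing block continues outside the hunk.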