Perl versions through 5.43.10 have a heap buffer overflow when compiling regular expressions with a repeated fixed string on 32-bit builds.
`Perl_study_chunk` in `regcomp_study.c` checked the size of the joined substring buffer in characters rather than bytes. For a quantified fixed substring with a large minimum count, the byte length `mincount * l` could overflow `SSize_t`, producing an undersized `SvGROW` allocation; the subsequent copy writes past the end of the buffer.
A caller that compiles an attacker-controlled regular expression on a 32-bit perl build triggers a heap buffer overflow at compile time.
The product performs a calculation to determine how much memory to allocate, but an integer overflow can occur that causes less memory to be allocated than expected, leading to a buffer overflow.
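
The arithmetic behind the undersized allocation, as an added example that is not Perl's source or its patch. It assumes `int32_t` stands in for `SSize_t` on a 32-bit build; the function names and the sample values are constructed for illustration, and only the length calculation is modelled.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: int32_t stands in for SSize_t on a 32-bit perl build. */
typedef int32_t ssize32_t;

/* Unchecked pattern: the product is reduced modulo 2^32 before it reaches
 * the allocator, so a huge request can come out as a tiny one. */
static ssize32_t joined_len_unchecked(uint32_t mincount, uint32_t l)
{
    return (ssize32_t)(mincount * l); /* wraps; conversion is modulo 2^32 on gcc/clang */
}

/* Checked pattern: refuse any product that does not fit in SSize_t. */
static bool joined_len_checked(uint32_t mincount, uint32_t l, ssize32_t *out)
{
    if (l != 0 && mincount > (uint32_t)INT32_MAX / l)
        return false;               /* would overflow: caller must not join */
    *out = (ssize32_t)(mincount * l);
    return true;
}

/* Reference value computed in 64 bits, for comparison only. */
static uint64_t joined_len_exact(uint32_t mincount, uint32_t l)
{
    return (uint64_t)mincount * l;
}

int main(void)
{
    /* Constructed values: 4-byte substring, minimum count just over 2^30. */
    uint32_t mincount = 0x40000001u, l = 4;
    ssize32_t len = 0;

    printf("exact bytes needed : %llu\n",
           (unsigned long long)joined_len_exact(mincount, l));
    printf("unchecked length   : %ld\n", (long)joined_len_unchecked(mincount, l));
    printf("checked accepts?   : %s\n",
           joined_len_checked(mincount, l, &len) ? "yes" : "no");
    return 0;
}
```
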
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Perl | Perl | * | 5.43.10 (including) |
| Perl | Ubuntu | esm-infra-legacy/trusty | * |
| Perl | Ubuntu | esm-infra-legacy/xenial | * |
| Perl | Ubuntu | esm-infra/bionic | * |
| Perl | Ubuntu | esm-infra/focal | * |
| Perl | Ubuntu | jammy | * |
| Perl | Ubuntu | noble | * |
| Perl | Ubuntu | questing | * |
| Perl | Ubuntu | resolute | * |