VYPR
Unrated severity · NVD Advisory · Published Jun 5, 2020 · Updated Aug 4, 2024

CVE-2020-12723

Description

regcomp.c in Perl before 5.30.3 allows a buffer overflow via a crafted regular expression because of recursive S_study_chunk calls.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Recursive S_study_chunk calls via GOSUB mutate the regexp program nodes, causing a buffer overflow when the outer frame processes the already-mutated nodes."

Attack vector

An attacker supplies a specially crafted regular expression whose program contains a GOSUB node, the regcomp.c representation of a recursive call into a capture group (`(?R)`, `(?1)`, `(?-1)`, `(?&NAME)` and the like), which makes `S_study_chunk` recurse into a part of the program that an outer frame is still studying. During that recursion the function mutates regexp program nodes (for example via `JOIN_EXACT` or trie optimization) that the outer frame still relies on. When the outer frame later processes the already-mutated nodes, it can read or write past the allocated buffer [ref_id=1]. No privileges are required: the attacker only needs a way to get a pattern compiled, which is common in Perl applications that accept user-supplied regexes (search forms, filters, validation rules). Compiling the pattern is enough; it never has to match anything.

Affected code

The vulnerability resides in `S_study_chunk()` within `regcomp.c`. The function performs peephole optimizations on the compiled regexp program, including `JOIN_EXACT` (merging adjacent literal nodes), trie construction for alternations, and node-type mutations (e.g., `EXACTFU_S_EDGE` to `EXACTFU`, `CURLYX` to `CURLYN`/`CURLYM`). These mutations rewrite nodes in place and may change how much of the program they occupy. They are unsafe inside a GOSUB recursion frame because the same nodes are visited again at the outer level, which then operates on a program that no longer has the layout it recorded, leading to a buffer overflow via a crafted regular expression [ref_id=1].

What the fix does

The patch adds a boolean `mutate_ok` parameter to `S_study_chunk()` and an `in_gosub` flag on the scan frame. The top-level call from the regex compiler passes `TRUE` for this parameter (`was_mutate_ok` in the signature) [ref_id=1]. In any frame where `in_gosub` is set, either because the frame was pushed for a GOSUB node or because it inherited the flag from an outer frame, `mutate_ok` is false, and every node-mutating optimization (`JOIN_EXACT`, trie building, `CURLYX`→`CURLYN`/`CURLYM` conversion, `EXACTFU_S_EDGE` folding, and the case-fold optimizations) is skipped [ref_id=1]. Studying inside a GOSUB therefore only gathers information and never rewrites the program, so the outer frame always sees the layout it started with and the overflow cannot occur. The cost is that patterns using recursion lose some optimizations; correctness is unaffected.

Preconditions

  • Input: the attacker must be able to supply a crafted regular expression to Perl's regex compiler.
  • Input: the crafted regex must contain a GOSUB construct (`(?R)`, `(?PARNO)`, `(?&NAME)` or equivalent) so that `S_study_chunk` recurses.
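
As an added example (not code from the Perl project or from this CVE's references), the following Perl pre-compile guard turns the two preconditions above into a check: it refuses to hand an untrusted pattern containing any GOSUB construct to an interpreter whose `$]` predates 5.30.3. The GOSUB syntaxes it matches are the ones documented in perlre; the sample patterns are constructed and harmless, not the report's trigger. The `compile_untrusted`, `find_gosub` and `perl_has_fix` names are this example's own.

```perl
#!/usr/bin/perl
# Added example, not Perl's own code: refuse to compile untrusted patterns
# containing GOSUB constructs on a perl that may predate the 5.30.3 fix.
use strict;
use warnings;

# GOSUB syntaxes recognised by Perl's regex parser (perlre):
# (?R), (?0), (?PARNO), (?+PARNO), (?-PARNO), (?&NAME), (?P>NAME).
# Applied to the raw pattern text, so an escaped "\(?R)" also matches:
# the filter is deliberately conservative and may reject a safe pattern.
my $GOSUB_RE = qr/
    \(\?
    (?:
        R            # (?R)
      | [+-]?\d+     # (?0) (?1) (?+1) (?-1)
      | &\w+         # (?&NAME)
      | P>\w+        # (?P>NAME)
    )
    \)
/x;

# True when this perl is known to carry the regcomp.c fix (5.30.3 => 5.030003).
# Caveat: distributions backport security fixes without bumping $], so an
# older $] does not prove vulnerability; a newer $] does prove the fix.
sub perl_has_fix { return $] >= 5.030003 }

# Returns the list of GOSUB constructs found in $pattern (empty if none).
sub find_gosub {
    my ($pattern) = @_;
    return $pattern =~ /($GOSUB_RE)/g;
}

# Compile an untrusted pattern, or die with a reason, without ever handing a
# GOSUB-containing pattern to an unpatched regcomp.c.
sub compile_untrusted {
    my ($pattern) = @_;
    if (!perl_has_fix()) {
        my @hits = find_gosub($pattern);
        die "refusing GOSUB (@hits) on perl $]\n" if @hits;
    }
    # qr// on interpolated text compiles at run time; eval catches syntax errors.
    my $re = eval { qr/$pattern/ };
    die "invalid pattern: $@" unless defined $re;
    return $re;
}

# Constructed sample inputs (harmless patterns, not the CVE's trigger).
my %samples = (
    plain     => 'foo(bar)+baz',
    recursive => '\((?:[^()]++|(?R))*\)',   # balanced parentheses via (?R)
    named     => '(?<q>"[^"]*")\s*(?&q)',   # named recursion
    relative  => '(a)(?-1)',                # relative recursion
);

for my $name (sort keys %samples) {
    my @hits = find_gosub($samples{$name});
    my $re   = eval { compile_untrusted($samples{$name}) };
    chomp(my $err = $@ // '');
    printf "%-9s gosub=%-10s %s\n", $name,
        (@hits ? join(',', @hits) : '-'),
        (defined $re ? 'compiled' : "rejected: $err");
}
```

On a fixed interpreter every sample compiles; on an older `$]` the three recursive samples are rejected and only `plain` compiles. Because vendors backport fixes without changing `$]`, an environment that knows its build is patched can drop the version test and keep only the `find_gosub` filter as defence in depth, or drop the filter entirely; what it should not do is treat an old `$]` alone as proof of exposure.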

Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
