main/perl: backport security fixes

CVE-2018-18311, CVE-2018-18312, CVE-2018-18313, CVE-2018-18314

fixes #9730

5 files changed, 608 insertions, 2 deletions

diff --git a/main/perl/APKBUILD b/main/perl/APKBUILD
index 71f61d19ec..316430908d 100644
--- a/main/perl/APKBUILD
+++ b/main/perl/APKBUILD
@@ -3,7 +3,7 @@
 # Contributor: Valery Kartel <valery.kartel@gmail.com>
 pkgname=perl
 pkgver=5.24.4
-pkgrel=1
+pkgrel=2
 pkgdesc="Larry Wall's Practical Extraction and Report Language"
 url="http://www.perl.org/"
 arch="all"
@@ -15,9 +15,18 @@ makedepends="bzip2-dev zlib-dev"
 subpackages="$pkgname-doc $pkgname-dev $pkgname-utils::noarch miniperl"
 source="http://www.cpan.org/src/5.0/perl-$pkgver.tar.gz
         CVE-2018-12015.patch
+        CVE-2018-18311.patch
+        CVE-2018-18312.patch
+        CVE-2018-18313.patch
+        CVE-2018-18314.patch
         "
 
 # secfixes:
+#   5.24.4-r2:
+#     - CVE-2018-18311
+#     - CVE-2018-18312
+#     - CVE-2018-18313
+#     - CVE-2018-18314
 #   5.24.4-r1:
 #     - CVE-2018-12015
 #   5.24.3-r0:
@@ -140,4 +149,8 @@ utils() {
 }
 
 sha512sums="796d92f47860ac0e3a22d85eb129549c4251445b3cfa8687e305c95f6205ad32a670e0d680e20245e47f0c6567b313748bce1db04208b21ff10595196e37a40b  perl-5.24.4.tar.gz
-feda381bd3230443341b99135bac4d6010e9d28b619d9fb57f2dda2c29b8877f012f76d31631e5227ef79e73e0b2b162548fa24704752e61f10c05d015c68916  CVE-2018-12015.patch"
+feda381bd3230443341b99135bac4d6010e9d28b619d9fb57f2dda2c29b8877f012f76d31631e5227ef79e73e0b2b162548fa24704752e61f10c05d015c68916  CVE-2018-12015.patch
+c1af39d5f293cb83b5ce8cea0835a52470cc2aa67cf541bfc20fd25c815cd9124cb6d91df979235868223ba2244ceed1336e304e10df74b40b706268ffc2b8c1  CVE-2018-18311.patch
+f785a9b94311a4a8dfdf811006c8eb540808d75922d7d5c48e567c949ebf0dc4fe2641163e1220db3a29d650c2d35ed278bb3867f8ebe626faad05bf75d32ad1  CVE-2018-18312.patch
+bcc8438fc8bceef83b23dac2e788ceb5d70f645054b5d04c555004ccfe2f85a83f835b387ee318e1ca8668afb7601eeacfc4355e8a70e98549c15b1521555318  CVE-2018-18313.patch
+df59c1cb4ca8d651d544524ae01c092f0451ec27f7d821bc7e61e1b7385161e241797e84ae85782b3869d432bca72a93bfe71590a1cf879f7c5a11b780d3c4dd  CVE-2018-18314.patch"
diff --git a/main/perl/CVE-2018-18311.patch b/main/perl/CVE-2018-18311.patch
new file mode 100644
index 0000000000..02277e93e2
--- /dev/null
+++ b/main/perl/CVE-2018-18311.patch
@@ -0,0 +1,174 @@
+From 5737d31aac51360cc1eb412ef059e36147c9d6d6 Mon Sep 17 00:00:00 2001
+From: David Mitchell <davem@iabyn.com>
+Date: Fri, 29 Jun 2018 13:37:03 +0100
+Subject: [PATCH] Perl_my_setenv(); handle integer wrap
+
+RT #133204
+
+Wean this function off int/I32 and onto UV/Size_t.
+Also, replace all malloc-ish calls with a wrapper that does
+overflow checks,
+
+In particular, it was doing (nlen + vlen + 2) which could wrap when
+the combined length of the environment variable name and value
+exceeded around 0x7fffffff.
+
+The wrapper check function is probably overkill, but belt and braces...
+
+NB this function has several variant parts, #ifdef'ed by platform
+type; I have blindly changed the parts that aren't compiled under linux.
+
+(cherry picked from commit 34716e2a6ee2af96078d62b065b7785c001194be)
+---
+ util.c | 76 ++++++++++++++++++++++++++++++++++++++++------------------
+ 1 file changed, 53 insertions(+), 23 deletions(-)
+
+diff --git a/util.c b/util.c
+index 2e053a7115f..ba5fb2ded8e 100644
+--- a/util.c
++++ b/util.c
+@@ -2064,8 +2064,40 @@ Perl_new_warnings_bitfield(pTHX_ STRLEN *buffer, const char *const bits,
+    *(s+(nlen+1+vlen)) = '\0'
+ 
+ #ifdef USE_ENVIRON_ARRAY
+-       /* VMS' my_setenv() is in vms.c */
++
++/* small wrapper for use by Perl_my_setenv that mallocs, or reallocs if
++ * 'current' is non-null, with up to three sizes that are added together.
++ * It handles integer overflow.
++ */
++static char *
++S_env_alloc(void *current, Size_t l1, Size_t l2, Size_t l3, Size_t size)
++{
++    void *p;
++    Size_t sl, l = l1 + l2;
++
++    if (l < l2)
++        goto panic;
++    l += l3;
++    if (l < l3)
++        goto panic;
++    sl = l * size;
++    if (sl < l)
++        goto panic;
++
++    p = current
++            ? safesysrealloc(current, sl)
++            : safesysmalloc(sl);
++    if (p)
++        return (char*)p;
++
++  panic:
++    croak_memory_wrap();
++}
++
++
++/* VMS' my_setenv() is in vms.c */
+ #if !defined(WIN32) && !defined(NETWARE)
++
+ void
+ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
+@@ -2081,28 +2113,27 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #ifndef PERL_USE_SAFE_PUTENV
+     if (!PL_use_safe_putenv) {
+         /* most putenv()s leak, so we manipulate environ directly */
+-        I32 i;
+-        const I32 len = strlen(nam);
+-        int nlen, vlen;
++        UV i;
++        Size_t vlen, nlen = strlen(nam);
+ 
+         /* where does it go? */
+         for (i = 0; environ[i]; i++) {
+-            if (strnEQ(environ[i],nam,len) && environ[i][len] == '=')
++            if (strnEQ(environ[i], nam, nlen) && environ[i][nlen] == '=')
+                 break;
+         }
+ 
+         if (environ == PL_origenviron) {   /* need we copy environment? */
+-            I32 j;
+-            I32 max;
++            UV j, max;
+             char **tmpenv;
+ 
+             max = i;
+             while (environ[max])
+                 max++;
+-            tmpenv = (char**)safesysmalloc((max+2) * sizeof(char*));
++            /* XXX shouldn't that be max+1 rather than max+2 ??? - DAPM */
++            tmpenv = (char**)S_env_alloc(NULL, max, 2, 0, sizeof(char*));
+             for (j=0; j<max; j++) {         /* copy environment */
+-                const int len = strlen(environ[j]);
+-                tmpenv[j] = (char*)safesysmalloc((len+1)*sizeof(char));
++                const Size_t len = strlen(environ[j]);
++                tmpenv[j] = S_env_alloc(NULL, len, 1, 0, 1);
+                 Copy(environ[j], tmpenv[j], len+1, char);
+             }
+             tmpenv[max] = NULL;
+@@ -2121,15 +2152,15 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ #endif
+         }
+         if (!environ[i]) {                 /* does not exist yet */
+-            environ = (char**)safesysrealloc(environ, (i+2) * sizeof(char*));
++            environ = (char**)S_env_alloc(environ, i, 2, 0, sizeof(char*));
+             environ[i+1] = NULL;    /* make sure it's null terminated */
+         }
+         else
+             safesysfree(environ[i]);
+-        nlen = strlen(nam);
++
+         vlen = strlen(val);
+ 
+-        environ[i] = (char*)safesysmalloc((nlen+vlen+2) * sizeof(char));
++        environ[i] = S_env_alloc(NULL, nlen, vlen, 2, 1);
+         /* all that work just for this */
+         my_setenv_format(environ[i], nam, nlen, val, vlen);
+     } else {
+@@ -2154,22 +2185,21 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+             if (environ) /* old glibc can crash with null environ */
+                 (void)unsetenv(nam);
+         } else {
+-           const int nlen = strlen(nam);
+-           const int vlen = strlen(val);
+-           char * const new_env =
+-                (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
++           const Size_t nlen = strlen(nam);
++           const Size_t vlen = strlen(val);
++           char * const new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+             my_setenv_format(new_env, nam, nlen, val, vlen);
+             (void)putenv(new_env);
+         }
+ #       else /* ! HAS_UNSETENV */
+         char *new_env;
+-       const int nlen = strlen(nam);
+-       int vlen;
++       const Size_t nlen = strlen(nam);
++       Size_t vlen;
+         if (!val) {
+           val = "";
+         }
+         vlen = strlen(val);
+-        new_env = (char*)safesysmalloc((nlen + vlen + 2) * sizeof(char));
++        new_env = S_env_alloc(NULL, nlen, vlen, 2, 1);
+         /* all that work just for this */
+         my_setenv_format(new_env, nam, nlen, val, vlen);
+         (void)putenv(new_env);
+@@ -2192,14 +2222,14 @@ Perl_my_setenv(pTHX_ const char *nam, const char *val)
+ {
+     dVAR;
+     char *envstr;
+-    const int nlen = strlen(nam);
+-    int vlen;
++    const Size_t nlen = strlen(nam);
++    Size_t vlen;
+ 
+     if (!val) {
+        val = "";
+     }
+     vlen = strlen(val);
+-    Newx(envstr, nlen+vlen+2, char);
++    envstr = S_env_alloc(NULL, nlen, vlen, 2, 1);
+     my_setenv_format(envstr, nam, nlen, val, vlen);
+     (void)PerlEnv_putenv(envstr);
+     Safefree(envstr);
diff --git a/main/perl/CVE-2018-18312.patch b/main/perl/CVE-2018-18312.patch
new file mode 100644
index 0000000000..94a073e211
--- /dev/null
+++ b/main/perl/CVE-2018-18312.patch
@@ -0,0 +1,47 @@
+From df2858ea28eb2c7e00a4bd6a5ed95e4782f88333 Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Mon, 24 Sep 2018 11:54:41 -0600
+Subject: [PATCH 242/242] PATCH: [perl #133423] for 5.26 maint
+
+---
+ regcomp.c       | 1 -
+ t/re/reg_mesg.t | 4 ++++
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index ca47db7573..431006e855 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -15109,7 +15109,6 @@ redo_curchar:
+                     RExC_parse++;
+                     assert(UCHARAT(RExC_parse) == ')');
+ 
+-                    RExC_parse++;
+                     RExC_flags = save_flags;
+                     goto handle_operand;
+                 }
+diff --git a/t/re/reg_mesg.t b/t/re/reg_mesg.t
+index 39cfcf7df1..d26a7caf37 100644
+--- a/t/re/reg_mesg.t
++++ b/t/re/reg_mesg.t
+@@ -106,6 +106,8 @@ my $high_mixed_digit = ('A' lt '0') ? '0' : 'A';
+ my $colon_hex = sprintf "%02X", ord(":");
+ my $tab_hex = sprintf "%02X", ord("\t");
+ 
++my $bug133423 = "(?[(?^:(?[\\\x00]))\\]\x00|2[^^]\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80])R.\\670";
++
+ ##
+ ## Key-value pairs of code/error of code that should have fatal errors.
+ ##
+@@ -269,6 +271,8 @@ my @death =
+  '/(?[()-!])/' => 'Incomplete expression within \'(?[ ])\' {#} m/(?[(){#}-!])/',    # [perl #126204]
+  '/(?[!()])/' => 'Incomplete expression within \'(?[ ])\' {#} m/(?[!(){#}])/',      # [perl #126404]
+  '/(?<=/' => 'Sequence (?... not terminated {#} m/(?<={#}/',                        # [perl #128170]
++ "/$bug133423/" => "Operand with no preceding operator {#} m/(?[(?^:(?[\\]))\\{#}]|2[^^]\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80\x80])R.\\670/",
++
+ );
+ 
+ # These are messages that are warnings when not strict; death under 'use re
+-- 
+2.17.1
+
diff --git a/main/perl/CVE-2018-18313.patch b/main/perl/CVE-2018-18313.patch
new file mode 100644
index 0000000000..dbd97ebf2b
--- /dev/null
+++ b/main/perl/CVE-2018-18313.patch
@@ -0,0 +1,105 @@
+From ff4e2b11ab19d0c806a3dc09308d1b393971b8aa Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dagfinn=20Ilmari=20Manns=C3=A5ker?= <ilmari@ilmari.org>
+Date: Mon, 14 Nov 2016 20:05:31 +0100
+Subject: [PATCH] Fix error message for unclosed \N{ in regcomp
+
+An unclosed \N{ that made it through to the regex engine rather than
+being handled by the lexer would erroneously trigger the error for
+"\N{NAME} must be resolved by the lexer".
+
+This separates the check for the missing trailing } and issues the
+correct error message for this.
+---
+ regcomp.c     | 8 +++++---
+ t/re/re_tests | 5 ++++-
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index ac664326f01..332cf00482e 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -12005,13 +12005,15 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pRExC_state,
+ 
+     RExC_parse++;      /* Skip past the '{' */
+ 
+-    if (! (endbrace = strchr(RExC_parse, '}'))  /* no trailing brace */
+-       || ! (endbrace == RExC_parse            /* nothing between the {} */
++    if (! (endbrace = strchr(RExC_parse, '}'))) { /* no trailing brace */
++        vFAIL2("Missing right brace on \\%c{}", 'N');
++    }
++    else if(!(endbrace == RExC_parse           /* nothing between the {} */
+               || (endbrace - RExC_parse >= 2   /* U+ (bad hex is checked... */
+                   && strnEQ(RExC_parse, "U+", 2)))) /* ... below for a better
+                                                        error msg) */
+     {
+-       if (endbrace) RExC_parse = endbrace;    /* position msg's '<--HERE' */
++       RExC_parse = endbrace;  /* position msg's '<--HERE' */
+        vFAIL("\\N{NAME} must be resolved by the lexer");
+     }
+ 
+diff --git a/t/re/re_tests b/t/re/re_tests
+index 046beaa193b..1797ddc09d9 100644
+--- a/t/re/re_tests
++++ b/t/re/re_tests
+@@ -1478,7 +1478,10 @@ abc\N    abc\n   n
+ [\N{U+}]       -       c       -       Invalid hexadecimal number
+ \N{U+4AG3}     -       c       -       Invalid hexadecimal number
+ [\N{U+4AG3}]   -       c       -       Invalid hexadecimal number
+-abc\N{def      -       c       -       \\N{NAME} must be resolved by the lexer
++abc\N{def}     -       c       -       \\N{NAME} must be resolved by the lexer
++abc\N{U+4AG3   -       c       -       Missing right brace on \\N{}
++abc\N{def      -       c       -       Missing right brace on \\N{}
++abc\N{ -       c       -       Missing right brace on \\N{}
+ 
+ # Verify that under /x that still cant have space before left brace
+ /abc\N {U+41}/x        -       c       -       Missing braces
+From c1c28ce6ba90ee05aa96b11ad551a6063680f3b9 Mon Sep 17 00:00:00 2001
+From: Karl Williamson <khw@cpan.org>
+Date: Sat, 25 Mar 2017 15:00:22 -0600
+Subject: [PATCH] regcomp.c: Convert some strchr to memchr
+
+This allows things to work properly in the face of embedded NULs.
+See the branch merge message for more information.
+
+(cherry picked from commit 43b2f4ef399e2fd7240b4eeb0658686ad95f8e62)
+---
+ regcomp.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/regcomp.c b/regcomp.c
+index 431006e8551..4ee48ede423 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -12023,7 +12023,8 @@ S_grok_bslash_N(pTHX_ RExC_state_t *pRExC_state,
+ 
+     RExC_parse++;      /* Skip past the '{' */
+ 
+-    if (! (endbrace = strchr(RExC_parse, '}'))) { /* no trailing brace */
++    endbrace = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
++    if (! endbrace) { /* no trailing brace */
+         vFAIL2("Missing right brace on \\%c{}", 'N');
+     }
+     else if(!(endbrace == RExC_parse           /* nothing between the {} */
+@@ -12692,9 +12693,11 @@ S_regatom(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth)
+             else {
+                 STRLEN length;
+                 char name = *RExC_parse;
+-                char * endbrace;
++                char * endbrace = NULL;
+                 RExC_parse += 2;
+-                endbrace = strchr(RExC_parse, '}');
++                if (RExC_parse < RExC_end) {
++                    endbrace = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
++                }
+ 
+                 if (! endbrace) {
+                     vFAIL2("Missing right brace on \\%c{}", name);
+@@ -16228,7 +16231,7 @@ S_regclass(pTHX_ RExC_state_t *pRExC_state, I32 *flagp, U32 depth,
+                    vFAIL2("Empty \\%c", (U8)value);
+                if (*RExC_parse == '{') {
+                    const U8 c = (U8)value;
+-                   e = strchr(RExC_parse, '}');
++                   e = (char *) memchr(RExC_parse, '}', RExC_end - RExC_parse);
+                     if (!e) {
+                         RExC_parse++;
+                         vFAIL2("Missing right brace on \\%c{}", c);
diff --git a/main/perl/CVE-2018-18314.patch b/main/perl/CVE-2018-18314.patch
new file mode 100644
index 0000000000..3219dbf4af
--- /dev/null
+++ b/main/perl/CVE-2018-18314.patch
@@ -0,0 +1,267 @@
+From dabe076af345ab4512ea80245b4e4cd7ec0996cd Mon Sep 17 00:00:00 2001
+From: Yves Orton <demerphq@gmail.com>
+Date: Mon, 26 Jun 2017 13:19:55 +0200
+Subject: [PATCH] fix #131649 - extended charclass can trigger assert
+
+The extended charclass parser makes some assumptions during the
+first pass which are only true on well structured input, and it
+does not properly catch various errors. later on the code assumes
+that things the first pass will let through are valid, when in
+fact they should trigger errors.
+
+(cherry picked from commit 19a498a461d7c81ae3507c450953d1148efecf4f)
+---
+ pod/perldiag.pod        | 27 ++++++++++++++++++++++++++-
+ pod/perlrecharclass.pod |  4 ++--
+ regcomp.c               | 28 ++++++++++++++++++----------
+ t/lib/warnings/regcomp  |  6 +++---
+ t/re/reg_mesg.t         | 29 ++++++++++++++++-------------
+ t/re/regex_sets.t       |  6 +++---
+ 6 files changed, 68 insertions(+), 32 deletions(-)
+
+diff --git a/pod/perldiag.pod b/pod/perldiag.pod
+index 106fe41121f..c29925a2a4e 100644
+--- a/pod/perldiag.pod
++++ b/pod/perldiag.pod
+@@ -5904,7 +5904,7 @@ yourself.
+ a perl4 interpreter, especially if the next 2 tokens are "use strict"
+ or "my $var" or "our $var".
+ 
+-=item Syntax error in (?[...]) in regex m/%s/
++=item Syntax error in (?[...]) in regex; marked by <-- HERE in m/%s/
+ 
+ (F) Perl could not figure out what you meant inside this construct; this
+ notifies you that it is giving up trying.
+@@ -6402,6 +6402,31 @@ to find out why that isn't happening.
+ (F) The unexec() routine failed for some reason.  See your local FSF
+ representative, who probably put it there in the first place.
+ 
++=item Unexpected ']' with no following ')' in (?[... in regex; marked by <-- HERE in m/%s/
++
++(F) While parsing an extended character class a ']' character was encountered
++at a point in the definition where the only legal use of ']' is to close the
++character class definition as part of a '])', you may have forgotten the close
++paren, or otherwise confused the parser.
++
++=item Expecting close paren for nested extended charclass in regex; marked by <-- HERE in m/%s/
++
++(F) While parsing a nested extended character class like:
++
++    (?[ ... (?flags:(?[ ... ])) ... ])
++                             ^
++
++we expected to see a close paren ')' (marked by ^) but did not.
++
++=item Expecting close paren for wrapper for nested extended charclass in regex; marked by <-- HERE in m/%s/
++
++(F) While parsing a nested extended character class like:
++
++    (?[ ... (?flags:(?[ ... ])) ... ])
++                              ^
++
++we expected to see a close paren ')' (marked by ^) but did not.
++
+ =item Unexpected binary operator '%c' with no preceding operand in regex;
+ marked by S<<-- HERE> in m/%s/
+ 
+diff --git a/pod/perlrecharclass.pod b/pod/perlrecharclass.pod
+index 79480e41312..8c008507d1f 100644
+--- a/pod/perlrecharclass.pod
++++ b/pod/perlrecharclass.pod
+@@ -1128,8 +1128,8 @@ hence both of the following work:
+ Any contained POSIX character classes, including things like C<\w> and C<\D>
+ respect the C<E<sol>a> (and C<E<sol>aa>) modifiers.
+ 
+-C<< (?[ ]) >> is a regex-compile-time construct.  Any attempt to use
+-something which isn't knowable at the time the containing regular
++Note that C<< (?[ ]) >> is a regex-compile-time construct.  Any attempt
++to use something which isn't knowable at the time the containing regular
+ expression is compiled is a fatal error.  In practice, this means
+ just three limitations:
+ 
+diff --git a/regcomp.c b/regcomp.c
+index 4ee48ede423..ddac290d2bf 100644
+--- a/regcomp.c
++++ b/regcomp.c
+@@ -14840,8 +14840,9 @@ S_handle_regex_sets(pTHX_ RExC_state_t *pRExC_state, SV** return_invlist,
+                                     TRUE /* Force /x */ );
+ 
+             switch (*RExC_parse) {
+-                case '?':
+-                    if (RExC_parse[1] == '[') depth++, RExC_parse++;
++                case '(':
++                    if (RExC_parse[1] == '?' && RExC_parse[2] == '[')
++                        depth++, RExC_parse+=2;
+                     /* FALLTHROUGH */
+                 default:
+                     break;
+@@ -14898,9 +14899,9 @@ S_handle_regex_sets(pTHX_ RExC_state_t *pRExC_state, SV** return_invlist,
+                 }
+ 
+                 case ']':
+-                    if (depth--) break;
+-                    RExC_parse++;
+-                    if (*RExC_parse == ')') {
++                    if (RExC_parse[1] == ')') {
++                        RExC_parse++;
++                        if (depth--) break;
+                         node = reganode(pRExC_state, ANYOF, 0);
+                         RExC_size += ANYOF_SKIP;
+                         nextchar(pRExC_state);
+@@ -14912,20 +14913,25 @@ S_handle_regex_sets(pTHX_ RExC_state_t *pRExC_state, SV** return_invlist,
+ 
+                         return node;
+                     }
+-                    goto no_close;
++                    /* We output the messages even if warnings are off, because we'll fail
++                     * the very next thing, and these give a likely diagnosis for that */
++                    if (posix_warnings && av_tindex_nomg(posix_warnings) >= 0) {
++                        output_or_return_posix_warnings(pRExC_state, posix_warnings, NULL);
++                    }
++                    RExC_parse++;
++                    vFAIL("Unexpected ']' with no following ')' in (?[...");
+             }
+ 
+             RExC_parse += UTF ? UTF8SKIP(RExC_parse) : 1;
+         }
+ 
+-      no_close:
+         /* We output the messages even if warnings are off, because we'll fail
+          * the very next thing, and these give a likely diagnosis for that */
+         if (posix_warnings && av_tindex_nomg(posix_warnings) >= 0) {
+             output_or_return_posix_warnings(pRExC_state, posix_warnings, NULL);
+         }
+ 
+-        FAIL("Syntax error in (?[...])");
++        vFAIL("Syntax error in (?[...])");
+     }
+ 
+     /* Pass 2 only after this. */
+@@ -15105,12 +15111,14 @@ S_handle_regex_sets(pTHX_ RExC_state_t *pRExC_state, SV** return_invlist,
+                      * inversion list, and RExC_parse points to the trailing
+                      * ']'; the next character should be the ')' */
+                     RExC_parse++;
+-                    assert(UCHARAT(RExC_parse) == ')');
++                    if (UCHARAT(RExC_parse) != ')')
++                        vFAIL("Expecting close paren for nested extended charclass");
+ 
+                     /* Then the ')' matching the original '(' handled by this
+                      * case: statement */
+                     RExC_parse++;
+-                    assert(UCHARAT(RExC_parse) == ')');
++                    if (UCHARAT(RExC_parse) != ')')
++                        vFAIL("Expecting close paren for wrapper for nested extended charclass");
+ 
+                     RExC_flags = save_flags;
+                     goto handle_operand;
+diff --git a/t/lib/warnings/regcomp b/t/lib/warnings/regcomp
+index 2b084c59b02..51ad57ccbe3 100644
+--- a/t/lib/warnings/regcomp
++++ b/t/lib/warnings/regcomp
+@@ -59,21 +59,21 @@ Unmatched [ in regex; marked by <-- HERE in m/abc[ <-- HERE fi[.00./ at - line
+ qr/(?[[[:word]]])/;
+ EXPECT
+ Assuming NOT a POSIX class since there is no terminating ':' in regex; marked by <-- HERE in m/(?[[[:word <-- HERE ]]])/ at - line 2.
+-syntax error in (?[...]) in regex m/(?[[[:word]]])/ at - line 2.
++Unexpected ']' with no following ')' in (?[... in regex; marked by <-- HERE in m/(?[[[:word]] <-- HERE ])/ at - line 2.
+ ########
+ # NAME qr/(?[ [[:digit: ])/
+ # OPTION fatal
+ qr/(?[[[:digit: ])/;
+ EXPECT
+ Assuming NOT a POSIX class since no blanks are allowed in one in regex; marked by <-- HERE in m/(?[[[:digit: ] <-- HERE )/ at - line 2.
+-syntax error in (?[...]) in regex m/(?[[[:digit: ])/ at - line 2.
++syntax error in (?[...]) in regex; marked by <-- HERE in m/(?[[[:digit: ]) <-- HERE / at - line 2.
+ ########
+ # NAME qr/(?[ [:digit: ])/
+ # OPTION fatal
+ qr/(?[[:digit: ])/
+ EXPECT
+ Assuming NOT a POSIX class since no blanks are allowed in one in regex; marked by <-- HERE in m/(?[[:digit: ] <-- HERE )/ at - line 2.
+-syntax error in (?[...]) in regex m/(?[[:digit: ])/ at - line 2.
++syntax error in (?[...]) in regex; marked by <-- HERE in m/(?[[:digit: ]) <-- HERE / at - line 2.
+ ########
+ # NAME [perl #126141]
+ # OPTION fatal
+diff --git a/t/re/reg_mesg.t b/t/re/reg_mesg.t
+index d26a7caf378..5194d937519 100644
+--- a/t/re/reg_mesg.t
++++ b/t/re/reg_mesg.t
+@@ -215,8 +215,9 @@ my @death =
+  '/\b{gc}/' => "'gc' is an unknown bound type {#} m/\\b{gc{#}}/",
+  '/\B{gc}/' => "'gc' is an unknown bound type {#} m/\\B{gc{#}}/",
+ 
+- '/(?[[[::]]])/' => "Syntax error in (?[...]) in regex m/(?[[[::]]])/",
+- '/(?[[[:w:]]])/' => "Syntax error in (?[...]) in regex m/(?[[[:w:]]])/",
++
++ '/(?[[[::]]])/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[[[::]]{#}])/",
++ '/(?[[[:w:]]])/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[[[:w:]]{#}])/",
+  '/(?[[:w:]])/' => "",
+  '/([.].*)[.]/'   => "",    # [perl #127582]
+  '/[.].*[.]/'     => "",    # [perl #127604]
+@@ -239,11 +240,12 @@ my @death =
+  '/(?[ \p{foo} ])/' => 'Can\'t find Unicode property definition "foo" {#} m/(?[ \p{foo}{#} ])/',
+  '/(?[ \p{ foo = bar } ])/' => 'Can\'t find Unicode property definition "foo = bar" {#} m/(?[ \p{ foo = bar }{#} ])/',
+  '/(?[ \8 ])/' => 'Unrecognized escape \8 in character class {#} m/(?[ \8{#} ])/',
+- '/(?[ \t ]/' => 'Syntax error in (?[...]) in regex m/(?[ \t ]/',
+- '/(?[ [ \t ]/' => 'Syntax error in (?[...]) in regex m/(?[ [ \t ]/',
+- '/(?[ \t ] ]/' => 'Syntax error in (?[...]) in regex m/(?[ \t ] ]/',
+- '/(?[ [ ] ]/' => 'Syntax error in (?[...]) in regex m/(?[ [ ] ]/',
+- '/(?[ \t + \e # This was supposed to be a comment ])/' => 'Syntax error in (?[...]) in regex m/(?[ \t + \e # This was supposed to be a comment ])/',
++ '/(?[ \t ]/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[ \\t ]{#}/",
++ '/(?[ [ \t ]/' => "Syntax error in (?[...]) {#} m/(?[ [ \\t ]{#}/",
++ '/(?[ \t ] ]/' => "Unexpected ']' with no following ')' in (?[... {#} m/(?[ \\t ]{#} ]/",
++ '/(?[ [ ] ]/' => "Syntax error in (?[...]) {#} m/(?[ [ ] ]{#}/",
++ '/(?[ \t + \e # This was supposed to be a comment ])/' =>
++    "Syntax error in (?[...]) {#} m/(?[ \\t + \\e # This was supposed to be a comment ]){#}/",
+  '/(?[ ])/' => 'Incomplete expression within \'(?[ ])\' {#} m/(?[ {#}])/',
+  'm/(?[[a-\d]])/' => 'False [] range "a-\d" {#} m/(?[[a-\d{#}]])/',
+  'm/(?[[\w-x]])/' => 'False [] range "\w-" {#} m/(?[[\w-{#}x]])/',
+@@ -431,10 +433,10 @@ my @death_utf8 = mark_as_utf8(
+ 
+  '/ネ\p{}ネ/' => 'Empty \p{} {#} m/ネ\p{{#}}ネ/',
+ 
+- '/ネ(?[[[:ネ]]])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[:ネ]]])ネ/",
+- '/ネ(?[[[:ネ: ])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[:ネ: ])ネ/",
+- '/ネ(?[[[::]]])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[::]]])ネ/",
+- '/ネ(?[[[:ネ:]]])ネ/' => "Syntax error in (?[...]) in regex m/ネ(?[[[:ネ:]]])ネ/",
++ '/ネ(?[[[:ネ]]])ネ/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[[[:ネ]]{#}])ネ/",
++ '/ネ(?[[[:ネ: ])ネ/' => "Syntax error in (?[...]) {#} m/ネ(?[[[:ネ: ])ネ{#}/",
++ '/ネ(?[[[::]]])ネ/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[[[::]]{#}])ネ/",
++ '/ネ(?[[[:ネ:]]])ネ/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[[[:ネ:]]{#}])ネ/",
+  '/ネ(?[[:ネ:]])ネ/' => "",
+  '/ネ(?[ネ])ネ/' =>  'Unexpected character {#} m/ネ(?[ネ{#}])ネ/',
+  '/ネ(?[ + [ネ] ])/' => 'Unexpected binary operator \'+\' with no preceding operand {#} m/ネ(?[ +{#} [ネ] ])/',
+@@ -447,8 +449,9 @@ my @death_utf8 = mark_as_utf8(
+  '/(?[ \x{ネ} ])ネ/' => 'Non-hex character {#} m/(?[ \x{ネ{#}} ])ネ/',
+  '/(?[ \p{ネ} ])/' => 'Can\'t find Unicode property definition "ネ" {#} m/(?[ \p{ネ}{#} ])/',
+  '/(?[ \p{ ネ = bar } ])/' => 'Can\'t find Unicode property definition "ネ = bar" {#} m/(?[ \p{ ネ = bar }{#} ])/',
+- '/ネ(?[ \t ]/' => 'Syntax error in (?[...]) in regex m/ネ(?[ \t ]/',
+- '/(?[ \t + \e # ネ This was supposed to be a comment ])/' => 'Syntax error in (?[...]) in regex m/(?[ \t + \e # ネ This was supposed to be a comment ])/',
++ '/ネ(?[ \t ]/' => "Unexpected ']' with no following ')' in (?[... {#} m/ネ(?[ \\t ]{#}/",
++ '/(?[ \t + \e # ネ This was supposed to be a comment ])/' =>
++    "Syntax error in (?[...]) {#} m/(?[ \\t + \\e # ネ This was supposed to be a comment ]){#}/",
+  'm/(*ネ)ネ/' => q<Unknown verb pattern 'ネ' {#} m/(*ネ){#}ネ/>,
+  '/\cネ/' => "Character following \"\\c\" must be printable ASCII",
+  '/\b{ネ}/' => "'ネ' is an unknown bound type {#} m/\\b{ネ{#}}/",
+diff --git a/t/re/regex_sets.t b/t/re/regex_sets.t
+index 6a79f9d6928..e9644bd4e61 100644
+--- a/t/re/regex_sets.t
++++ b/t/re/regex_sets.t
+@@ -158,13 +158,13 @@ for my $char ("٠", "٥", "٩") {
+        eval { $_ = '/(?[(\c]) /'; qr/$_/ };
+        like($@, qr/^Syntax error/, '/(?[(\c]) / should not panic');
+        eval { $_ = '(?[\c#]' . "\n])"; qr/$_/ };
+-       like($@, qr/^Syntax error/, '/(?[(\c]) / should not panic');
++       like($@, qr/^Unexpected/, '/(?[(\c]) / should not panic');
+        eval { $_ = '(?[(\c])'; qr/$_/ };
+        like($@, qr/^Syntax error/, '/(?[(\c])/ should be a syntax error');
+        eval { $_ = '(?[(\c]) ]\b'; qr/$_/ };
+-       like($@, qr/^Syntax error/, '/(?[(\c]) ]\b/ should be a syntax error');
++       like($@, qr/^Unexpected/, '/(?[(\c]) ]\b/ should be a syntax error');
+        eval { $_ = '(?[\c[]](])'; qr/$_/ };
+-       like($@, qr/^Syntax error/, '/(?[\c[]](])/ should be a syntax error');
++       like($@, qr/^Unexpected/, '/(?[\c[]](])/ should be a syntax error');
+        like("\c#", qr/(?[\c#])/, '\c# should match itself');
+        like("\c[", qr/(?[\c[])/, '\c[ should match itself');
+        like("\c\ ", qr/(?[\c\])/, '\c\ should match itself');