Segmentation Fault in Perl 5.21.8 while fuzzing Perl binary

[p5pRT]

Migrated from rt.perl.org#123539 (status was 'resolved')

Searchable as RT123539$

[p5pRT]

From @geeknik

I cloned the git repo on 01/02/2015 and built from source using the afl-gcc
compiler​:

CC=/path/to/afl-gcc ./Configure
AFL_HARDEN=1 make

This is perl 5, version 21, subversion 8 (v5.21.8 (v5.21.7-209-g4e27940))
built for x86_64-linux

Besides the above information, this version of Perl was compiled using all
defaults (enter was pressed for every question).

While fuzzing the new perl binary, I found a testcase that causes a
segfault. I've attached the file for inclusion in the bug report. Please
note that a file named = containing zero bytes was also created in a tmp
directory around 1 minute 5 seconds before the testcase was written to
disk. Not sure if this is related but I wanted to add the information just
in case it was important. Please advise if this is a security issue and if
you will handle the CVE request.

@​@​ VALGRIND OUTPUT @​@​

valgrind -q /home/geeknik/perl5/perl
./id\​:000000\,sig\​:11\,src\​:002461+016504\,op\​:splice\,rep\​:32
==54123== Use of uninitialised value of size 8
==54123== at 0x651E15​: S_regatom (regcomp.c​:12632)
==54123== by 0x656B49​: S_regpiece (regcomp.c​:10821)
==54123== by 0x65AB0D​: S_regbranch (regcomp.c​:10747)
==54123== by 0x66C9A5​: S_reg.constprop.9 (regcomp.c​:10497)
==54123== by 0x690D3B​: Perl_re_op_compile (regcomp.c​:6697)
==54123== by 0x4C1222​: Perl_pmruntime (op.c​:5629)
==54123== by 0x5CBEBC​: Perl_yyparse (perly.y​:1000)
==54123== by 0x4F3114​: perl_parse (perl.c​:2273)
==54123== by 0x42A92B​: main (perlmain.c​:114)
==54123==
==54123== Invalid write of size 1
==54123== at 0x64C878​: S_regatom (regcomp.c​:12484)
==54123== by 0x656B49​: S_regpiece (regcomp.c​:10821)
==54123== by 0x65AB0D​: S_regbranch (regcomp.c​:10747)
==54123== by 0x66C9A5​: S_reg.constprop.9 (regcomp.c​:10497)
==54123== by 0x693D3B​: Perl_re_op_compile (regcomp.c​:6895)
==54123== by 0x4C1222​: Perl_pmruntime (op.c​:5629)
==54123== by 0x5CBEBC​: Perl_yyparse (perly.y​:1000)
==54123== by 0x4F3114​: perl_parse (perl.c​:2273)
==54123== by 0x42A92B​: main (perlmain.c​:114)
==54123== Address 0x5eea96c is 0 bytes after a block of size 3,500 alloc'd
==54123== at 0x4C28BED​: malloc (vg_replace_malloc.c​:263)
==54123== by 0x6CEFBC​: Perl_safesysmalloc (util.c​:144)
==54123== by 0x692C7A​: Perl_re_op_compile (regcomp.c​:6746)
==54123== by 0x4C1222​: Perl_pmruntime (op.c​:5629)
==54123== by 0x5CBEBC​: Perl_yyparse (perly.y​:1000)
==54123== by 0x4F3114​: perl_parse (perl.c​:2273)
==54123== by 0x42A92B​: main (perlmain.c​:114)
==54123==
syntax error at ./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line
11, near "printr)"
Unknown regexp modifier "/b" at
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line 17, at end of
line
Unknown regexp modifier "/G" at
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line 17, at end of
line
Unknown regexp modifier "/e" at
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line 17, at end of
line
Unknown regexp modifier "/r" at
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line 17, at end of
line
panic​: reg_node overrun trying to emit 0, 5eea97c>=5eea96c at
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line 20.

@​@​ GDB OUTPUT @​@​

gdb /home/geeknik/perl5/perl core
GNU gdb (GDB) 7.4.1-debian
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://gnu.org/licenses/gpl.html

This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see​:
<http​://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /home/geeknik/perl5/perl...done.
[New LWP 12797]

warning​: Can't read pathname for load map​: Input/output error.
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/home/geeknik/perl5/perl
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32'.
Program terminated with signal 11, Segmentation fault.
#0 0x00007f1223db11f0 in _int_free (av=0x7f12240c0e40, p=0x238f260) at
malloc.c​:5002
5002 malloc.c​: No such file or directory.
(gdb) bt
#0 0x00007f1223db11f0 in _int_free (av=0x7f12240c0e40, p=0x238f260) at
malloc.c​:5002
#1 0x00007f1223db47bc in *__GI___libc_free (mem=<optimized out>) at
malloc.c​:3738
#2 0x00000000007bf7e8 in Perl_sv_clear (orig_sv=orig_sv@​entry=0x238bbf8)
at sv.c​:6743
#3 0x00000000007b75f8 in Perl_sv_free2 (sv=0x238bbf8, rc=<optimized out>)
at sv.c​:7018
#4 0x000000000043cc85 in S_SvREFCNT_dec (sv=<optimized out>) at
inline.h​:166
#5 Perl_op_clear (o=o@​entry=0x238df50) at op.c​:931
#6 0x000000000043d568 in Perl_op_free (o=0x238df50) at op.c​:781
#7 0x000000000043e119 in Perl_opslab_force_free (slab=0x2389980) at
op.c​:443
#8 0x00000000005f12c1 in Perl_cv_undef_flags (cv=0x2368328, flags=0) at
pad.c​:350
#9 0x00000000007bedc0 in Perl_sv_clear (orig_sv=orig_sv@​entry=0x2368328)
at sv.c​:6592
#10 0x00000000007b75f8 in Perl_sv_free2 (sv=0x2368328, rc=<optimized out>)
at sv.c​:7018
#11 0x00000000004e77b5 in S_SvREFCNT_dec (sv=<optimized out>) at
inline.h​:166
#12 perl_destruct (my_perl=<optimized out>) at perl.c​:780
#13 0x000000000042ab24 in main (argc=2, argv=0x7fff5c8b3a58,
env=0x7fff5c8b3a70) at perlmain.c​:127
#14 0x00007f1223d57ead in __libc_start_main (main=<optimized out>,
argc=<optimized out>,
  ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>,
  stack_end=0x7fff5c8b3a48) at libc-start.c​:244
#15 0x000000000042ac45 in _start ()
(gdb)

geeknik@​deb7fuzz​:~/perl5/utils$ ./perlbug -d

---

Flags​:
  category=core
  severity=low

---

This perlbug was built using Perl 5.21.8 - Fri Jan 2 19​:02​:59 CST 2015
It is being executed now by Perl 5.21.7 - Thu Dec 18 14​:34​:01 CST 2014.

Site configuration information for perl 5.21.7​:

Configured by geeknik at Thu Dec 18 14​:34​:01 CST 2014.

Summary of my perl5 (revision 5 version 21 subversion 7) configuration​:
  Commit id​: e9d2bd8
  Platform​:
  osname=linux, osvers=3.2.0-4-amd64, archname=x86_64-linux
  uname='linux deb7fuzz 3.2.0-4-amd64 #1 smp debian 3.2.63-2+deb7u2
x86_64 gnulinux '
  config_args=''
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='/home/geeknik/afl/afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing
-pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2',
  optimize='-O2',
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
  ccversion='', gccversion='4.7.2', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678,
doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16,
longdblkind=3
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries​:
  ld='/home/geeknik/afl/afl-gcc', ldflags =' -fstack-protector
-L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.7/include-fixed
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lnsl -ldl -lm -lcrypt -lutil -lc -lpthread
  perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc -lpthread
  libc=libc-2.13.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.13'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -L/usr/local/lib
-fstack-protector'

---

@​INC for perl 5.21.7​:
  /usr/local/lib/perl5/site_perl/5.21.7/x86_64-linux
  /usr/local/lib/perl5/site_perl/5.21.7
  /usr/local/lib/perl5/5.21.7/x86_64-linux
  /usr/local/lib/perl5/5.21.7
  .

---

Environment for perl 5.21.7​:
  HOME=/home/geeknik
  LANG=en_US.UTF-8
  LANGUAGE (unset)
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/usr/local/bin​:/usr/bin​:/bin​:/usr/local/games​:/usr/games
  PERL_BADLANG (unset)
  SHELL=/bin/bash

[p5pRT]

From @geeknik

crash.gz

[p5pRT]

From @jkeenan

On Sat Jan 03 11​:49​:13 2015, brian.carpenter@​gmail.com wrote​:

I cloned the git repo on 01/02/2015 and built from source using the afl-gcc
compiler​:

CC=/path/to/afl-gcc ./Configure
AFL_HARDEN=1 make

Can you describe how one obtains the afl-gcc compiler?

This is perl 5, version 21, subversion 8 (v5.21.8 (v5.21.7-209-g4e27940))
built for x86_64-linux

Besides the above information, this version of Perl was compiled using all
defaults (enter was pressed for every question).

While fuzzing the new perl binary, I found a testcase that causes a
segfault. I've attached the file for inclusion in the bug report. Please
note that a file named = containing zero bytes was also created in a tmp
directory around 1 minute 5 seconds before the testcase was written to
disk. Not sure if this is related but I wanted to add the information just
in case it was important. Please advise if this is a security issue and if
you will handle the CVE request.

I'm a bit puzzled about the test case, since, insofar as it is intended to be a perl program, it fails to compile. It reports a syntax error near 'printr)'. Can you clarify?

Thank you very much.

--
James E Keenan (jkeenan@​cpan.org)

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @mauke

Am 03.01.2015 um 22​:54 schrieb James E Keenan via RT​:

On Sat Jan 03 11​:49​:13 2015, brian.carpenter@​gmail.com wrote​:

I cloned the git repo on 01/02/2015 and built from source using the afl-gcc
compiler​:

CC=/path/to/afl-gcc ./Configure
AFL_HARDEN=1 make

Can you describe how one obtains the afl-gcc compiler?

http​://lcamtuf.coredump.cx/afl/

This is perl 5, version 21, subversion 8 (v5.21.8 (v5.21.7-209-g4e27940))
built for x86_64-linux

Besides the above information, this version of Perl was compiled using all
defaults (enter was pressed for every question).

While fuzzing the new perl binary, I found a testcase that causes a
segfault. I've attached the file for inclusion in the bug report. Please
note that a file named = containing zero bytes was also created in a tmp
directory around 1 minute 5 seconds before the testcase was written to
disk. Not sure if this is related but I wanted to add the information just
in case it was important. Please advise if this is a security issue and if
you will handle the CVE request.

I'm a bit puzzled about the test case, since, insofar as it is intended to be a perl program, it fails to compile. It reports a syntax error near 'printr)'. Can you clarify?

As the original bug report says​:

syntax error at ./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32
line 11, near "printr)"
Unknown regexp modifier "/b" at
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line 17, at end of
line
Unknown regexp modifier "/G" at
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line 17, at end of
line
Unknown regexp modifier "/e" at
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line 17, at end of
line
Unknown regexp modifier "/r" at
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line 17, at end of
line
panic​: reg_node overrun trying to emit 0, 5eea97c>=5eea96c at
./id​:000000,sig​:11,src​:002461+016504,op​:splice,rep​:32 line 20.

Perl panics/crashes while trying to handle a syntax error, apparently.

--
Lukas Mai <plokinom@​gmail.com>

[p5pRT]

From @geeknik

The original test case that I fed to AFL was this​:

#!/usr/local/bin/perl
print "Content-type​: text/html\n\n";
print "Hello World.\n";
print "Heres the form info​:<P>\n";
my($buffer);
my(@​pairs);
my($pair);
read(STDIN,$buffer,$ENV{'CONTENT_LENGTH'});
@​pairs = split(/&/, $buffer);
foreach $pair (@​pairs)
  {
  print "$pair<BR>\n"
  }
print "<P>Note that further parsing is\n";
print "necessary to turn the plus signs\n";
print "into spaces and get rid of some\n";
print "other web encoding.\n";

After about 25 million iterations, that script was turned into the test
case that I submitted. Shouldn't perl fail gracefully instead of just
crashing because of invalid input/characters/etc?

[p5pRT]

From @geeknik

The afl-gcc is available as part of American Fuzzy Lop which you can obtain
from here​: http​://lcamtuf.coredump.cx/afl/

[p5pRT]

From @cpansprout

On Sat Jan 03 14​:50​:18 2015, brian.carpenter@​gmail.com wrote​:

Shouldn't perl fail gracefully instead of just
crashing because of invalid input/characters/etc?

Yes, it should. I don’t get a crash when I run the script. I do get a panic message, though, in bleadperl and in 5.20.1. 5.18.3 just shows ‘normal’ errors, no panics. I’m going to run a bisect.

--

Father Chrysostomos

[p5pRT]

From @cpansprout

On Sat Jan 03 17​:35​:31 2015, sprout wrote​:

On Sat Jan 03 14​:50​:18 2015, brian.carpenter@​gmail.com wrote​:

Shouldn't perl fail gracefully instead of just
crashing because of invalid input/characters/etc?

Yes, it should. I don’t get a crash when I run the script. I do get
a panic message, though, in bleadperl and in 5.20.1. 5.18.3 just
shows ‘normal’ errors, no panics. I’m going to run a bisect.

31f05a3 is the first bad commit
commit 31f05a3
Author​: Karl Williamson <public@​khwilliamson.com>
Date​: Mon Jan 27 15​:35​:00 2014 -0700

  Work properly under UTF-8 LC_CTYPE locales
 
  This large (sorry, I couldn't figure out how to meaningfully split it
  up) commit causes Perl to fully support LC_CTYPE operations (case
  changing, character classification) in UTF-8 locales.
 
  As a side effect it resolves [perl #56820].

--

Father Chrysostomos

[p5pRT]

From @cpansprout

On Sat Jan 03 18​:00​:41 2015, sprout wrote​:

On Sat Jan 03 17​:35​:31 2015, sprout wrote​:

On Sat Jan 03 14​:50​:18 2015, brian.carpenter@​gmail.com wrote​:

Shouldn't perl fail gracefully instead of just
crashing because of invalid input/characters/etc?

Yes, it should. I don’t get a crash when I run the script. I do get
a panic message, though, in bleadperl and in 5.20.1. 5.18.3 just
shows ‘normal’ errors, no panics. I’m going to run a bisect.

31f05a3 is the first bad commit
commit 31f05a3
Author​: Karl Williamson <public@​khwilliamson.com>
Date​: Mon Jan 27 15​:35​:00 2014 -0700

Work properly under UTF\-8 LC\_CTYPE locales

This large \(sorry\, I couldn't figure out how to meaningfully split it
up\) commit causes Perl to fully support LC\_CTYPE operations \(case
changing\, character classification\) in UTF\-8 locales\.

As a side effect it resolves \[perl \#56820\]\.

Reduced case. This appears to have nothing to do with the syntax error.

/TffffffffffffTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT5TT
TTTTTTTTTTTTTTTTTTTTTTT3TTgTTTTTTTTTTTTTTTTTTTTT2TTTTTTTTTTTTTTTTTTTTTT
THHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHiHHHHHH
Hffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffff&ffff/il

The output I get is​:

panic​: reg_node overrun trying to emit 0, 7fcdf140cca8>=7fcdf140cca4 at /Users/sprout/Downloads/crash line 7.

With some variations of the above, I got malloc errors.

--

Father Chrysostomos

[p5pRT]

From @khwilliamson

On 01/03/2015 08​:39 PM, Father Chrysostomos via RT wrote​:

On Sat Jan 03 18​:00​:41 2015, sprout wrote​:

On Sat Jan 03 17​:35​:31 2015, sprout wrote​:

On Sat Jan 03 14​:50​:18 2015, brian.carpenter@​gmail.com wrote​:

Shouldn't perl fail gracefully instead of just
crashing because of invalid input/characters/etc?

Yes, it should. I don’t get a crash when I run the script. I do get
a panic message, though, in bleadperl and in 5.20.1. 5.18.3 just
shows ‘normal’ errors, no panics. I’m going to run a bisect.

31f05a3 is the first bad commit
commit 31f05a3
Author​: Karl Williamson <public@​khwilliamson.com>
Date​: Mon Jan 27 15​:35​:00 2014 -0700

 Work properly under UTF\-8 LC\_CTYPE locales

 This large \(sorry\, I couldn't figure out how to meaningfully split it
 up\) commit causes Perl to fully support LC\_CTYPE operations \(case
 changing\, character classification\) in UTF\-8 locales\.

 As a side effect it resolves \[perl \#56820\]\.

Reduced case. This appears to have nothing to do with the syntax error.

/TffffffffffffTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT5TT
TTTTTTTTTTTTTTTTTTTTTTT3TTgTTTTTTTTTTTTTTTTTTTTT2TTTTTTTTTTTTTTTTTTTTTT
THHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHiHHHHHH
Hffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffff&ffff/il

The output I get is​:

panic​: reg_node overrun trying to emit 0, 7fcdf140cca8>=7fcdf140cca4 at /Users/sprout/Downloads/crash line 7.

With some variations of the above, I got malloc errors.

I didn't get these errors, but I did see some valgrind issues, which the
attached patch resolves. Please try it out to see if it fixes your
problems.

[p5pRT]

From @khwilliamson

0003-Trial-patch-for-perl-123539-Segmentation-Fault-in-Pe.patch

From 29adfaedc3d0dec9ff288c7c40642e85018b57cf Mon Sep 17 00:00:00 2001
From: Karl Williamson <khw@cpan.org>
Date: Sat, 3 Jan 2015 22:30:05 -0700
Subject: [PATCH 3/3] Trial patch for [perl #123539] Segmentation Fault in Perl
 5.21.8

---
 regcomp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/regcomp.c b/regcomp.c
index 78c614d..82d45e8 100644
--- a/regcomp.c
+++ b/regcomp.c
@@ -12444,7 +12444,9 @@ tryagain:
                         && is_PROBLEMATIC_LOCALE_FOLD_cp(ender)))
                 {
                     if (UTF) {
-                        const STRLEN unilen = reguni(pRExC_state, ender, s);
+                        const STRLEN unilen = (SIZE_ONLY && ! FOLD)
+                                               ? UNISKIP(ender)
+                                               : (uvchr_to_utf8((U8*)s, ender) - (U8*)s);
                         if (unilen > 0) {
                            s   += unilen;
                            len += unilen;
@@ -12457,6 +12459,9 @@ tryagain:
                          * cancel out the increment that follows */
                         len--;
                     }
+                    else if (FOLD) {
+                        *(s++) = (char) ender;
+                    }
                     else {
                         REGC((char)ender, s++);
                     }
-- 
1.9.1

[p5pRT]

From @cpansprout

On Sat Jan 03 21​:33​:22 2015, public@​khwilliamson.com wrote​:

On 01/03/2015 08​:39 PM, Father Chrysostomos via RT wrote​:

On Sat Jan 03 18​:00​:41 2015, sprout wrote​:

On Sat Jan 03 17​:35​:31 2015, sprout wrote​:

On Sat Jan 03 14​:50​:18 2015, brian.carpenter@​gmail.com wrote​:

Shouldn't perl fail gracefully instead of just
crashing because of invalid input/characters/etc?

Yes, it should. I don’t get a crash when I run the script. I do
get
a panic message, though, in bleadperl and in 5.20.1. 5.18.3 just
shows ‘normal’ errors, no panics. I’m going to run a bisect.

31f05a3 is the first bad commit
commit 31f05a3
Author​: Karl Williamson <public@​khwilliamson.com>
Date​: Mon Jan 27 15​:35​:00 2014 -0700

Work properly under UTF-8 LC_CTYPE locales

This large (sorry, I couldn't figure out how to meaningfully split
it
up) commit causes Perl to fully support LC_CTYPE operations (case
changing, character classification) in UTF-8 locales.

As a side effect it resolves [perl #56820].

Reduced case. This appears to have nothing to do with the syntax
error.

/TffffffffffffTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT5TT
TTTTTTTTTTTTTTTTTTTTTTT3TTgTTTTTTTTTTTTTTTTTTTTT2TTTTTTTTTTTTTTTTTTTTTT
THHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHiHHHHHH
Hffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffff&ffff/il

The output I get is​:

panic​: reg_node overrun trying to emit 0, 7fcdf140cca8>=7fcdf140cca4
at /Users/sprout/Downloads/crash line 7.

With some variations of the above, I got malloc errors.

I didn't get these errors, but I did see some valgrind issues, which
the
attached patch resolves. Please try it out to see if it fixes your
problems.

Yes, it works for me, both with the reduced case and with the original script from this ticket. I have no idea how it works, though.

--

Father Chrysostomos

[p5pRT]

From @jkeenan

On Sat Jan 03 21​:33​:22 2015, public@​khwilliamson.com wrote​:

I didn't get these errors, but I did see some valgrind issues, which
the
attached patch resolves. Please try it out to see if it fixes your
problems.

The patch works for me as well. With it I get normal syntax errors as shown by the attachment.

Thank you very much.

--
James E Keenan (jkeenan@​cpan.org)

[p5pRT]

From @jkeenan

Bareword found where operator expected at /home/jkeenan/learn/perl/p5p/noshebang-123539-crash line 21, near "HHHHHHHHHHHHHHHHHHHH"
  (Might be a runaway multi-line // string starting on line 17)
  (Missing semicolon on previous line?)
syntax error at /home/jkeenan/learn/perl/p5p/noshebang-123539-crash line 11, near "printr)"
Unknown regexp modifier "/b" at /home/jkeenan/learn/perl/p5p/noshebang-123539-crash line 17, at end of line
Unknown regexp modifier "/G" at /home/jkeenan/learn/perl/p5p/noshebang-123539-crash line 17, at end of line
Unknown regexp modifier "/e" at /home/jkeenan/learn/perl/p5p/noshebang-123539-crash line 17, at end of line
Unknown regexp modifier "/r" at /home/jkeenan/learn/perl/p5p/noshebang-123539-crash line 17, at end of line
syntax error at /home/jkeenan/learn/perl/p5p/noshebang-123539-crash line 21, near "HHHHHHHHHHHHHHHHHHHH"
Unrecognized character \x83; marked by <-- HERE after HHHHHHHHHH<-- HERE near column 22 at /home/jkeenan/learn/perl/p5p/noshebang-123539-crash line 21.