SEGV reading through null HEK* in hv_ename_add #14512
AFL (<http://lcamtuf.coredump.cx/afl/>) finds this:
% ./miniperl -e '%0=*:=*::::=0'
The code looks similar to the glob overwriting cases in [perl #123710], but the failure mode is quite different:
Program received signal SIGSEGV, Segmentation fault.
Not sure what's supposed to be happening here - the else branch (when not aux->xhv_name_count) clearly knows when it stores existing_name to xhvnameu_names that it might be NULL; that's why our name_count is -2, so how can it be right to loop as far as xhvnameu_names in the if branch?
On Mon Feb 16 04:37:51 2015, hv wrote:
Followup to 088225f/[perl #88132]: packages ending with :
On Mon Mar 02 22:09:39 2015, sprout wrote:
Here is a clearer example, which goes back to 5.14:
$ ./miniperl -e '%0; *bar::=*foo::=0'
The %0 hash needs to be vivified beforehand, and the two globs assigned to need to be stash globs (fq names ending in ::).
The logic in hv_ename_add is wrong, and probably has been so since I wrote it.
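The name-list bookkeeping the report reasons about, as an added C model rather than perl's own hv.c: a negative count marks slot 0 as retired, and that slot may be NULL when a nameless hash (here %0) becomes a stash, so the lookup loop must tolerate it instead of dereferencing it. The starting states (count -2 with a NULL or a retired first name) are constructed by hand to mirror the report's description.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Simplified model, not perl's hv.c (which stores HEKs and has a single-name
 * form too). names[0] is the effective name; a negative count means slot 0 was
 * retired and, as in the report, may be NULL if the hash had no name before. */
struct stash_names {
    int count;              /* |count| slots in use; < 0: slot 0 retired */
    const char *names[4];
};

/* Slot of name, or -1. Walks downward like the real loop, but never dereferences a NULL slot. */
int ename_find(const struct stash_names *s, const char *name)
{
    int n = s->count < 0 ? -s->count : s->count;
    for (int i = n - 1; i >= 0; i--) {
        if (s->names[i] != NULL && strcmp(s->names[i], name) == 0)
            return i;
    }
    return -1;
}

/* Add name unless present; returns its slot, -1 if full. Re-adopting a retired slot 0 flips count positive. */
int ename_add(struct stash_names *s, const char *name)
{
    int idx = ename_find(s, name);
    if (idx >= 0) {
        if (idx == 0 && s->count < 0)
            s->count = -s->count;
        return idx;
    }
    int n = s->count < 0 ? -s->count : s->count;
    if (n >= 4)
        return -1;
    s->names[n] = name;
    s->count = s->count < 0 ? -(n + 1) : n + 1;
    return n;
}

/* Constructed states: after "*foo:: = 0" installed the nameless %0 as a stash
 * (existing name NULL, count -2, the report's case), and a retired but still present old name. */
struct stash_names after_foo = { -2, { NULL, "foo" } };
struct stash_names retired_old = { -2, { "old", "foo" } };
int main(void)
{
    int slot = ename_add(&after_foo, "bar");   /* the "*bar:: = ..." step */
    printf("bar in slot %d, count %d\n", slot, after_foo.count);
    return 0;
}
```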