Segfault in Perl_pv_escape with assert fail, do qr/NUL/ #15337
I have compiled bleadperl with the afl-gcc compiler using:
./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
And then fuzzed the resulting binary using:
AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segfault in the perl interpreter. The testcase is the file below. On normal builds, this segfaults. On debug builds, this returns an assert fail.
dcollins@nightshade64:~$ cat f3i0
Debugging tool output is below. A git bisect was performed and reported the following:
[perl #117265] correctly handle overloaded strings
:100644 100644 d79bf44da7adb960f017908188b6b2563799066d 3988c788738312cc9dcc15e948114261e0a0ddac M doio.c
dcollins@nightshade64:~$ gdb --args ./perl/perl ./f3i0
Program received signal SIGSEGV, Segmentation fault.
dcollins@nightshade64:~$ valgrind ./perl/perl ./f3i0
dcollins@nightshade64:~$ perl/perl -V
Characteristics of this binary (from libperl):
On Wed May 18 15:26:10 2016, email@example.com wrote:
Some of the code added by v5.19.3-130-gc8028aa to pp_ctl.c:pp_require (now in S_require_file) uses SvPVX(sv) and SvCUR(sv) without making sure that the SV is a PV.
I believe that is the culprit.
In fact, the code in question could just use the name and len variables it already has, from stringifying the sv a few lines earlier.
(I may be wrong here. I have not even run this through gdb or done a bisect. I simply looked at the code.)
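A simplified C model of the pattern described in the comment above, added here as an illustration and not taken from the Perl source or from any participant in this thread. The `value` struct, `put`, `stringify`, `escape` and both `describe_*` functions are hypothetical stand-ins for an SV, its stringification to name/len, and the escaping step; the regexp rendering and sample input are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, NOT Perl's real SV layout; non-PV types leave pv/cur NULL/0. */
typedef enum { T_PV, T_REGEXP } vtype;
typedef struct {
    vtype type;
    const char *pv;  size_t cur;     /* raw string buffer: valid for T_PV only */
    const char *pat; size_t patlen;  /* pattern source: valid for T_REGEXP only */
} value;
static size_t put(char *buf, size_t cap, size_t n, const char *s, size_t len) {
    if (n >= cap) return n;
    if (len > cap - n) len = cap - n;          /* truncate the append to fit */
    if (len) memcpy(buf + n, s, len);          /* bytes may include NUL */
    return n + len;
}
/* Type-aware stringification: yields the name/len pair for any value type. */
static size_t stringify(const value *v, char *buf, size_t cap) {
    if (v->type == T_PV) return put(buf, cap, 0, v->pv, v->cur);
    size_t n = put(buf, cap, 0, "(?^:", 4);    /* constructed regexp rendering */
    n = put(buf, cap, n, v->pat, v->patlen);
    return put(buf, cap, n, ")", 1);
}
/* Length-driven escaping: an embedded NUL is printed as \x00, not treated as the end. */
static size_t escape(const char *s, size_t len, char *out, size_t cap) {
    size_t o = 0;
    for (size_t i = 0; i < len && o + 5 <= cap; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c >= 0x20 && c < 0x7f && c != '\\') out[o++] = (char)c;
        else o += (size_t)snprintf(out + o, cap - o, "\\x%02x", c);
    }
    if (cap) out[o] = '\0';
    return o;
}
/* Before: trusts the raw buffer fields without checking the value's type. */
static size_t describe_unchecked(const value *v, char *out, size_t cap) {
    return escape(v->pv, v->cur, out, cap);
}
/* After: reuses the name/len already produced by stringification. */
static size_t describe_fixed(const value *v, char *out, size_t cap) {
    char name[128];
    size_t len = stringify(v, name, sizeof name);
    return escape(name, len, out, cap);
}
int main(void) {
    value rx = { T_REGEXP, NULL, 0, "\0", 1 };  /* constructed: models qr/NUL/ */
    char a[64], b[64];
    describe_unchecked(&rx, a, sizeof a); describe_fixed(&rx, b, sizeof b);
    printf("unchecked: \"%s\"\nfixed:     \"%s\"\n", a, b);
}
```

In this model the unchecked path merely reports an empty name because the unused fields are zeroed; in a real interpreter those fields can hold unrelated data for a non-string value, which is how the same mistake becomes a crash.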
On Wed May 18 16:58:27 2016, sprout wrote:
I think these should be candidates for backporting to maint-5.24 and maint-5.22 (and maint-5.20 if we are still doing that).
Thank you for the report.
Thank you for filing this report. You have helped make Perl better.
With the release today of Perl 5.26.0, this and 210 other issues have been
Perl 5.26.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.