heap-buffer-overflow in Perl_sv_vcatpvfn_flags (sv.c:12897) #15518
From @geeknik:

The attached test case triggers a heap-buffer-overflow in Perl_sv_vcatpvfn_flags (sv.c:12897). This was found with AFL, ASAN and libdislocator.so and affects v5.25.4 (v5.25.3-245-g2e66fe9). Perl 5.20.2 returns an error that says `Unrecognized character \xD7; marked by <-- HERE after !@{<-- HERE near column -1 at test00 line 1.`

```
==13440==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dea8 at pc 0x0000004a9880 bp 0x7ffd00eeac90 sp 0x7ffd00eea450
0x60200000dea8 is located 8 bytes to the left of 10-byte region [0x60200000deb0,0x60200000deba)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
```
From @iabyn:

On Mon, Aug 15, 2016 at 03:15:03PM -0700, Brian Carpenter wrote:

The src code contains the bytes: `@ { \327 \n`. After seeing "@{" the lexer calls scan_ident(), which sees the \327 as an
When it finds that the next char isn't a '}', it does this:

`/* Didn't find the closing } at the point we expected, so restore`

i.e. it moves s back to the "{\317" then continues. However, PL_linestart doesn't get reset, so later when the parser
I don't know the best way to fix this.
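The mechanism davem describes (the lexer backtracks its cursor but leaves the line-start pointer where whitespace skipping moved it) is easy to model. The toy lexer below is an added illustration, not Perl's code and not attached to this report; the input bytes are the ones named above, embedded as a constructed string, and the two-pointer state and `error_column()` are assumptions standing in for `s`, `PL_linestart` and the error reporter.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the lexer state discussed in the thread:
 * s = current cursor, linestart = start of the current line. */
typedef struct {
    const char *s;
    const char *linestart;
} lexer;

/* Skip blanks; crossing a newline moves linestart past it, which is
 * what lets an error reporter later compute "column = s - linestart". */
static void skip_space(lexer *lx) {
    while (*lx->s == ' ' || *lx->s == '\t' || *lx->s == '\n') {
        if (*lx->s == '\n')
            lx->linestart = lx->s + 1;
        lx->s++;
    }
}

/* Try to scan "{ident}" with the cursor on '{'. Returns 1 on success.
 * On failure the cursor is restored; linestart is restored only when
 * restore_linestart != 0 (the fixed behaviour). */
int scan_braced_ident(lexer *lx, int restore_linestart) {
    const char *saved_s = lx->s;
    const char *saved_linestart = lx->linestart;
    lx->s++;                                      /* step past '{' */
    while ((unsigned char)*lx->s >= 0x80 ||       /* treat high bytes as ident */
           (*lx->s >= 'a' && *lx->s <= 'z'))
        lx->s++;
    skip_space(lx);                               /* may advance linestart */
    if (*lx->s == '}') { lx->s++; return 1; }
    lx->s = saved_s;                              /* backtrack to the '{' */
    if (restore_linestart)
        lx->linestart = saved_linestart;          /* the missing reset */
    return 0;
}

/* Column the error reporter would derive after scanning "@{...". A negative
 * value means linestart now lies AFTER the cursor, so any code that walks
 * from linestart to s, or copies (s - linestart) bytes, reads out of bounds. */
long error_column(const char *src, int restore_linestart) {
    lexer lx = { src, src };
    lx.s++;                                       /* past the leading '@' */
    scan_braced_ident(&lx, restore_linestart);
    return (long)(lx.s - lx.linestart);
}

static const char BAD_SRC[]  = "@{\xD7\n";       /* bytes from the report */
static const char GOOD_SRC[] = "@{\xD7}";        /* well-formed control case */
```

With `BAD_SRC` the buggy variant yields a negative column while the restoring variant yields 1; the closing-brace input gives 4 either way, showing the reset only matters on the backtrack path.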
The RT System itself - Status changed from 'new' to 'open'
From @cpansprout:

On Tue Aug 16 08:44:17 2016, davem wrote:

This looks like fun. Do you mind if I take over?

-- Father Chrysostomos
From @iabyn:

On Tue, Aug 16, 2016 at 02:12:12PM -0700, Father Chrysostomos via RT wrote:

Isn't it handy that people have such differing concepts of what
From @cpansprout:

On Wed Aug 17 00:09:07 2016, davem wrote:

It's practically a continuation of commit 2179133, so it was fairly easy (except for the stupid mistakes that had me wonder why I was getting fleeting crashes; I must be getting rusty). In any case, it's now fixed by bf8a9a1. I hope the following commits make the lexer slightly easier (ahem) to comprehend.

-- Father Chrysostomos
@cpansprout - Status changed from 'open' to 'pending release'
From @khwilliamson:

Thank you for filing this report. You have helped make Perl better. With the release today of Perl 5.26.0, this and 210 other issues have been
Perl 5.26.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#128951 (status was 'resolved')
Searchable as RT128951$