heap-use-after-free Perl_do_print (doio.c:1400) #15531
Comments
From @geeknik

The attached test case named orig55 triggers a heap-use-after-free:

==1757==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00001d3a8
is located 1832 bytes inside of 2048-byte region previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/doio.c:1400

When you minimize the orig55 testcase with afl-tmin, you get test55, which

==10948==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000a4f8
is located 0 bytes to the right of 40-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memmove

In both cases, Perl 5.20.2 returns errors, does not crash.
From @tonycoz

On Fri Aug 19 12:21:50 2016, brian.carpenter@gmail.com wrote:

I don't think this is a security issue (but it's still a bug.)

Attached a simplified version of orig55.

I sort of suspect a relationship to #128996, since I don't expect

tony@mars:.../perl/git$ hd -c 128997ab.pl

Tony
From @tonycoz

The RT System itself - Status changed from 'new' to 'open'
From @tonycoz

On Fri Aug 19 12:21:50 2016, brian.carpenter@gmail.com wrote:

I simplified this a little:

tony@mars:.../perl/git$ hd -c 128997bb.pl

And a little more:

tony@mars:.../perl/git$ hd -c 128997bb.pl

Eliminating the whitespace:

00000000  42 45 47 49 4e 7b 24 30  3d 22 22 3b 24 5e 48 3d  |BEGIN{$0="";$^H=|

Changes the reported error to "unknown-crash":

==29597==ERROR: AddressSanitizer: unknown-crash on address 0x60300000e605 at pc 0x89c88d bp 0x7ffe88fa4dd0 sp 0x7ffe88fa4dc8

Tony
From @tonycoz

On Fri Aug 19 12:21:50 2016, brian.carpenter@gmail.com wrote:

This appears to be fixed by 4eadd82.

But not this.

Since this isn't a security issue I've moved it to the public queue.

Tony
From @tonycoz

On Mon Oct 17 17:04:40 2016, tonyc wrote:

Should be fixed by the attached.

Tony
From @tonycoz

0001-perl-128997-avoid-reading-beyond-the-end-of-the-line.patch

From dbabdaa2a253dd057e8df334c336b9dc18bd0d28 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Tue, 18 Oct 2016 15:46:48 +1100
Subject: (perl #128997) avoid reading beyond the end of the line buffer
when there's a short UTF-8 character at the end.
---
t/op/lex.t | 8 +++++++-
toke.c | 17 ++++++++++++-----
2 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/t/op/lex.t b/t/op/lex.t
index db0cf3a..f3cb510 100644
--- a/t/op/lex.t
+++ b/t/op/lex.t
@@ -7,7 +7,7 @@ use warnings;
BEGIN { chdir 't' if -d 't'; require './test.pl'; }
-plan(tests => 32);
+plan(tests => 33);
{
no warnings 'deprecated';
@@ -255,3 +255,9 @@ fresh_perl_is(
{},
'[perl #128996] - use of PL_op after op is freed'
);
+fresh_perl_like(
+ qq(BEGIN{\$0="";\$^H=-hex join""=>1}""\xFF),
+ qr/Malformed UTF-8 character: \\xff \(too short; got 1 byte, need 13\) at - line 1\./,
+ {},
+ '[perl #128997] - buffer read overflow'
+);
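Review bot: the pattern hard-codes "need 13" in `qr/Malformed UTF-8 character: \\xff \(too short; got 1 byte, need 13\) at - line 1\./`, which couples the test to the exact diagnostic wording and to the skip length UTF8SKIP assigns to a 0xFF lead byte on this build; if either changes, the test fails for a reason unrelated to the over-read it is meant to guard. Matching only the stable part, e.g. `qr/Malformed UTF-8 character: \\xff \(too short/`, keeps the regression check without that coupling. Worth noting in the test name or a comment that the over-read itself is only observable under ASan: a build that still reads past the buffer but happens not to crash would pass on the diagnostic text alone.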
diff --git a/toke.c b/toke.c
index d44d36a..041996f 100644
--- a/toke.c
+++ b/toke.c
@@ -4896,11 +4896,18 @@ Perl_yylex(pTHX)
}
{
SV *dsv = newSVpvs_flags("", SVs_TEMP);
- const char *c = UTF ? sv_uni_display(dsv, newSVpvn_flags(s,
- UTF8SKIP(s),
- SVs_TEMP | SVf_UTF8),
- 10, UNI_DISPLAY_ISPRINT)
- : Perl_form(aTHX_ "\\x%02X", (unsigned char)*s);
+ const char *c;
+ if (UTF) {
+ STRLEN skiplen = UTF8SKIP(s);
+ STRLEN stravail = PL_bufend - s;
+ c = sv_uni_display(dsv, newSVpvn_flags(s,
+ skiplen > stravail ? stravail : skiplen,
+ SVs_TEMP | SVf_UTF8),
+ 10, UNI_DISPLAY_ISPRINT);
+ }
+ else {
+ c = Perl_form(aTHX_ "\\x%02X", (unsigned char)*s);
+ }
len = UTF ? Perl_utf8_length(aTHX_ (U8 *) PL_linestart, (U8 *) s) : (STRLEN) (s - PL_linestart);
if (len > UNRECOGNIZED_PRECEDE_COUNT) {
d = UTF ? (char *) utf8_hop((U8 *) s, -UNRECOGNIZED_PRECEDE_COUNT) : s - UNRECOGNIZED_PRECEDE_COUNT;
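Review bot: the clamp `skiplen > stravail ? stravail : skiplen` is the right fix but carries no comment, and `STRLEN stravail = PL_bufend - s;` silently converts a pointer difference to an unsigned type, so if `s` were ever at or past `PL_bufend` the clamp would be a no-op (or wrap) and the over-read would return. A one-line comment stating that `s < PL_bufend` holds here and that UTF8SKIP trusts the lead byte without checking how many bytes remain (a trailing 0xFF asks for 13) would make the invariant explicit, and an `assert(s < PL_bufend)` ahead of the subtraction would catch a future caller that breaks it. Also note that sv_uni_display is now deliberately handed a truncated sequence, which is what yields the "too short" diagnostic the new test expects, so that behaviour of sv_uni_display is now relied upon by the lexer.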
--
2.1.4
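Added example, not code from the Perl tree or from the patch above: a small C model of the condition the fix addresses. A UTF-8 lead byte announces how long the encoded character should be, and the unfixed lexer copied that many bytes from `s` without checking how many remain before `PL_bufend`. The length table below is a hand-written approximation of Perl's extended UTF8SKIP lengths, including the 13-byte form for 0xFF on 64-bit builds; it is an assumption, not Perl's PL_utf8skip. `char_span_at` computes the same clamp as the patch and reports the "got N, need M" pair; `render_span` touches only bytes that exist. The sample buffer is the minimized script from the ticket, constructed here as a byte string with a bare 0xFF as its last byte.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Expected sequence length from a lead byte. Hand-written model of Perl's
 * extended UTF-8 scheme (assumption, not PL_utf8skip): continuation bytes
 * 0x80..0xBF count as length 1, 0xFE leads 7 bytes, 0xFF leads 13. */
static size_t lead_byte_len(unsigned char b)
{
    if (b < 0xC0) return 1;        /* ASCII or a stray continuation byte */
    if (b < 0xE0) return 2;
    if (b < 0xF0) return 3;
    if (b < 0xF8) return 4;
    if (b < 0xFC) return 5;
    if (b < 0xFE) return 6;
    if (b == 0xFE) return 7;
    return 13;                     /* 0xFF: 13-byte form on 64-bit perls */
}

struct char_span {
    size_t need;      /* bytes the lead byte promises */
    size_t got;       /* bytes actually available before buffer end */
    int    truncated; /* got < need */
};

/* Clamp the character starting at buf[pos] to the bytes that exist in
 * [buf, buf+len). This is the patch's `skiplen > stravail ? stravail :
 * skiplen` with the availability check made explicit; it never reads
 * past the buffer. A pos at or beyond len yields an empty span. */
static struct char_span char_span_at(const unsigned char *buf, size_t len, size_t pos)
{
    struct char_span sp = {0, 0, 0};
    if (pos >= len) return sp;
    sp.need = lead_byte_len(buf[pos]);
    size_t avail = len - pos;
    sp.got = sp.need > avail ? avail : sp.need;
    sp.truncated = sp.got < sp.need;
    return sp;
}

/* Render the clamped span as \xNN escapes (like the lexer's "\\x%02X"
 * fallback), reading only sp.got bytes. Returns the number of characters
 * written to out, which is NUL-terminated when outsz > 0. */
static size_t render_span(const unsigned char *buf, size_t len, size_t pos,
                          char *out, size_t outsz)
{
    struct char_span sp = char_span_at(buf, len, pos);
    size_t n = 0;
    if (outsz > 0) out[0] = '\0';
    for (size_t i = 0; i < sp.got && n + 5 <= outsz; i++)
        n += (size_t)snprintf(out + n, outsz - n, "\\x%02X", buf[pos + i]);
    return n;
}

/* Constructed input: the minimized script from the ticket, ending in a
 * lone 0xFF that promises 13 bytes but has only 1 available. */
static const unsigned char sample[] =
    "BEGIN{$0=\"\";$^H=-hex join\"\"=>1}\"\"\xFF";

int main(void)
{
    size_t len = sizeof(sample) - 1;
    struct char_span sp = char_span_at(sample, len, len - 1);
    char out[64];
    render_span(sample, len, len - 1, out, sizeof out);
    printf("need %zu, got %zu, truncated=%d, shown as %s\n",
           sp.need, sp.got, sp.truncated, out);
    return 0;
}
```

The `got 1, need 13` pair this reports for the trailing 0xFF is the same arithmetic behind the "too short; got 1 byte, need 13" message the new lex.t case expects; the point of the clamp is that the 12 missing bytes are reported rather than read.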
From @tonycoz

On Mon Oct 17 21:47:48 2016, tonyc wrote:

Applied as 856bb39.

Since both issues are fixed, closing this ticket.

Tony
@tonycoz - Status changed from 'open' to 'pending release'
From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been

Perl 5.26.0 may be downloaded via:

If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#128997 (status was 'resolved')
Searchable as RT128997$