Conditional jump depends on uninitialized values in S_scan_heredoc #15582
Comments
From @dcollinsn
$ perl -e 'print "<<`\\"' | valgrind ../bin/perl
I'll also include a disassembly, to highlight that this is happening in some SSE type instructions:
dcollins@nightshade64:/usr/local/perl-afl/out$ LD_PRELOAD=/home/dcollins/toolchain/afl-2.32b/libdislocator/libdislocator.so gdb --args ../bin/perl allcrash/f1i000000
I'll poke at it when I'm less starving to see whether it's dependent on a certain -O level. This appears to be unrelated to the previous crashes in this function, namely 123712, 126815, 125540, because all of those have been fixed ;)
Here's my perl:
Summary of my perl5 (revision 5 version 25 subversion 5) configuration:
Characteristics of this binary (from libperl):
--
From @geeknik
I believe I already reported this to the security queue.
On Friday, September 2, 2016, Dan Collins <perlbug-followup@perl.org> wrote:
The RT System itself - Status changed from 'new' to 'open'
From @cpansprout
On Fri Sep 02 13:38:21 2016, dcollinsn@gmail.com wrote:
Wrong error message. delimcpy (used to find the end of the `\... after <<) is going one byte past the end of the buffer passed to it, because the trailing null is ‘escaped’ with a backslash. delimcpy needs fixing. scan_heredoc perfectly reasonably croaks only if s==PL_bufend, since if s<PL_bufend the terminating ` was found. In this case s>PL_bufend, which would not happen with a properly functioning delimcpy.
--
Father Chrysostomos
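The over-run described above, shown in an added C example that is not Perl's own delimcpy (the real function's signature and the actual fix differ): a hypothetical delimcpy_unsafe treats a trailing backslash as an escape and so stops one byte past fromend, the condition scan_heredoc's s==PL_bufend check cannot catch, beside a delimcpy_safe that honours an escape only when a byte follows it inside the range. The function names, the stop_offset helper and the constructed inputs are assumptions for this illustration.

```c
#include <string.h>

/* Hypothetical reconstruction of the pre-fix logic (not Perl's actual code):
 * copy [from, fromend) into `to` up to the first unescaped `delim` and return
 * where scanning stopped. If the last byte is '\\', it reads from[1], which is
 * fromend[0], and then advances past fromend. */
static const char *
delimcpy_unsafe(char *to, const char *toend, const char *from,
                const char *fromend, int delim)
{
    for (; from < fromend; from++) {
        if (*from == '\\') {
            if (from[1] != delim && to < toend)   /* from[1] may be *fromend */
                *to++ = *from;
            from++;                               /* may now equal fromend */
        }
        else if (*from == delim)
            break;
        if (to < toend) *to++ = *from;            /* reads *fromend in that case */
    }
    if (to < toend) *to = '\0';
    return from;                                  /* may be fromend + 1 */
}

/* Hardened variant: a backslash escapes only when a byte follows it inside the
 * range; a trailing '\\' is copied literally and scanning stops exactly at
 * fromend, so a caller's "s == bufend" check reports the missing terminator. */
static const char *
delimcpy_safe(char *to, const char *toend, const char *from,
              const char *fromend, int delim)
{
    for (; from < fromend; from++) {
        if (*from == '\\' && from + 1 < fromend) {
            if (from[1] != delim && to < toend)
                *to++ = *from;
            from++;
        }
        else if (*from == delim)
            break;
        if (to < toend) *to++ = *from;
    }
    if (to < toend) *to = '\0';
    return from;
}

/* Demo helper: bytes past the end of `s` at which the chosen variant stops
 * (0 = exactly at the end, negative = a delimiter was found). `s` is a
 * NUL-terminated constructed input, so the over-read stays inside the array;
 * the copy is left in last_copy for inspection. */
static char last_copy[64];
static long stop_offset(int use_safe, const char *s, int delim)
{
    const char *end = s + strlen(s), *oe = last_copy + sizeof last_copy;
    const char *stop = use_safe ? delimcpy_safe(last_copy, oe, s, end, delim)
                                : delimcpy_unsafe(last_copy, oe, s, end, delim);
    return (long)(stop - end);
}
```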
From @iabyn
On Fri, Sep 02, 2016 at 10:31:37PM -0700, Father Chrysostomos via RT wrote:
Note that I already have a fix worked up for this; I can't apply it yet
--
From @cpansprout
On Mon Sep 05 06:13:44 2016, davem wrote:
It doesn’t conflict with ba0a415, does it?
--
Father Chrysostomos
From @iabyn
On Mon, Sep 05, 2016 at 06:41:12AM -0700, Father Chrysostomos via RT wrote:
Almost certainly :-)
--
From @cpansprout
On Mon Sep 05 07:45:59 2016, davem wrote:
Let me guess, it’s probably something like:
- if (allow_escape && *from == '\\') {
--
Father Chrysostomos
From @iabyn
On Mon, Sep 05, 2016 at 09:36:54AM -0700, Father Chrysostomos via RT wrote:
might be ;-) (plus tests of course)
--
From @iabyn
On Tue, Sep 06, 2016 at 08:37:46AM +0100, Dave Mitchell wrote:
Now fixed with 19e1655. I took the liberty of also doing this:
commit 31ee10f
rename S_delimcpy() to S_delimcpy_intern()
--
@iabyn - Status changed from 'open' to 'pending release'
From @khwilliamson
Thank you for filing this report. You have helped make Perl better. With the release today of Perl 5.26.0, this and 210 other issues have been
Perl 5.26.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#129176 (status was 'resolved')
Searchable as RT129176