heap-buffer-overflow Perl_sv_vcatpvfn_flags (sv.c:12912) #15599
Comments
From @geeknik
The attached test case triggers a heap-use-after-free in Perl_yylex.
od -tx1 test16
=================================================================
0x60200000e276 is located 6 bytes inside of 10-byte region previously allocated by thread T0 here:
SUMMARY: AddressSanitizer: heap-use-after-free /root/perl/toke.c:4880
From @geeknik
The attached test case triggers a heap-buffer-overflow.
od -tx1 test17
==21100==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400000a40e is located 2 bytes to the left of 48-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
From @hvds
A shorter test case (failure indicated by "column -1"):
% perl -le 'print "stat t\$#\x{10}"' | ./miniperl
This is a lexer issue that I do not have sufficient knowledge to fix: at the point toke.c:4910 wants to report that \x{10} is an unrecognized character, PL_linestart is already pointing at the following line. This was advanced by S_intuit_method calling skipspace() at the '#' after seeing the '$', which skipspace then treated as a comment.
I don't think this is likely to be a security concern.
Hugo
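The mechanism hvds describes, as an added example that is not Perl's toke.c and not code from anyone on this ticket: a miniature lexer whose skipspace() treats '#' as a comment introducer and advances the line anchor whenever it crosses a newline, and whose intuit_method-style lookahead rewinds the read position but not the anchor. Lexing "stat t$#\x10" with the unguarded lookahead leaves the anchor on the next line, so the column reported for the unrecognized byte is negative; with the isSPACE guard in front of the lookahead the column is correct, while a '#' that follows whitespace is still a comment. All names (Lexer, skipspace, peek_after_dollar, column_of_bad_char, NO_BAD_CHAR) and the input strings are constructed for this example.

```c
/* Added example, not Perl's toke.c: a toy lexer reproducing the
 * "column -1" effect.  skipspace() eats blanks, newlines and '#'
 * comments and moves lx->linestart on every newline; that side effect
 * survives the lookahead's rewind, so an error reported afterwards on
 * the original line computes a negative column. */
#include <ctype.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

#define NO_BAD_CHAR LONG_MAX   /* returned when no unrecognized byte exists */

typedef struct {
    const char *linestart;     /* start of the current line (PL_linestart analogue) */
} Lexer;

/* Skip whitespace and '#'-to-end-of-line comments, advancing the line
 * anchor each time a newline is consumed. */
static const char *skipspace(Lexer *lx, const char *s)
{
    for (;;) {
        if (*s == '#') {
            while (*s && *s != '\n')
                s++;                   /* comment: eat to end of line */
        } else if (*s == '\n') {
            s++;
            lx->linestart = s;         /* side effect that outlives the lookahead */
        } else if (*s == ' ' || *s == '\t') {
            s++;
        } else {
            return s;
        }
    }
}

/* Lookahead done right after a '$', shaped like S_intuit_method:
 * guard == 0 always calls skipspace() (pre-patch behaviour);
 * guard == 1 only does so when the next byte is whitespace (the shape
 * of the fix).  The caller rewinds to just after '$' either way. */
static void peek_after_dollar(Lexer *lx, const char *s, int guard)
{
    if (!guard || isspace((unsigned char)*s))
        (void)skipspace(lx, s);
}

/* Lex src and return the column the error reporter would compute for the
 * first unrecognized (non-printable) byte, or NO_BAD_CHAR if none. */
static long column_of_bad_char(const char *src, int guard)
{
    Lexer lx = { src };
    const char *s = src;

    while (*s) {
        unsigned char c = (unsigned char)*s;
        if (c == '\n') {
            s++;
            lx.linestart = s;
        } else if (c == '#') {
            while (*s && *s != '\n')
                s++;                   /* ordinary comment */
        } else if (c == '$') {
            peek_after_dollar(&lx, s + 1, guard);
            s++;                       /* rewind: resume right after '$' */
            if (*s == '#')
                s++;                   /* "$#" is the array-length sigil, not a comment */
        } else if (isprint(c) || c == '\t') {
            s++;                       /* ordinary token byte */
        } else {
            /* "Unrecognized character": column is s - linestart; negative
             * here means the anchor has already moved to the next line. */
            return (long)(s - lx.linestart);
        }
    }
    return NO_BAD_CHAR;
}

int main(void)
{
    /* constructed input: hvds's test case followed by one more line */
    static const char *const src = "stat t$#\x10\nnext\n";
    printf("unguarded column: %ld\n", column_of_bad_char(src, 0));
    printf("guarded   column: %ld\n", column_of_bad_char(src, 1));
    return 0;
}
```

The negative column is the value a real lexer would then hand to its error formatter as a length or offset, which is where a sanitizer report in an sv formatting routine becomes plausible; the toy stops at returning the number. The guarded variant still treats "$ #..." as a comment because skipspace() is called once whitespace is seen, so the guard only removes the one path in which '#' immediately follows '$'.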
The RT System itself - Status changed from 'new' to 'open'
From @hvds
I think this has the same root cause as #129274, just taking a different route after the call to skipspace() from intuit_method().
Hugo
The RT System itself - Status changed from 'new' to 'open'
From @tonycoz
On Wed, 05 Oct 2016 06:04:14 -0700, hv wrote:
I agree, so I've moved the ticket to the public queue. Treating the # immediately following the $ as a comment in
I don't think this fixes the base issue though - I'm not sure
Tony
From @tonycoz
Attachment: 0001-perl-129274-avoid-treating-the-in-as-a-comment-intro.patch
From e30a508ca4fb9d4cd2164e495ea9f76420d6dae4 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 30 Nov 2016 15:28:16 +1100
Subject: (perl #129274) avoid treating the # in $# as a comment intro
---
toke.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/toke.c b/toke.c
index 11abf2b..2a7b374 100644
--- a/toke.c
+++ b/toke.c
@@ -4092,7 +4092,9 @@ S_intuit_method(pTHX_ char *start, SV *ioname, CV *cv)
if (cv || PL_last_lop_op == OP_PRINT || PL_last_lop_op == OP_SAY
|| isUPPER(*PL_tokenbuf))
return 0;
- s = skipspace(s);
+ /* this could be $# */
+ if (isSPACE(*s))
+ s = skipspace(s);
PL_bufptr = start;
PL_expect = XREF;
return *s == '(' ? FUNCMETH : METHOD;
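Review bot: the new `isSPACE(*s)` guard closes only the `$#` route into the underlying problem, which is that skipspace() moves PL_linestart as a side effect of a lookahead while `PL_bufptr = start;` two lines later rewinds the read position without restoring the line anchor; any other way of reaching skipspace() from here that crosses a newline still leaves toke.c:4910 computing a column relative to the wrong line, and the thread above already says this does not fix the base issue. Consider saving and restoring PL_linestart around the lookahead (or documenting in the comment why that is not needed), and expand `/* this could be $# */` to say what goes wrong: skipspace() would take the `#` as a comment introducer. One behaviour change worth a test: `isSPACE` is false for the NUL at the end of the buffer, so where skipspace() previously could read further input before the `*s == '('` check, the code now answers METHOD without looking ahead; a bareword followed by `$var` as the final line of input with no trailing newline would show whether that matters.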
--
2.1.4
From @tonycoz
On Tue, 29 Nov 2016 20:31:40 -0800, tonyc wrote:
I spent some time trying to make this crash with my patch in place but couldn't manage it.
I've applied my patch (with a test added) as 71776ae.
Please open a new ticket if you manage to find a similar issue this commit
Closing this ticket.
Tony
@tonycoz - Status changed from 'open' to 'pending release'
From @tonycoz
On Thu, 06 Oct 2016 07:17:42 -0700, hv wrote:
I agree, merging into 129274, which is public and fixed/closed.
Tony
From @khwilliamson
Thank you for filing this report. You have helped make Perl better.
With the release today of Perl 5.26.0, this and 210 other issues have been
Perl 5.26.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#129274 (status was 'resolved')
Searchable as RT129274$