heap-buffer-overflow (READ of size 1) in S_scan_const (toke.c:3060) #16189
Comments
From @geeknik
Triggered in 1195d90. Not a security concern as per Hugo in #129342 which

./perl -e 'y//\N{}-0/'
==3236==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000eef
is located 1 bytes to the left of 10-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/toke.c:3060:33

The unminimized version of this testcase results in a slightly different

./perl -e 'y/+4N{U0220}/\N{}-\N{U+400220}/\N{U+402<0}/c[rp'
==4003==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000006cf
is located 1 bytes to the left of 19-byte region
SUMMARY: AddressSanitizer: heap-buffer-overflow
From @tonycoz
On Sun, 08 Oct 2017 03:41:21 -0700, brian.carpenter@gmail.com wrote:

The first attached patch fixes this for me. The second fixes an SV leak in the same area of code.

Tony
From @tonycoz
0001-perl-132245-don-t-try-to-process-a-char-range-with-n.patch

From 92ecd10d32742cd35f6ac53c77a6c51b50db0e81 Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 19 Oct 2017 10:46:04 +1100
Subject: (perl #132245) don't try to process a char range with no preceding
char
A range like \N{}-0 eventually results in compilation failing, but
before that, get_and_check_backslash_N_name() attempts to treat
the memory before the empty output of \N{} as a character.
---
t/lib/croak/toke | 6 ++++++
toke.c | 6 +++---
2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/t/lib/croak/toke b/t/lib/croak/toke
index 87d9580..1a7468f 100644
--- a/t/lib/croak/toke
+++ b/t/lib/croak/toke
@@ -413,3 +413,9 @@ EXPECT
Illegal operator following parameter in a subroutine signature at - line 3, near "($a += 1"
syntax error at - line 3, near "($a += 1"
Execution of - aborted due to compilation errors.
+########
+# NAME tr/// range with empty \N{} at the start
+tr//\N{}-0/;
+EXPECT
+Unknown charname '' at - line 1, within string
+Execution of - aborted due to compilation errors.
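Review bot: the new croak test covers only the minimized reproducer `tr//\N{}-0/`; the report also gives an unminimized input (`y/+4N{U0220}/\N{}-\N{U+400220}/\N{U+402<0}/c[rp`) that reaches the same empty-`\N{}`-then-hyphen condition in the second operand and reportedly produced a slightly different ASan report (19-byte region). Adding it as a second case here would pin down that the operand position does not matter to the fix.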
diff --git a/toke.c b/toke.c
index 46dba4d..79be40c 100644
--- a/toke.c
+++ b/toke.c
@@ -2969,9 +2969,9 @@ S_scan_const(pTHX_ char *start)
/* Here, we don't think we're in a range. If the new character
* is not a hyphen; or if it is a hyphen, but it's too close to
- * either edge to indicate a range, then it's a regular
- * character. */
- if (*s != '-' || s >= send - 1 || s == start) {
+ * either edge to indicate a range, or if we haven't output any
+ * characters yet then it's a regular character. */
+ if (*s != '-' || s >= send - 1 || s == start || d == SvPVX(sv)) {
/* A regular character. Process like any other, but first
* clear any flags */
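Review bot: the added `d == SvPVX(sv)` term is the right check, and the existing `s == start` test alone could never catch this case: `\N{}` advances `s` past `start` while emitting nothing into `sv`, so the old guard saw a hyphen that was neither at the input start nor at the input end and fell through to range handling, which then reads the previous emitted character from before `SvPVX(sv)`. Suggest the comment name the trigger so the next reader knows why an output-position check sits beside the input-position one, e.g. `* characters yet (e.g. the operand began with an empty \N{}), then`.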
--
2.1.4
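To make the commit message's point concrete, here is a toy model in C of the range guard, added as an illustration and not Perl's code: the pre-patch check keys on the input position (`s == start`), which an empty `\N{}` defeats because it advances the input without emitting anything, while the patched check also keys on the output position (`d == SvPVX(sv)`, modelled here as `d == out`). The names `scan_ranges`, `scan_result`, `scan_yields`, `RANGE_UNDERFLOW` and the 64-byte buffers are the example's own; the sample input is constructed from the report's `tr//\N{}-0/`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Toy model of the range guard in S_scan_const, added here to illustrate
 * the bug class; this is not Perl's code.  The input is the body of one
 * tr/// operand.  The only escape modelled is an empty "\N{}", which, as
 * in the report, consumes input but emits nothing.  A '-' that sits
 * between two emitted characters marks a range; any other '-' is a
 * literal character.
 */
enum {
    RANGE_UNDERFLOW = -1,   /* a range would have read before the output buffer */
    RANGE_OUTFULL   = -2    /* caller's output buffer too small */
};

/*
 * Scan src[0..len) into out, returning the number of ranges seen.
 * fixed == 0: the guard keys only on the input position (s == start),
 *             mirroring the pre-patch check.
 * fixed != 0: the guard also keys on the output position (d == out),
 *             mirroring the patch's added "d == SvPVX(sv)" term.
 */
static int scan_ranges(const char *start, size_t len, int fixed,
                       char *out, size_t outcap, size_t *outlen)
{
    const char *s = start, *send = start + len;
    char *d = out;
    int ranges = 0;

    /* Output never exceeds input, so this bound is sufficient (+1 for NUL). */
    if (outcap < len + 1)
        return RANGE_OUTFULL;

    while (s < send) {
        if ((size_t)(send - s) >= 4 && memcmp(s, "\\N{}", 4) == 0) {
            s += 4;                 /* consumes input, emits nothing */
            continue;
        }

        /* Pre-patch guard: a hyphen at the start or end of input is literal. */
        int literal = (*s != '-' || s >= send - 1 || s == start);
        /* Patched guard: also literal when nothing has been emitted yet. */
        if (fixed)
            literal = literal || d == out;

        if (literal) {
            *d++ = *s++;
            continue;
        }

        /*
         * Range path.  The real code inspects the previously emitted
         * character, d[-1].  With an empty output buffer that address is
         * one byte before the allocation, which is what the ASan report
         * in the issue shows.  The toy refuses instead of reading.
         */
        if (d == out)
            return RANGE_UNDERFLOW;
        ranges++;
        s++;                        /* skip '-'; the range end is emitted as a literal */
    }

    *outlen = (size_t)(d - out);
    return ranges;
}

/* Run the scanner over a C string; returns the range count or a negative code. */
static int scan_result(const char *src, int fixed)
{
    char buf[64];
    size_t n = 0;
    return scan_ranges(src, strlen(src), fixed, buf, sizeof buf, &n);
}

/* 1 if scanning src emits exactly `expect` without error, else 0. */
static int scan_yields(const char *src, int fixed, const char *expect)
{
    char buf[64];
    size_t n = 0;
    int r = scan_ranges(src, strlen(src), fixed, buf, sizeof buf, &n);
    if (r < 0)
        return 0;
    buf[n] = '\0';
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    /* Constructed from the report's reproducer tr//\N{}-0/ (the first operand body). */
    const char *reproducer = "\\N{}-0";
    printf("pre-patch guard: %d\n", scan_result(reproducer, 0));  /* -1: underflow */
    printf("patched guard:   %d\n", scan_result(reproducer, 1));  /* 0: '-' is a literal */
    return 0;
}
```

The interesting comparison is `scan_result("\\N{}-0", 0)` against `scan_result("\\N{}-0", 1)`: the unpatched guard reaches the range path with an empty output buffer, while the patched guard treats the hyphen as a literal, which is the behaviour the croak test in the first patch then reports as `Unknown charname ''`.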
From @tonycoz
0002-perl-132245-don-t-leak-on-N.patch

From a24241f5473549aee40d36bedbd6a714a81a110f Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Thu, 19 Oct 2017 10:47:22 +1100
Subject: (perl #132245) don't leak on \N{}
get_and_check_backslash_N_name() failed to free its working SV if
the name was empty.
---
t/op/svleak.t | 7 ++++++-
toke.c | 1 +
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/t/op/svleak.t b/t/op/svleak.t
index e4e881d..7226dd8 100644
--- a/t/op/svleak.t
+++ b/t/op/svleak.t
@@ -15,7 +15,7 @@ BEGIN {
use Config;
-plan tests => 141;
+plan tests => 142;
# run some code N times. If the number of SVs at the end of loop N is
# greater than (N-1)*delta at the end of loop 1, we've got a leak
@@ -593,3 +593,8 @@ EOF
}
::leak(2, 0, \&named, "Perl_reg_named_buff_fetch() on no-name RE");
}
+
+{
+ sub N_leak { eval 'tr//\N{}-0/' }
+ ::leak(2, 0, \&N_leak, "a bad \\N{} in a range leaks");
+}
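Review bot: the description string `"a bad \\N{} in a range leaks"` reads as asserting that the leak exists, whereas the neighbouring tests describe the thing being checked (e.g. `"Perl_reg_named_buff_fetch() on no-name RE"`); something like `"empty \\N{} at the start of a tr/// range"` would match that convention. Also note this test is only meaningful on top of the first patch: without it the same `tr//\N{}-0/` input triggers the out-of-bounds read in S_scan_const rather than a clean leak measurement. The toke.c hunk below is based on that patch's result (index 79be40c), so the ordering is enforced, but the commit message could say so.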
diff --git a/toke.c b/toke.c
index 79be40c..58a651b 100644
--- a/toke.c
+++ b/toke.c
@@ -2595,6 +2595,7 @@ S_get_and_check_backslash_N_name(pTHX_ const char* s, const char* const e)
PERL_ARGS_ASSERT_GET_AND_CHECK_BACKSLASH_N_NAME;
if (!SvCUR(res)) {
+ SvREFCNT_dec_NN(res);
/* diag_listed_as: Unknown charname '%s' */
yyerror("Unknown charname ''");
return NULL;
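Review bot: releasing `res` before `yyerror()` is safe here because the message is a literal and no longer references the SV, and `SvREFCNT_dec_NN` is appropriate since `res` is known non-NULL at this point (`SvCUR(res)` has just dereferenced it). Since the commit message attributes the leak only to the empty-name path, it would be worth confirming that the function's other early-return paths (outside this hunk) already free `res`; if any do not, the same one-line fix applies there.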
--
2.1.4
The RT System itself - Status changed from 'new' to 'open'
From @tonycoz
On Wed, 18 Oct 2017 16:55:37 -0700, tonyc wrote:

Applied as e8d55f2 and ebcc725.

Tony
@tonycoz - Status changed from 'open' to 'pending release'
From @khwilliamson
Thank you for filing this report. You have helped make Perl better.

With the release yesterday of Perl 5.28.0, this and 185 other issues have been

Perl 5.28.0 may be downloaded via:

If you find that the problem persists, feel free to reopen this ticket.
@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#132245 (status was 'resolved')
Searchable as RT132245$