SEGV on wraparound #14490

Closed
p5pRT opened this issue Feb 10, 2015 · 5 comments

@p5pRT p5pRT commented Feb 10, 2015

Migrated from rt.perl.org#123782 (status was 'resolved')

Searchable as RT123782$

@p5pRT p5pRT commented Feb 10, 2015

From @hvds

% miniperl -ce '/(?7777777777)/'
Segmentation fault (core dumped)
%

Found by AFL (<http://lcamtuf.coredump.cx/afl>).

This is caused by integer wraparound on a UV to I32 conversion; will add a fix shortly.

@p5pRT p5pRT commented Feb 10, 2015

From @hvds

Now fixed with b3725d4:

  [perl #123782] regcomp: check for overflow on /(?123)/
 
  AFL (<http://lcamtuf.coredump.cx/afl>) found that the UV to I32 conversion
  can evade the necessary range checks on wraparound, leading to bad reads.
 
  Check for it, and force to I32_MAX, expecting that this will usually
  yield a "Reference to nonexistent group" error.

Hugo
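
The wraparound and the clamp described in the commit message above, as an added C sketch that is not Perl's own regcomp code: `uint64_t` and `int32_t` stand in for UV and I32, and `parse_uv`, `group_unchecked`, `group_checked`, `in_range` and `N_GROUPS` are hypothetical names, with an upper-bound-only range check assumed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define N_GROUPS 3 /* constructed: capture groups in a hypothetical pattern */

/* Parse decimal digits into a 64-bit unsigned value (stand-in for a UV),
 * saturating at UINT64_MAX rather than overflowing. */
static uint64_t parse_uv(const char *s) {
    uint64_t v = 0;
    for (; *s >= '0' && *s <= '9'; s++) {
        uint64_t d = (uint64_t)(*s - '0');
        if (v > (UINT64_MAX - d) / 10) return UINT64_MAX;
        v = v * 10 + d;
    }
    return v;
}

/* Before: narrow straight to a signed 32-bit value (stand-in for an I32).
 * Out-of-range conversion is implementation-defined; gcc and clang reduce
 * modulo 2^32, so a large number can come out negative. */
static int32_t group_unchecked(const char *digits) {
    return (int32_t)parse_uv(digits);
}

/* After: clamp to INT32_MAX before narrowing, the approach the commit
 * message describes ("force to I32_MAX"). */
static int32_t group_checked(const char *digits) {
    uint64_t v = parse_uv(digits);
    return v > (uint64_t)INT32_MAX ? INT32_MAX : (int32_t)v;
}

/* Assumed range check for illustration: upper bound only. Returns 1 when
 * num would be accepted as an existing group. */
static int in_range(int32_t num) {
    return num <= N_GROUPS;
}

int main(void) {
    const char *digits = "7777777777"; /* the number from the report */
    int32_t a = group_unchecked(digits), b = group_checked(digits);
    printf("unchecked: %d accepted=%d\n", a, in_range(a));
    printf("checked:   %d accepted=%d\n", b, in_range(b));
    return 0;
}
```

With the clamp, the oversized number stays larger than any real group count, so the range check rejects it instead of passing a wrapped negative value on as an index.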

@p5pRT p5pRT commented Feb 10, 2015

@hvds - Status changed from 'new' to 'pending release'

@p5pRT p5pRT commented Jun 2, 2015

From @khwilliamson

Thank you for submitting this ticket.

The issue should now be resolved with the release today of Perl v5.22, which is available at http://www.perl.org/get.html
--
Karl Williamson for the Perl 5 team

@p5pRT p5pRT commented Jun 2, 2015

@khwilliamson - Status changed from 'pending release' to 'resolved'
