Front page | perl.perl5.porters |
Postings from July 2013
Re: upcoming release of 5.18.1
From: Nicholas Clark
Date: July 25, 2013 09:42
Subject: Re: upcoming release of 5.18.1
Message ID: 20130725094239.GP3729@plum.flirble.org
On Wed, Jul 24, 2013 at 12:51:54AM -0400, Ricardo Signes wrote:
>
> We are due for a release of maint-5.18. This ticket is meant to list blockers:
>
> https://rt.perl.org/rt3/Ticket/Display.html?id=118437
>
> Currently, none are listed. If there are commits to nominate for backporting,
> please name them now so they can be discussed and either cherry picked or not.
Technically we should consider this commit, because it fixes a read of freed
memory, albeit in very obscure cases. However, if we go for it, we should drop
the assert() from the code, and I'm not sure how the tests stack up.
commit d8fe30adb48694ba33b463f653894093f743a8f0
Author: Nicholas Clark <nick@ccl4.org>
Date: Thu Jun 27 18:09:32 2013 +0200
Avoid read-after-free in S_scan_heredoc() if the terminator line has no "\n".
The code added by commit 112d128413206514 to fix RT #65838 (Allow here-doc
with no final newline) could in some rare cases cause a read of free()d
memory during parsing. The code itself is only run if the Perl program
ends with a heredoc (which is an unusual structure), and if the last line of
the file on disk has no terminating newline character (which is also unusual,
as many editors default to adding a final newline). The bug would be
triggered if the fixup code in S_scan_heredoc() triggered a reallocation of
the buffer in PL_linestr when adding a newline to it.
diff --git a/t/op/heredoc.t b/t/op/heredoc.t
index 08b0af2..a239e92 100644
--- a/t/op/heredoc.t
+++ b/t/op/heredoc.t
@@ -7,7 +7,7 @@ BEGIN {
}
use strict;
-plan(tests => 9);
+plan(tests => 39);
# heredoc without newline (#65838)
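Review bot: the new count in `plan(tests => 39)` is only right while the loop added in the next hunk runs exactly 31 times (one test removed, 31 added, net +30), and nothing in the file ties the two numbers together. Consider hoisting the loop bound into a named variable near the top of the file and deriving the plan count from it, or at least leaving a comment next to `plan` saying where the 31 comes from, so a later change to the range does not silently break the plan.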
@@ -69,12 +69,19 @@ HEREDOC
"string terminator must start at newline"
);
- fresh_perl_like(
- "print <<;\nno more newlines",
- qr/find string terminator/,
- { switches => ['-X'] },
- "empty string terminator still needs a newline"
- );
+ # Loop over various lengths to try to force at least one to cause a
+ # reallocation in S_scan_heredoc()
+ # Timing on a modern machine suggests that this loop executes in less than
+ # 0.1s, so it's a very small cost for the default build. The benefit is
+ # that building with ASAN will reveal the bug and any related regressions.
+ for (1..31) {
+ fresh_perl_like(
+ "print <<;\n" . "x" x $_,
+ qr/find string terminator/,
+ { switches => ['-X'] },
+ "empty string terminator still needs a newline (length $_)"
+ );
+ }
fresh_perl_like(
"print <<ThisTerminatorIsLongerThanTheData;\nno more newlines",
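Review bot: the comment justifies the cost of the loop but not the choice of `1..31` as its range; since the whole point is to straddle an allocation boundary inside S_scan_heredoc(), the comment should say what granularity the range is meant to cover, otherwise a future cleanup can trim it to a "representative" handful of lengths and lose the one that reallocates. The comment also concedes that a default build passes these tests whether or not the read-after-free is present, so this is a regression test only under ASAN; stating that in the test name or comment (e.g. "exercised by ASAN builds") would tell the next reader not to expect a failure from a plain `make test`.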
diff --git a/toke.c b/toke.c
index 2ab2a71..1781899 100644
--- a/toke.c
+++ b/toke.c
@@ -10172,8 +10172,11 @@ S_scan_heredoc(pTHX_ char *s)
}
CopLINE_set(PL_curcop, (line_t)PL_multi_start - 1);
if (!SvCUR(PL_linestr) || PL_bufend[-1] != '\n') {
- lex_grow_linestr(SvCUR(PL_linestr) + 2);
+ s = lex_grow_linestr(SvLEN(PL_linestr) + 3);
+ /* ^That should be enough to avoid this needing to grow: */
sv_catpvs(PL_linestr, "\n\0");
+ assert(s == SvPVX(PL_linestr));
+ PL_bufend = SvEND(PL_linestr);
}
s = PL_bufptr;
#ifdef PERL_MAD
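Review bot: `assert(s == SvPVX(PL_linestr))` is the line the covering e-mail says should be dropped for maint, and once it goes the new `s = lex_grow_linestr(...)` assignment becomes dead code, because `s = PL_bufptr;` two lines later overwrites it; either keep the assignment together with the assert, or drop both and replace the assert with a comment explaining why `SvLEN(PL_linestr) + 3` guarantees that `sv_catpvs` cannot reallocate. The substantive fix here is `PL_bufend = SvEND(PL_linestr);`, since the end pointer lex_grow_linestr() sets is computed before `sv_catpvs` appends its two bytes, so that line deserves a comment more than the assert does. Finally, growing from `SvLEN` rather than `SvCUR` over-reserves by whatever slack the buffer already has; if that is deliberate (to make "cannot reallocate" obvious by construction), say so in the comment, because the old `SvCUR(PL_linestr) + 2` reads like the intended sizing and a reader may "fix" it back.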
Nicholas Clark
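As an added illustration, not part of this e-mail, of the commit, or of perl's source, here is a small C model of the failure mode the commit message describes: the parser caches a raw pointer (`PL_bufend`) into a growable buffer, an SV-level append reallocates the buffer without the parser's knowledge, and the cached pointer is left dangling. Everything in it is constructed for the example: the `linebuf` struct, the assumed `GRAIN` allocation granularity, and the `sv_grow_`, `sv_cat_`, `lex_grow_`, `fixup_before`, `fixup_after`, `bufend_dangles` and `count_stale` functions model the shape of the pre- and post-patch code, not perl's actual SV or lexer internals. Looping over lengths 1..31, as the new test does, shows that the pre-patch shape leaves the pointer dangling for exactly those lengths where the append lands on a granule boundary, while the post-patch shape never does.

```c
#include <assert.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the lexer's line buffer (not perl's code): buf/cur/len
 * stand in for SvPVX/SvCUR/SvLEN, and bufend for PL_bufend, a raw pointer the
 * parser caches and which only stays valid while buf does not move. */
typedef struct {
    char  *buf;
    size_t cur;     /* bytes in use, excluding the trailing NUL */
    size_t len;     /* bytes allocated */
    char  *bufend;  /* cached buf + cur; dangles if buf is reallocated */
} linebuf;

/* Assumed allocation granularity: it gives some lengths spare room and others
 * none, which is what makes the bug depend on the length of the last line. */
#define GRAIN 8
static size_t round_up(size_t n) { return (n + GRAIN - 1) / GRAIN * GRAIN; }

/* SV-level grow: knows nothing about the parser's cached pointers. The new
 * block is allocated before the old one is freed, so a move always changes
 * the address, which keeps the demo deterministic. */
static void sv_grow_(linebuf *lb, size_t need) {
    if (lb->len >= need) return;
    size_t newlen = round_up(need);
    char *nb = malloc(newlen);
    if (!nb) abort();
    memcpy(nb, lb->buf, lb->cur + 1);
    free(lb->buf);                 /* anything still pointing here dangles */
    lb->buf = nb;
    lb->len = newlen;
}

/* Like sv_catpvs(): append n bytes plus a trailing NUL, growing if needed. */
static void sv_cat_(linebuf *lb, const char *s, size_t n) {
    sv_grow_(lb, lb->cur + n + 1);
    memcpy(lb->buf + lb->cur, s, n);
    lb->cur += n;
    lb->buf[lb->cur] = '\0';
}

/* Parser-level grow, like lex_grow_linestr(): grows, then re-derives the
 * cached end pointer from the possibly new base. Returns the base. */
static char *lex_grow_(linebuf *lb, size_t need) {
    sv_grow_(lb, need);
    lb->bufend = lb->buf + lb->cur;
    return lb->buf;
}

/* Buffer holding n bytes of 'x' and no trailing newline, like the test input. */
static void lb_init(linebuf *lb, size_t n) {
    lb->len = round_up(n + 1);
    lb->buf = malloc(lb->len);
    if (!lb->buf) abort();
    memset(lb->buf, 'x', n);
    lb->buf[n] = '\0';
    lb->cur = n;
    lb->bufend = lb->buf + n;
}

/* Pre-patch shape: reserve cur + 2, then append "\n\0". Two bytes plus the
 * NUL that sv_cat_ writes need cur + 3, so when the buffer has no slack the
 * append itself reallocates behind the parser's back; bufend is not refreshed. */
static void fixup_before(linebuf *lb) {
    lex_grow_(lb, lb->cur + 2);
    sv_cat_(lb, "\n\0", 2);
}

/* Post-patch shape: reserve enough that the append cannot move the buffer,
 * assert that it did not, and refresh the cached end pointer regardless. */
static void fixup_after(linebuf *lb) {
    char *s = lex_grow_(lb, lb->len + 3);
    sv_cat_(lb, "\n\0", 2);
    assert(s == lb->buf);          /* the append must not have reallocated */
    lb->bufend = lb->buf + lb->cur;
}

/* 1 if the cached end pointer lies outside the current allocation, i.e. it
 * still points into the freed block. Compared as integers so nothing is
 * dereferenced; the real bug reads through it, which is what ASAN catches. */
static int bufend_dangles(const linebuf *lb) {
    uintptr_t p = (uintptr_t)lb->bufend, lo = (uintptr_t)lb->buf;
    return p < lo || p >= lo + lb->len;
}

/* Mirrors the test's loop over lengths 1..maxlen: how many initial lengths
 * leave bufend dangling after the fixup? */
static int count_stale(size_t maxlen, int patched) {
    int stale = 0;
    for (size_t n = 1; n <= maxlen; n++) {
        linebuf lb;
        lb_init(&lb, n);
        if (patched) fixup_after(&lb); else fixup_before(&lb);
        stale += bufend_dangles(&lb);
        free(lb.buf);
    }
    return stale;
}
```

With the assumed granularity of 8, `count_stale(31, 0)` returns 4 (lengths 6, 14, 22 and 30, the ones where `cur + 2` exactly fills the allocation and the append has to grow it), and `count_stale(31, 1)` returns 0. The model also shows why a test over a range of lengths is needed at all: most lengths happen to have slack, so a single fixed input either hits the boundary by luck or never does.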