develooper Front page | perl.perl5.porters | Postings from February 2015

[perl #123710] Segmentation fault in Perl_sv_setpvn()

From:
Vladimir Lettiev
Date:
February 1, 2015 21:11
Subject:
[perl #123710] Segmentation fault in Perl_sv_setpvn()
Message ID:
rt-4.0.18-2535-1422825062-109.123710-75-0@perl.org
# New Ticket Created by  Vladimir Lettiev 
# Please include the string:  [perl #123710]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=123710 >


A simple test case produced a SIGSEGV:

    $ perl -e '$x|=*x=0'

(gdb) bt
#0  Perl_sv_setpvn (sv=0xe59e10, ptr=0xbe35e9 "", len=0) at sv.c:4915
#1  0x000000000097df87 in Perl_do_vop (optype=94, sv=0xe59e10, left=0xe59e10, right=0xe59df8) at doop.c:1022
#2  0x00000000008478b9 in Perl_pp_bit_or () at pp.c:2257
#3  0x000000000077382b in Perl_runops_standard () at run.c:41
#4  0x00000000004e5e1f in S_run_body (oldscope=1) at perl.c:2423
#5  perl_run (my_perl=<optimized out>) at perl.c:2346
#6  0x0000000000426c7c in main (argc=3, argv=0x7fffffffe488, env=0x7fffffffe4a8) at perlmain.c:116
#7  0x00007ffff70d4ec5 in __libc_start_main (main=0x426870 <main>, argc=3, argv=0x7fffffffe488, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe478)
    at libc-start.c:287
#8  0x0000000000426cf3 in _start ()

(gdb) list
4910        }
4911        SvUPGRADE(sv, SVt_PV);
4912
4913        dptr = SvGROW(sv, len + 1);
4914        Move(ptr,dptr,len,char);
4915        dptr[len] = '\0';
4916        SvCUR_set(sv, len);
4917        (void)SvPOK_only_UTF8(sv);          /* validate pointer */
4918        SvTAINT(sv);
4919        if (SvTYPE(sv) == SVt_PVCV) CvAUTOLOAD_off(sv);


Crash reproduced with perl 5.12, 5.16, 5.18 and 5.21.8.
The bug was found by the afl fuzzer (http://lcamtuf.coredump.cx/afl/).
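As an added example (not part of the ticket or of the perl source), the small POSIX sh harness below does what the reporter did by hand across 5.12 to 5.21.8: it runs a one-line reproducer under each perl binary and classifies the result as a normal exit, a non-zero exit or death by signal, so an afl-found crasher can be kept as a regression check without inspecting a core or a gdb session. The PERLS variable, the crash_status and check_reproducer names and the default of "perl" on PATH are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the ticket: triage the exit status of a
# reproducer so a crash (signal death) is told apart from a plain failure.
# Assumes a POSIX sh; a shell reports a signal-killed child as 128 + signo.

# crash_status CMD...: run CMD quietly and print "ok", "exit:N" or "signal:N".
crash_status() {
    # Run inside `if` so a non-zero status never trips `set -e` in callers.
    if "$@" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -gt 128 ]; then
        echo "signal:$((rc - 128))"     # e.g. 139 -> signal:11 (SIGSEGV)
    else
        echo "exit:$rc"
    fi
}

# check_reproducer: run the ticket's one-liner under each perl in $PERLS
# (whitespace-separated list; constructed default is just "perl" on PATH)
# and print one "binary: status" line per interpreter.
check_reproducer() {
    for p in ${PERLS:-perl}; do
        printf '%s: %s\n' "$p" "$(crash_status "$p" -e '$x|=*x=0')"
    done
}

# Stand-alone use: PERLS="perl5.18 perl5.21.8" sh this_script.sh
[ -n "${CRASH_STATUS_LIB:-}" ] || check_reproducer
```

A fixed perl prints "perl: ok"; an affected one prints "perl: signal:11", which is the same SIGSEGV the backtrace above shows inside Perl_sv_setpvn(). Setting CRASH_STATUS_LIB to any value lets the file be sourced for its functions without running the reproducer.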



