
[perl #123711] Segmentation fault in Perl_pp_subtract()

From: Vladimir Lettiev
Date: February 1, 2015 21:16
Subject: [perl #123711] Segmentation fault in Perl_pp_subtract()
Message ID: rt-4.0.18-9439-1422825358-1585.123711-75-0@perl.org

# New Ticket Created by  Vladimir Lettiev 
# Please include the string:  [perl #123711]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=123711 >


Another testcase:

    $ perl -e '0-5x-l{0}'

(gdb) run
Program received signal SIGSEGV, Segmentation fault.
0x000000000083ef0b in Perl_pp_subtract () at pp.c:1786
1786        tryAMAGICbin_MG(subtr_amg, AMGf_assign|AMGf_numeric);

(gdb) bt
#0  0x000000000083ef0b in Perl_pp_subtract () at pp.c:1786
#1  0x000000000077382b in Perl_runops_standard () at run.c:41
#2  0x00000000004e5e1f in S_run_body (oldscope=1) at perl.c:2423
#3  perl_run (my_perl=<optimized out>) at perl.c:2346
#4  0x0000000000426c7c in main (argc=3, argv=0x7fffffffe488, env=0x7fffffffe4a8) at perlmain.c:116
#5  0x00007ffff70d4ec5 in __libc_start_main (main=0x426870 <main>, argc=3, argv=0x7fffffffe488, 
    init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe478)
    at libc-start.c:287
#6  0x0000000000426cf3 in _start ()

(gdb) list
1781    }
1782
1783    PP(pp_subtract)
1784    {
1785        dSP; dATARGET; bool useleft; SV *svl, *svr;
1786        tryAMAGICbin_MG(subtr_amg, AMGf_assign|AMGf_numeric);
1787        svr = TOPs;
1788        svl = TOPm1s;
1789        useleft = USE_LEFT(svl);
1790    #ifdef PERL_PRESERVE_IVUV

Crash reproduced with perl 5.12, 5.16, 5.18, 5.21.8
Bug was found by afl fuzzer (http://lcamtuf.coredump.cx/afl/)

