develooper Front page | perl.perl5.porters | Postings from February 2015

[perl #123712] Segmentation fault in S_scan_heredoc()

From: Vladimir Lettiev
Date: February 1, 2015 21:26
Subject: [perl #123712] Segmentation fault in S_scan_heredoc()
Message ID: rt-4.0.18-9441-1422825973-1679.123712-75-0@perl.org
# New Ticket Created by  Vladimir Lettiev 
# Please include the string:  [perl #123712]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=123712 >


SIGSEGV testcase:

    $ echo -n '/$a[/<<' | perl
    Use of bare << to mean <<"" is deprecated at - line 1.
    zsh: done                echo -n '/$a[/<<' | 
    zsh: segmentation fault  perl

    (gdb) run
    Program received signal SIGSEGV, Segmentation fault.
    __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:949
    949     ../sysdeps/x86_64/multiarch/memcmp-sse4.S: No such file or directory.

    (gdb) bt
    #0  __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:949
    #1  0x000000000058f2ce in S_scan_heredoc (s=0x0) at toke.c:9274
    #2  Perl_yylex () at toke.c:5891
    #3  0x00000000005bc185 in Perl_yyparse (gramtype=<optimized out>) at perly.c:322
    #4  0x00000000004e2d45 in S_parse_body (xsinit=0x426dc0 <xs_init>, env=0x0) at perl.c:2273
    #5  perl_parse (my_perl=<optimized out>, xsinit=0x426dc0 <xs_init>, argc=<optimized out>, 
        argv=<optimized out>, env=0x0) at perl.c:1607
    #6  0x00000000004269dc in main (argc=2, argv=0x7fffffffe498, env=0x7fffffffe4b0) at perlmain.c:114
    #7  0x00007ffff70d4ec5 in __libc_start_main (main=0x426870 <main>, argc=2, argv=0x7fffffffe498, 
        init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe488)
        at libc-start.c:287
    #8  0x0000000000426cf3 in _start ()

    (gdb) frame 1
    (gdb) list
    9269            }
    9270            linestr = shared->ls_linestr;
    9271            bufend = SvEND(linestr);
    9272            d = s;
    9273            while (s < bufend - len + 1 &&
    9274              memNE(s,PL_tokenbuf,len) ) {
    9275                if (*s++ == '\n')
    9276                    ++PL_parser->herelines;
    9277            }
    9278            if (s >= bufend - len + 1) {

Crash reproduced with perl 5.18, 5.20, 5.21.8.
The bug was found by the afl fuzzer (http://lcamtuf.coredump.cx/afl/).
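Added example in C (not perl's code and not part of the report) modelling the search loop shown in the gdb listing at toke.c:9273-9278: the backtrace shows S_scan_heredoc entered with s=0x0, and the loop's bound check does not reject a NULL start pointer before memNE() (memcmp) reads through it. The names scan_unchecked, scan_checked, sample_body and SAMPLE_END are assumptions for the demo; the checked form shows the validation a parser needs before the comparison.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample body: "EOT" starts at offset 18, after two newlines. */
static const char sample_body[] = "line one\nline two\nEOT\n";
#define SAMPLE_END (sample_body + sizeof sample_body - 1)

/* Unchecked model of the loop in the gdb listing: with s == NULL the test
 * s < bufend - len + 1 still holds and memcmp() dereferences NULL. */
long scan_unchecked(const char *s, const char *bufend, const char *tok,
                    size_t len, long *herelines)   /* herelines may be NULL */
{
    const char *d = s;
    while (s < bufend - len + 1 && memcmp(s, tok, len) != 0) {
        if (*s++ == '\n' && herelines)
            ++*herelines;
    }
    return s >= bufend - len + 1 ? -1 : (long)(s - d);
}

/* Checked form: validate pointers and terminator length before any pointer
 * arithmetic, so a NULL buffer or an over-long terminator never reaches memcmp(). */
long scan_checked(const char *s, const char *bufend, const char *tok,
                  size_t len, long *herelines)
{
    if (!s || !bufend || !tok || s >= bufend || len == 0 ||
        len > (size_t)(bufend - s))
        return -1;
    const char *d = s, *last = bufend - len; /* last possible start of tok */
    while (s <= last && memcmp(s, tok, len) != 0) {
        if (*s++ == '\n' && herelines)
            ++*herelines;
    }
    return s > last ? -1 : (long)(s - d);
}

long sample_herelines(void) /* newlines before the terminator; expect 2 */
{
    long lines = 0;
    scan_checked(sample_body, SAMPLE_END, "EOT", 3, &lines);
    return lines;
}

int main(void)
{
    printf("offset %ld after %ld newlines; NULL buffer -> %ld\n",
           scan_checked(sample_body, SAMPLE_END, "EOT", 3, NULL),
           sample_herelines(), scan_checked(NULL, SAMPLE_END, "EOT", 3, NULL));
    return 0;
}
```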

