# New Ticket Created by Brian Carpenter
# Please include the string:  [perl #127956]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=127956 >

While fuzzing Perl v5.24.0-RC1-2-gde1d2c7 with American Fuzzy Lop, I discovered that perl -e '$0=$.^=*.=$0=0' causes a null pointer dereference and crash. This crash affects Perl v5.14.2 as well.

Program received signal SIGSEGV, Segmentation fault.
Perl_sv_setpvn (sv=sv@entry=0x1201948, ptr=ptr@entry=0xed4da7 "", len=len@entry=0) at sv.c:4896
4896        dptr[len] = '\0';
(gdb) bt
#0  Perl_sv_setpvn (sv=sv@entry=0x1201948, ptr=ptr@entry=0xed4da7 "", len=len@entry=0) at sv.c:4896
#1  0x0000000000c2a6f3 in Perl_do_vop (optype=optype@entry=93, sv=sv@entry=0x1201948, left=left@entry=0x1201948, right=right@entry=0x1201930) at doop.c:1011
#2  0x0000000000a763a1 in Perl_pp_bit_or () at pp.c:2491
#3  0x00000000007ff5d4 in Perl_runops_debug () at dump.c:2239
#4  0x0000000000539034 in S_run_body (oldscope=1) at perl.c:2483
#5  perl_run (my_perl=<optimized out>) at perl.c:2406
#6  0x000000000042eac8 in main (argc=3, argv=0x7fffffffe658, env=0x7fffffffe678) at perlmain.c:116
(gdb) list
4891        }
4892        SvUPGRADE(sv, SVt_PV);
4893
4894        dptr = SvGROW(sv, len + 1);
4895        Move(ptr,dptr,len,char);
4896        dptr[len] = '\0';
4897        SvCUR_set(sv, len);
4898        (void)SvPOK_only_UTF8(sv);                /* validate pointer */
4899        SvTAINT(sv);
4900        if (SvTYPE(sv) == SVt_PVCV) CvAUTOLOAD_off(sv);
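The ticket gives a one-liner and a backtrace but no procedure for checking whether a given perl build is affected. The script below is an added triage helper, not part of Brian Carpenter's report or of the perl project: it runs the reporter's test case against whatever `perl` you point it at, decodes how the process ended (a clean exit versus death by signal, using the usual 128 + signal-number convention), and, when it crashed and gdb is installed, re-runs it under gdb in batch mode to capture a backtrace like the one in the ticket. The `PERL_REPRO` guard variable, the `decode_exit`/`run_case`/`triage` names and the optional use of coreutils `timeout` are my own choices.

```shell
#!/bin/sh
# Added triage helper for [perl #127956]; not code from the ticket or from perl.
# Assumptions: the test case is the one quoted in the ticket; exit statuses
# above 128 mean "killed by signal (status - 128)"; `timeout` and `gdb` are
# optional and only used if present on PATH.

# The reporter's test case, verbatim from the ticket (single quotes: no shell
# expansion of $0 / $. / *.).
REPRO_CODE='$0=$.^=*.=$0=0'

# Translate a shell exit status into a human-readable termination mode.
decode_exit() {
    status=$1
    if [ "$status" -gt 128 ]; then
        sig=$((status - 128))
        case $sig in
            6)  echo "killed by SIGABRT (signal 6)" ;;
            7)  echo "killed by SIGBUS (signal 7)" ;;
            11) echo "killed by SIGSEGV (signal 11)" ;;
            *)  echo "killed by signal $sig" ;;
        esac
    else
        echo "exited with status $status"
    fi
}

# Run the test case once under the given perl binary and return its exit
# status. Output is discarded: only the termination mode matters for triage.
# A 10 second `timeout` (when available) keeps a hang from stalling the run.
run_case() {
    perl_bin=$1
    code=$2
    if command -v timeout >/dev/null 2>&1; then
        timeout 10 "$perl_bin" -e "$code" >/dev/null 2>&1
    else
        "$perl_bin" -e "$code" >/dev/null 2>&1
    fi
}

# Full triage: report how perl terminated and, on a signal death, collect a
# backtrace with gdb in batch mode (run to the fault, print `bt`, exit).
triage() {
    perl_bin=${1:-perl}
    if run_case "$perl_bin" "$REPRO_CODE"; then
        status=0
    else
        status=$?
    fi
    echo "$perl_bin -e '$REPRO_CODE': $(decode_exit "$status")"
    if [ "$status" -gt 128 ] && command -v gdb >/dev/null 2>&1; then
        gdb -batch -ex run -ex bt --args "$perl_bin" -e "$REPRO_CODE" 2>&1 | tail -n 20
    fi
    return "$status"
}

# Only touch perl when explicitly asked, so sourcing this file just defines
# the helpers. Example: PERL_REPRO=1 sh repro.sh /path/to/perl
if [ "${PERL_REPRO:-0}" = 1 ]; then
    triage "${1:-perl}"
fi
```

A build that is affected prints "killed by SIGSEGV (signal 11)" followed by the gdb backtrace; a fixed build prints "exited with status 0" (or a non-signal status if perl reports an error for the expression). Comparing the output of several builds this way is a quick way to bracket the fix without reading the source diffs.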