develooper Front page | perl.perl5.porters | Postings from August 2016

Re: [perl #128951] heap-buffer-overflow in Perl_sv_vcatpvfn_flags(sv.c:12897)

Thread Previous | Thread Next
Dave Mitchell
August 16, 2016 15:43
Re: [perl #128951] heap-buffer-overflow in Perl_sv_vcatpvfn_flags(sv.c:12897)
Message ID:
On Mon, Aug 15, 2016 at 03:15:03PM -0700, Brian Carpenter wrote:
> The attached test case triggers a heap-buffer-overflow in Perl_sv_vcatpvfn_flags (sv.c:12897). This was found with AFL, ASAN and and affects v5.25.4 (v5.25.3-245-g2e66fe9). Perl 5.20.2 returns an error that says `Unrecognized character \xD7; marked by <-- HERE after !@{<-- HERE near column -1 at test00 line 1.`

The src code contains the bytes:

    @ { \327 \n

after seeing "@{" the lexer calls scan_ident(), which sees the \327 as an
ident, then calls S_skipspace_flags() to skip the spaces following the
ident.  This moves the current cursor position to the \n, and since that's
a line boundary, its updates PL_linestart and PL_bufptr to point to \n

When it finds that the next char isn't a '}', it does this:

            /* Didn't find the closing } at the point we expected, so restore
               state such that the next thing to process is the opening { and */
	    s = SvPVX(PL_linestr) + bracket; /* let the parser handle it */

i.e. it moves s back to the "{\317" then continues.

However, PL_linestart doesn't get reset, so later when the parser
encounters the \327 and tries to croak with "Unrecognized character %s ...",
when it prints out the section of src code in error, since s < PL_linestr,
negative string lengths and ASAN errors ensue.

I don't know the best way to fix this.

I before E. Except when it isn't.

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About