On Mon, Aug 15, 2016 at 03:15:03PM -0700, Brian Carpenter wrote:
> The attached test case triggers a heap-buffer-overflow in
> Perl_sv_vcatpvfn_flags (sv.c:12897). This was found with AFL, ASAN and
> libdislocator.so and affects v5.25.4 (v5.25.3-245-g2e66fe9). Perl 5.20.2
> returns an error that says `Unrecognized character \xD7; marked by
> <-- HERE after !@{<-- HERE near column -1 at test00 line 1.`

The src code contains the bytes:

    @ { \327 \n

After seeing "@{" the lexer calls scan_ident(), which sees the \327 as an
ident, then calls S_skipspace_flags() to skip the spaces following the
ident. This moves the current cursor position to the \n, and since that's
a line boundary, it updates PL_linestart and PL_bufptr to point to \n too.

When it finds that the next char isn't a '}', it does this:

    /* Didn't find the closing } at the point we expected, so restore
       state such that the next thing to process is the opening { and */
    s = SvPVX(PL_linestr) + bracket; /* let the parser handle it */

i.e. it moves s back to the "{\317" then continues.

However, PL_linestart doesn't get reset, so later when the parser
encounters the \327 and tries to croak with "Unrecognized character %s
...", when it prints out the section of src code in error, since
s < PL_linestr, negative string lengths and ASAN errors ensue.

I don't know the best way to fix this.

-- 
I before E. Except when it isn't.
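A simplified C model of the state mix-up described in the message above, added here as an illustration and not Perl's own code: the lexer struct, skipspace(), state_after_rewind() and the two column functions are hypothetical stand-ins, and the input bytes are constructed. It shows the stale line-start yielding a negative length, and a defensive re-derivation that an error printer could apply before formatting.

```c
#include <stdio.h>

/* Hypothetical simplified model of the lexer state described above (not
 * Perl's code). Constructed input: "@{" + byte \327 + "\n". */
typedef struct {
    const char *buf, *end;
    const char *s;          /* cursor */
    const char *linestart;  /* start of the line the cursor is on */
} lexer;

static const char INPUT[] = "@{\327\n";

/* Skip whitespace; crossing '\n' advances linestart, like skipspace. */
static void skipspace(lexer *lx) {
    for (; lx->s < lx->end && (*lx->s == ' ' || *lx->s == '\n'); lx->s++)
        if (*lx->s == '\n')
            lx->linestart = lx->s + 1;
}

/* Ident scanned, spaces skipped past the '\n', no '}' found, cursor
 * rewound to the '{' without restoring linestart: the stale state. */
static lexer state_after_rewind(void) {
    /* cursor starts just past the \327 ident; '{' is at INPUT + 1 */
    lexer lx = { INPUT, INPUT + sizeof INPUT - 1, INPUT + 3, INPUT };
    skipspace(&lx);       /* crosses the '\n': linestart now INPUT + 4 */
    lx.s = INPUT + 1;     /* the rewind to '{'; linestart left stale */
    return lx;
}

/* What a naive error printer computes as "bytes of line before the
 * error": negative here, huge once cast to an unsigned length. */
static long raw_column(lexer lx) {
    return (long)(lx.s - lx.linestart);
}

/* Defensive variant: linestart > s violates the invariant, so re-derive
 * linestart by scanning back to the previous '\n' before formatting. */
static size_t safe_column(lexer lx) {
    const char *ls = lx.linestart;
    if (ls > lx.s)
        for (ls = lx.s; ls > lx.buf && ls[-1] != '\n'; ls--)
            ;
    return (size_t)(lx.s - ls);
}

int main(void) {
    lexer lx = state_after_rewind();
    printf("raw %ld, safe %zu\n", raw_column(lx), safe_column(lx)); /* -3, 1 */
    return 0;
}
```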