Front page | perl.perl5.porters |
Postings from January 2017
[perl #130648] regcomp.c:6195: voidS_pat_upgrade_to_utf8(RExC_state_t *const, char **, STRLEN *, int): Assertion`*(d - 1) == ')'' failed
From:
Sergey Aleynikov
Date:
January 26, 2017 10:19
Subject:
[perl #130648] regcomp.c:6195: voidS_pat_upgrade_to_utf8(RExC_state_t *const, char **, STRLEN *, int): Assertion`*(d - 1) == ')'' failed
Message ID:
rt-4.0.24-806-1485425959-1808.130648-75-0@perl.org
# New Ticket Created by Sergey Aleynikov
# Please include the string: [perl #130648]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=130648 >
This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.25.9.
-----------------------------------------------------------------
[Please describe your issue here]
While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following 16-bytes program
hexdump -C 0042
00000000 6d 27 5c 34 30 30 28 3f 7b 3c 3c 7d 29 0a 0a 27 |m'\400(?{<<})..'|
00000010
to cause an assertion failure. It crashes on perls dating back to at
least 5.8.8, albeit with different messages. GDB info about the crash
location:
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1 0x00007f0dbddc740a in __GI_abort () at abort.c:89
#2 0x00007f0dbddbee47 in __assert_fail_base (fmt=<optimized out>,
assertion=assertion@entry=0x7f0dbf4ab3ac "*(d - 1) == ')'",
file=file@entry=0x7f0dbf4a9198 "regcomp.c", line=line@entry=6195,
function=function@entry=0x7f0dbf4b2500 <__PRETTY_FUNCTION__.16556>
"S_pat_upgrade_to_utf8") at assert.c:92
#3 0x00007f0dbddbeef2 in __GI___assert_fail (assertion=0x7f0dbf4ab3ac
"*(d - 1) == ')'", file=0x7f0dbf4a9198 "regcomp.c", line=6195,
function=0x7f0dbf4b2500 <__PRETTY_FUNCTION__.16556>
"S_pat_upgrade_to_utf8") at assert.c:101
#4 0x00007f0dbf1ec789 in S_pat_upgrade_to_utf8
(pRExC_state=0x7fff4cce2030, pat_p=0x7fff4cce1cb8,
plen_p=0x7fff4cce1cb0, num_code_blocks=1)
at regcomp.c:6195
#5 0x00007f0dbf1f1c7d in Perl_re_op_compile (patternp=0x0,
pat_count=3, expr=0x7f0dc1237bd8, eng=0x7f0dbf735540
<PL_core_reg_engine>, old_re=0x0,
is_bare_re=0x0, orig_rx_flags=0, pm_flags=0) at regcomp.c:7106
#6 0x00007f0dbf112952 in Perl_pmruntime (o=0x7f0dc1237c18,
expr=0x7f0dc1238078, repl=0x0, flags=1, floor=0) at op.c:5882
#7 0x00007f0dbf1c3ecc in Perl_yyparse (gramtype=258) at perly.y:1204
#8 0x00007f0dbf142b1a in S_parse_body (env=0x0, xsinit=0x7f0dbf0fdf98
<xs_init>) at perl.c:2376
#9 0x00007f0dbf140e7f in perl_parse (my_perl=0x7f0dc1215010,
xsinit=0x7f0dbf0fdf98 <xs_init>, argc=3, argv=0x7fff4cce2b88, env=0x0)
at perl.c:1691
#10 0x00007f0dbf0fded6 in main (argc=3, argv=0x7fff4cce2b88,
env=0x7fff4cce2ba8) at perlmain.c:121
(gdb) f 4
#4 0x00007f0dbf1ec789 in S_pat_upgrade_to_utf8
(pRExC_state=0x7fff4cce2030, pat_p=0x7fff4cce1cb8,
plen_p=0x7fff4cce1cb0, num_code_blocks=1)
at regcomp.c:6195
6195 assert(*(d - 1) == ')');
(gdb) p *(d-1)
$1 = 10 '\n'
[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
category=core
severity=medium
---
Site configuration information for perl 5.25.9:
Configured by root at Sat Jan 14 02:25:05 MSK 2017.
Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
Platform:
osname=linux
osvers=3.16.0-4-amd64
archname=x86_64-linux
uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 gnulinux '
config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
bincompat5005=undef
Compiler:
cc='afl-clang-fast'
ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
optimize='-O0 -g -ggdb3'
cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='afl-clang-fast'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.24.so
so=so
useshrplib=false
libperl=libperl.a
gnulibc_version='2.24'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'
---
@INC for perl 5.25.9:
lib
/usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
/usr/local/lib/perl5/site_perl/5.25.9
/usr/local/lib/perl5/5.25.9/x86_64-linux
/usr/local/lib/perl5/5.25.9
---
Environment for perl 5.25.9:
HOME=/home/afl
LANG=en_US.UTF-8
LANGUAGE=en_US:en
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
PERLBREW_BASHRC_VERSION=0.78
PERLBREW_HOME=/home/afl/.perlbrew
PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
PERLBREW_PERL=perl-5.22.1
PERLBREW_ROOT=/home/afl/perlbrew
PERLBREW_VERSION=0.78
PERL_BADLANG (unset)
SHELL=/usr/bin/zsh
-
[perl #130648] regcomp.c:6195: voidS_pat_upgrade_to_utf8(RExC_state_t *const, char **, STRLEN *, int): Assertion`*(d - 1) == ')'' failed
by Sergey Aleynikov