
[perl #131904] integer overflow leads to heap overflow in perl5

From: Tony Cook via RT
Date: August 17, 2017 00:58
Subject: [perl #131904] integer overflow leads to heap overflow in perl5
Message ID: rt-4.0.24-5140-1502931503-877.131904-15-0@perl.org

On Tue, 15 Aug 2017 19:44:10 -0700, quangnh89@gmail.com wrote:
> The attached script triggers a heap-buffer-overflow in Perl_sv_vcatpvfn
> (sv.c:13353:17). This was found with ASAN.
> 
> =================================================================
> ==1380==ERROR: AddressSanitizer: heap-buffer-overflow on address
> 0x602000000fa8 at pc 0x0000004c6337 bp 0x7ffc3713f3f0 sp
> 0x7ffc3713eba0
> READ of size 10 at 0x602000000fa8 thread T0
>     #0 0x4c6336 in __asan_memcpy
> /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-
> rt/lib/asan/asan_interceptors.cc:453:3
>     #1 0xd46667 in Perl_sv_vcatpvfn_flags
> /root/fuzz/perl5/perl-new/sv.c:13353:17

This is a duplicate of #131793 and is fixed by my patch there.

As with #131793 this isn't a security issue and is now public.

Tony

---
via perlbug:  queue: perl5 status: new
https://rt.perl.org/Ticket/Display.html?id=131904


