develooper Front page | perl.perl5.porters | Postings from August 2017

[perl #131562] Multiple crash with eval

From: Tony Cook via RT
Date: August 23, 2017 04:19
Subject: [perl #131562] Multiple crash with eval
Message ID: rt-4.0.24-21653-1503461979-1091.131562-15-0@perl.org

On Tue, 13 Jun 2017 04:43:13 -0700, davem wrote:
> On Tue, Jun 13, 2017 at 01:28:29AM -0700, sung wrote:
> > # New Ticket Created by  sung 
> > # Please include the string:  [perl #131562]
> > # in the subject line of all future correspondence about this issue. 
> > # <URL: https://rt.perl.org/Ticket/Display.html?id=131562 >
> > 
> > 
> > I just tried honggfuzz and found some samples that triggered a crash in the *eval*
> > function.
> > Please find the file attached below to check.
> 
> Most of these seem to be fixed in blead. With threaded, debugging perl
> builds running under valgrind, I see:
> 
>             poc1  poc2  poc3  poc4  poc5
>             ----  ----  ----  ----  ----
> perl 5.24.0 FAIL  FAIL  FAIL  FAIL  FAIL
> perl 5.26.0 FAIL  PASS  FAIL  PASS  FAIL
> bleadperl   PASS  PASS  FAIL  PASS  PASS
> 
> So it would appear that all except poc3 have been fixed.
> What perl version(s) did you see failures on?
> 
> poc3 is:
> 
>     $^P = 0xA;
>     eval qq{#line 162335469120778 "figgle"\n#line 85 "doggo"\n};
> 
> It doesn't crash with $^P (debugging flags) being set, so I doubt that it
> is a security issue.

This isn't a security issue and is now public (it is a bug).

It occurs while copying eval lines to the new @{"_<newfilename"} array from the old array.

The code takes the very large line number and converts it to an I32 producing a negative number, then passes that as the index to av_store().

The attached should fix it. I don't think a test is practical, as
it would require a very large array to store lines above the 2G mark.

Tony

---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=131562
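
The narrowing described in the message above, as an added C example (not part of the original post and not the attached patch). It assumes the line number is available as a 64-bit value; `parse_line_directive`, `index_unchecked` and `index_checked` are hypothetical names, not perl internals.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse N from a '#line N "file"' directive. Returns 0 on success, -1 otherwise. */
static int parse_line_directive(const char *s, uint64_t *line) {
    char *end;
    if (strncmp(s, "#line ", 6) != 0)
        return -1;
    errno = 0;
    unsigned long long v = strtoull(s + 6, &end, 10);
    if (end == s + 6 || errno == ERANGE)
        return -1;
    *line = (uint64_t)v;
    return 0;
}

/* Unchecked narrowing to a signed 32-bit index, the pattern the message
 * describes. Out-of-range conversion to a signed type is implementation-defined
 * before C23; GCC and Clang keep the low 32 bits (two's complement). */
static int32_t index_unchecked(uint64_t line) {
    return (int32_t)(uint32_t)line;
}

/* Checked narrowing: refuse any line number that cannot be a valid index. */
static int index_checked(uint64_t line, int32_t *idx) {
    if (line > (uint64_t)INT32_MAX)
        return -1;
    *idx = (int32_t)line;
    return 0;
}

int main(void) {
    /* The two directives from poc3 in the quoted message. */
    const char *directives[] = { "#line 162335469120778 \"figgle\"", "#line 85 \"doggo\"" };
    for (size_t i = 0; i < 2; i++) {
        uint64_t line;
        int32_t idx = 0;
        if (parse_line_directive(directives[i], &line) != 0)
            continue;
        int ok = index_checked(line, &idx);
        printf("line %" PRIu64 ": unchecked index %" PRId32 ", checked %s\n",
               line, index_unchecked(line), ok == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```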


