develooper Front page | perl.perl5.porters | Postings from August 2017

[perl #131987] Heap Use After Free (READ of size 1) in Perl_yylex(toke.c:5137)

From: Brian Carpenter
Date: August 29, 2017 05:22
Subject: [perl #131987] Heap Use After Free (READ of size 1) in Perl_yylex(toke.c:5137)
Message ID: rt-4.0.24-23249-1503984173-921.131987-75-0@perl.org
# New Ticket Created by  Brian Carpenter 
# Please include the string:  [perl #131987]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=131987 >


Triggered while fuzzing Perl v5.27.2-150-g5c780defa5* on Fedora 26 x64.

./perl test079
Scalar found where operator expected at test079 line 1, near "000000000000000$"
        (Missing operator before $?)
=================================================================
==25286==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000000bd1 at pc 0x000000898f5b bp 0x7ffcfaccf670 sp 0x7ffcfaccf668
READ of size 1 at 0x606000000bd1 thread T0
    #0 0x898f5a in Perl_yylex /root/perl5/toke.c:5137:13
    #1 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
    #2 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
    #3 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
    #4 0x525287 in main /root/perl5/perlmain.c:121:18
    #5 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)
    #6 0x435b19 in _start (/root/perl5/perl+0x435b19)

0x606000000bd1 is located 17 bytes inside of 64-byte region [0x606000000bc0,0x606000000c00)
freed by thread T0 here:
    #0 0x4eb585 in realloc (/root/perl5/perl+0x4eb585)
    #1 0xdfab74 in Perl_safesysrealloc /root/perl5/util.c:274:18
    #2 0x110561e in Perl_sv_grow /root/perl5/sv.c:1600:17
    #3 0x121ffb0 in Perl_sv_catpvn_flags /root/perl5/sv.c:5530:12
    #4 0x86f49e in Perl_lex_next_chunk /root/perl5/toke.c:1378:6
    #5 0x877330 in Perl_lex_read_space /root/perl5/toke.c:1587:17
    #6 0x9c797c in S_skipspace_flags /root/perl5/toke.c:1890:2
    #7 0x97c962 in Perl_yylex /root/perl5/toke.c:6215:8
    #8 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
    #9 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
    #10 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
    #11 0x525287 in main /root/perl5/perlmain.c:121:18
    #12 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)

previously allocated by thread T0 here:
    #0 0x4eb585 in realloc (/root/perl5/perl+0x4eb585)
    #1 0xdfab74 in Perl_safesysrealloc /root/perl5/util.c:274:18
    #2 0x110561e in Perl_sv_grow /root/perl5/sv.c:1600:17
    #3 0x1295e81 in Perl_sv_gets /root/perl5/sv.c:8778:2
    #4 0x86e038 in S_filter_gets /root/perl5/toke.c:4577:17
    #5 0x86e038 in Perl_lex_next_chunk /root/perl5/toke.c:1352
    #6 0x8ad798 in Perl_yylex /root/perl5/toke.c:5288:11
    #7 0xa74f4a in Perl_yyparse /root/perl5/perly.c:340:34
    #8 0x712157 in S_parse_body /root/perl5/perl.c:2414:9
    #9 0x6fe8c5 in perl_parse /root/perl5/perl.c:1732:2
    #10 0x525287 in main /root/perl5/perlmain.c:121:18
    #11 0x7fe1ad90e4d9 in __libc_start_main (/lib64/libc.so.6+0x204d9)

SUMMARY: AddressSanitizer: heap-use-after-free /root/perl5/toke.c:5137:13 in Perl_yylex
