
[perl #132245] heap-buffer-overflow (READ of size 1) in S_scan_const(toke.c:3060)

From: Brian Carpenter
Date: October 8, 2017 10:41
Subject: [perl #132245] heap-buffer-overflow (READ of size 1) in S_scan_const(toke.c:3060)
Message ID: rt-4.0.24-14262-1507459281-1407.132245-75-0@perl.org
# New Ticket Created by  Brian Carpenter 
# Please include the string:  [perl #132245]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=132245 >


Triggered in 1195d90. Not a security concern as per Hugo in #129342 which
was marked resolved for 5.26.0.

./perl -e 'y//\N{}-0/'

==3236==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000eef at pc 0x00000069952c bp 0x7ffdf060f1f0 sp 0x7ffdf060f1e8
READ of size 1 at 0x602000000eef thread T0
    #0 0x69952b in S_scan_const /root/perl/toke.c:3060:33
    #1 0x628a3c in Perl_yylex /root/perl/toke.c:5042:10
    #2 0x6c7943 in Perl_yyparse /root/perl/perly.c:340:34
    #3 0x5bb75b in S_parse_body /root/perl/perl.c:2450:9
    #4 0x5b355a in perl_parse /root/perl/perl.c:1753:2
    #5 0x505095 in main /root/perl/perlmain.c:121:18
    #6 0x7f176def882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #7 0x435fa8 in _start (/root/perl/perl+0x435fa8)

0x602000000eef is located 1 bytes to the left of 10-byte region [0x602000000ef0,0x602000000efa)
allocated by thread T0 here:
    #0 0x4d9013 in malloc (/root/perl/perl+0x4d9013)
    #1 0x7ee078 in Perl_safesysmalloc /root/perl/util.c:153:21
    #2 0x8e000b in Perl_sv_grow /root/perl/sv.c:1603:17
    #3 0x923227 in Perl_newSV /root/perl/sv.c:5691:2
    #4 0x68aa5c in S_scan_const /root/perl/toke.c:2877:14
    #5 0x628a3c in Perl_yylex /root/perl/toke.c:5042:10
    #6 0x6c7943 in Perl_yyparse /root/perl/perly.c:340:34
    #7 0x5bb75b in S_parse_body /root/perl/perl.c:2450:9
    #8 0x5b355a in perl_parse /root/perl/perl.c:1753:2
    #9 0x505095 in main /root/perl/perlmain.c:121:18
    #10 0x7f176def882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/toke.c:3060:33 in S_scan_const



The unminimized version of this testcase results in a slightly different
stack:

./perl -e 'y/+4N{U0220}/\N{}-\N{U+400220}/\N{U+402<0}/c[rp'

==4003==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000006cf at pc 0x00000069914d bp 0x7ffc81e758b0 sp 0x7ffc81e758a8
READ of size 1 at 0x6030000006cf thread T0
    #0 0x69914c in Perl_utf8_hop /root/perl/./inline.h:946:13
    #1 0x69914c in S_scan_const /root/perl/toke.c:3047
    #2 0x628a3c in Perl_yylex /root/perl/toke.c:5042:10
    #3 0x6c7943 in Perl_yyparse /root/perl/perly.c:340:34
    #4 0x5bb75b in S_parse_body /root/perl/perl.c:2450:9
    #5 0x5b355a in perl_parse /root/perl/perl.c:1753:2
    #6 0x505095 in main /root/perl/perlmain.c:121:18
    #7 0x7f5d033c782f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #8 0x435fa8 in _start (/root/perl/perl+0x435fa8)

0x6030000006cf is located 1 bytes to the left of 19-byte region [0x6030000006d0,0x6030000006e3)
allocated by thread T0 here:
    #0 0x4d9013 in malloc (/root/perl/perl+0x4d9013)
    #1 0x7ee078 in Perl_safesysmalloc /root/perl/util.c:153:21
    #2 0x8e000b in Perl_sv_grow /root/perl/sv.c:1603:17
    #3 0x923227 in Perl_newSV /root/perl/sv.c:5691:2
    #4 0x68aa5c in S_scan_const /root/perl/toke.c:2877:14
    #5 0x628a3c in Perl_yylex /root/perl/toke.c:5042:10
    #6 0x6c7943 in Perl_yyparse /root/perl/perly.c:340:34
    #7 0x5bb75b in S_parse_body /root/perl/perl.c:2450:9
    #8 0x5b355a in perl_parse /root/perl/perl.c:1753:2
    #9 0x505095 in main /root/perl/perlmain.c:121:18
    #10 0x7f5d033c782f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-buffer-overflow /root/perl/./inline.h:946:13 in Perl_utf8_hop
