On Wed, 01 May 2019 05:55:57 -0700, davem wrote:
> On Tue, Mar 19, 2019 at 11:01:08PM -0700, Tony Cook via RT wrote:
> > On Fri, 08 Mar 2019 15:36:30 -0800, randir wrote:
> > > While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run
> > > under libdislocator, I found the following program
> > >
> > > printf q)%7000000000E)=>
> > >
> > > to cause an assertion failure
> > >
> > > perl: sv.c:13127: Perl_sv_vcatpvfn_flags: Assertion `elen >= width'
> > > failed.
> >
> > The bug causing this is this code:
> >
> >     if (width) {
> >         base = width;
> >         do { *--ptr = '0' + (base % 10); } while (base /= 10);
> >     }
> >
> > since base is an int, the very large 7000000000 becomes a largish
> > negative number breaking the formatting of the width.
> >
> > But fixing that reveals a different issue.
> >
> > The return type of v?snprintf() is int, so such a large result can't
> > be reported by v?snprintf() anyway.
> >
> > So fail earlier than this by checking the expected width fits in an
> > int.
>
> Your suggested patch looks good to me.

Applied in 027471cf1095f75f273df40310e4647fe1e8a9df.

Thanks for the report and the reminder.

Tony

---
via perlbug: queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=133913
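The truncation described in the thread, shown as an added stand-alone example (not code from sv.c or the applied patch): a width-to-digits loop that copies a wide width into an int, beside a version that rejects any width larger than INT_MAX before converting, on the grounds given above that v?snprintf() returns int and could never report such a length. Function names and buffer handling are this example's own assumptions.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Both helpers render a field width as decimal digits, writing backwards
 * from the end of buf the way the loop quoted in the report does.
 * Hypothetical helpers for illustration; not Perl's implementation. */

/* Mirrors the bug: the wide width is copied into an int before the loop. */
static const char *format_width_buggy(unsigned long long width, char *buf, size_t len)
{
    char *ptr = buf + len - 1;
    int base = (int)width;   /* 7000000000 does not fit a 32-bit int: becomes negative */
    *ptr = '\0';
    do {
        /* with a negative base, base % 10 is negative, so non-digit bytes are emitted */
        *--ptr = (char)('0' + (base % 10));
    } while ((base /= 10) != 0 && ptr > buf);
    return ptr;
}

/* Fix in the spirit of the patch: refuse a width that cannot be an int,
 * since v?snprintf() could not report such a length anyway.
 * Returns 0 and sets *out on success, -1 if the width is rejected or
 * buf has no room for the digits. */
static int format_width_checked(unsigned long long width, char *buf, size_t len,
                                const char **out)
{
    if (width > (unsigned long long)INT_MAX || len < 2)
        return -1;           /* fail early: width would not survive the int conversion */
    char *ptr = buf + len - 1;
    int base = (int)width;   /* now a lossless, non-negative conversion */
    *ptr = '\0';
    do {
        if (ptr == buf)
            return -1;       /* no room for another digit */
        *--ptr = (char)('0' + (base % 10));
    } while ((base /= 10) != 0);
    *out = ptr;
    return 0;
}
```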