Front page | perl.perl5.porters |
Postings from June 2019
On Wed, 01 May 2019 05:55:57 -0700, davem wrote:
> On Tue, Mar 19, 2019 at 11:01:08PM -0700, Tony Cook via RT wrote:
> > On Fri, 08 Mar 2019 15:36:30 -0800, randir wrote:
> > > While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run
> > > under libdislocator, I found the following program
> > >
> > > printf q)%7000000000E)=>
> > >
> > > to cause an assertion failure
> > >
> > > perl: sv.c:13127: Perl_sv_vcatpvfn_flags: Assertion `elen >= width'
> > > failed.
> > The bug causing this is this code:
> >
> > if (width) {
> > base = width;
> > do { *--ptr = '0' + (base % 10); } while (base /= 10);
> > }
> >
> > since base is an int, the very large 7000000000 becomes a largish
> > negative
> > number breaking the formatting of the width.
> >
> > But fixing that reveals a different issue.
> >
> > The return type of v?snprintf() is int, so such a large result can't
> > be reported
> > by v?snprintf() anyway.
> >
> > So fail earlier than this by checking the expected width fits in an
> > int.
>
> Your suggested patch looks good to me.
Applied in 027471cf1095f75f273df40310e4647fe1e8a9df.
Thanks for the report and the reminder.
Tony
---
via perlbug: queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=133913