perl.perl5.porters | Postings from June 2019

[perl #133913] Assertion failure in Perl_sv_vcatpvfn_flags(sv.c:13127)

From: Tony Cook via RT
Date: June 3, 2019 06:17
Subject: [perl #133913] Assertion failure in Perl_sv_vcatpvfn_flags(sv.c:13127)
Message ID: rt-4.0.24-6995-1559542660-1866.133913-15-0@perl.org

On Wed, 01 May 2019 05:55:57 -0700, davem wrote:
> On Tue, Mar 19, 2019 at 11:01:08PM -0700, Tony Cook via RT wrote:
> > On Fri, 08 Mar 2019 15:36:30 -0800, randir wrote:
> > > While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run
> > > under libdislocator, I found the following program
> > >
> > > printf q)%7000000000E)=>
> > >
> > > to cause an assertion failure
> > >
> > > perl: sv.c:13127: Perl_sv_vcatpvfn_flags: Assertion `elen >= width'
> > > failed.
> > The bug causing this is this code:
> >
> > if (width) {
> >     base = width;
> >     do { *--ptr = '0' + (base % 10); } while (base /= 10);
> > }
> >
> > since base is an int, the very large 7000000000 becomes a largish negative
> > number breaking the formatting of the width.
> >
> > But fixing that reveals a different issue.
> >
> > The return type of v?snprintf() is int, so such a large result can't be
> > reported by v?snprintf() anyway.
> >
> > So fail earlier than this by checking the expected width fits in an int.
> 
> Your suggested patch looks good to me.

Applied in 027471cf1095f75f273df40310e4647fe1e8a9df.

Thanks for the report and the reminder.

Tony


---
via perlbug:  queue: perl5 status: open
https://rt.perl.org/Ticket/Display.html?id=133913
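
The narrowing described in this thread, as an added example that is not part of the original message or the perl source: the quoted digit loop run on the width 7000000000 after conversion to int, next to a form that rejects widths larger than INT_MAX first. The function names, the uint64_t width type and the buffer size are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the quoted loop: the width is narrowed to int before its decimal
 * digits are written backwards. out needs room for 10 digits plus NUL. */
static void width_digits_int(uint64_t width, char *out, size_t outlen) {
    char *ptr = out + outlen - 1;
    int base = (int)width;   /* implementation-defined; wraps on common ABIs */
    *ptr = '\0';
    do { *--ptr = (char)('0' + (base % 10)); } while (base /= 10);
    memmove(out, ptr, (size_t)(out + outlen - ptr));
}

/* Returns 1 when s is non-empty and consists only of '0'..'9'. */
static int all_digits(const char *s) {
    if (!*s) return 0;
    for (; *s; s++)
        if (*s < '0' || *s > '9') return 0;
    return 1;
}

/* Hardened form (hypothetical helper): refuse any width that does not fit
 * in an int before formatting it. Returns 0 on success, -1 on rejection. */
static int width_digits_checked(uint64_t width, char *out, size_t outlen) {
    if (width > (uint64_t)INT_MAX) return -1;
    width_digits_int(width, out, outlen);
    return 0;
}

int main(void) {
    char buf[24];
    uint64_t w = 7000000000ULL;  /* the width from the reported format */
    width_digits_int(w, buf, sizeof buf);
    printf("narrowed: (int)w = %d, digits valid: %d\n", (int)w, all_digits(buf));
    printf("checked:  rc = %d\n", width_digits_checked(w, buf, sizeof buf));
    if (width_digits_checked(70, buf, sizeof buf) == 0)
        printf("checked:  width 70 -> \"%s\"\n", buf);
    return 0;
}
```

Because the same bound also keeps the formatted length within what an int return value can report, one early check covers both problems named in the thread.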
