From espinhara.net@gmail.com

Hi all.

I'm doing a fuzzing in a specific library, but I found this crash that for
now was not my primary goal. Crash file attached.

The crash was found using the afl-fuzzer (http​://lcamtuf.coredump.cx/afl)

root@​linux-base​:~/perl-5.20.2# perl -v

This is perl 5, version 20, subversion 2 (v5.20.2) built for x86_64-linux

Copyright 1987-2015, Larry Wall

Perl may be copied only under the terms of either the Artistic License or
the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl". If you have access to the
Internet, point your browser at http​://www.perl.org/, the Perl Home Page.

root@​linux-base​:~/perl-5.20.2#

root@​linux-base​:~/out_perl/crashes# valgrind perl id\​:000001\,sig\​:11\,src\​:
000696\,op\​:havoc\,rep\​:32
==116713== Memcheck, a memory error detector
==116713== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==116713== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright
info
==116713== Command​: perl id​:000001,sig​:11,src​:000696,op​:havoc,rep​:32
==116713==
==116713== Conditional jump or move depends on uninitialised value(s)
==116713== at 0x4FE2FC​: Perl_lex_read_space (toke.c​:1554)
==116713== by 0x4FF10C​: S_skipspace_flags (toke.c​:1962)
==116713== by 0x5215B0​: S_scan_pat (toke.c​:9714)
==116713== by 0x58B958​: Perl_yylex (toke.c​:8232)
==116713== by 0x5945D4​: Perl_yyparse (perly.c​:343)
==116713== by 0x4C38F8​: S_parse_body (perl.c​:2298)
==116713== by 0x4C38F8​: perl_parse (perl.c​:1607)
==116713== by 0x425607​: main (perlmain.c​:112)
==116713==
==116713== Invalid read of size 1
==116713== at 0x4FE2F4​: Perl_lex_read_space (toke.c​:1553)
==116713== by 0x4FF10C​: S_skipspace_flags (toke.c​:1962)
==116713== by 0x5215B0​: S_scan_pat (toke.c​:9714)
==116713== by 0x58B958​: Perl_yylex (toke.c​:8232)
==116713== by 0x5945D4​: Perl_yyparse (perly.c​:343)
==116713== by 0x4C38F8​: S_parse_body (perl.c​:2298)
==116713== by 0x4C38F8​: perl_parse (perl.c​:1607)
==116713== by 0x425607​: main (perlmain.c​:112)
==116713== Address 0x5d5f418 is 0 bytes after a block of size 104 alloc'd
==116713== at 0x4C2AF2E​: realloc (vg_replace_malloc.c​:692)
==116713== by 0x679DF8​: Perl_safesysrealloc (util.c​:244)
==116713== by 0x773A8E​: Perl_sv_grow (sv.c​:1590)
==116713== by 0x7B3AC3​: Perl_sv_gets (sv.c​:8374)
==116713== by 0x4FD5FF​: S_filter_gets (toke.c​:4429)
==116713== by 0x4FD5FF​: Perl_lex_next_chunk (toke.c​:1344)
==116713== by 0x5395EF​: Perl_yylex (toke.c​:5304)
==116713== by 0x5945D4​: Perl_yyparse (perly.c​:343)
==116713== by 0x4C38F8​: S_parse_body (perl.c​:2298)
==116713== by 0x4C38F8​: perl_parse (perl.c​:1607)
==116713== by 0x425607​: main (perlmain.c​:112)
==116713==
==116713==
==116713== Process terminating with default action of signal 11 (SIGSEGV)
==116713== Access not within mapped region at address 0x6135000
==116713== at 0x4FE2F4​: Perl_lex_read_space (toke.c​:1553)
==116713== by 0x4FF10C​: S_skipspace_flags (toke.c​:1962)
==116713== by 0x5215B0​: S_scan_pat (toke.c​:9714)
==116713== by 0x58B958​: Perl_yylex (toke.c​:8232)
==116713== by 0x5945D4​: Perl_yyparse (perly.c​:343)
==116713== by 0x4C38F8​: S_parse_body (perl.c​:2298)
==116713== by 0x4C38F8​: perl_parse (perl.c​:1607)
==116713== by 0x425607​: main (perlmain.c​:112)
==116713== If you believe this happened as a result of a stack
==116713== overflow in your program's main thread (unlikely but
==116713== possible), you can try to increase the size of the
==116713== main thread stack using the --main-stacksize= flag.
==116713== The main thread stack size used in this run was 8388608.
==116713==
==116713== HEAP SUMMARY​:
==116713== in use at exit​: 112,747 bytes in 567 blocks
==116713== total heap usage​: 648 allocs, 81 frees, 129,096 bytes allocated
==116713==
==116713== LEAK SUMMARY​:
==116713== definitely lost​: 200 bytes in 1 blocks
==116713== indirectly lost​: 562 bytes in 23 blocks
==116713== possibly lost​: 0 bytes in 0 blocks
==116713== still reachable​: 111,985 bytes in 543 blocks
==116713== suppressed​: 0 bytes in 0 blocks
==116713== Rerun with --leak-check=full to see details of leaked memory
==116713==
==116713== For counts of detected and suppressed errors, rerun with​: -v
==116713== Use --track-origins=yes to see where uninitialised values come
from
==116713== ERROR SUMMARY​: 4021229 errors from 2 contexts (suppressed​: 0
from 0)
Segmentation fault
root@​linux-base​:~/out_perl/crashes#

gdb-peda$ r < id​:000001,sig​:11,src​:000696,op​:havoc,rep​:32
Starting program​: /usr/local/bin/perl < id​:000001,sig​:11,src​:000696,
op​:havoc,rep​:32

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers----------------
-------------------]
RAX​: 0x0
RBX​: 0xdbe000
RCX​: 0x3
RDX​: 0x0
RSI​: 0xdbd8b6 --> 0x7f000420202040
RDI​: 0xb51134 --> 0x6874697700656e69 ('ine')
RBP​: 0xdbd8b0 --> 0x20401020230a0a00
RSP​: 0x7fffffffe1c0 --> 0x0
RIP​: 0x4fe2f4 (<Perl_lex_read_space+1172>​: movzx r8d,BYTE PTR [rbx])
R8 : 0x0
R9 : 0xdba250 --> 0x0
R10​: 0x8000
R11​: 0xdb3418 --> 0xdb3430 --> 0xdb3448 --> 0xdb3460 --> 0xdb3478 -->
0xdb3490 --> 0xdb34a8 --> 0xdb34c0 --> 0xdb34d8 --> 0xdb34f0 --> 0xdb3508
--> 0xdb3520 --> 0xdb3538 --> 0xdb3550 --> 0xdb3568 --> 0xdb3580 -->
0xdb3598 --> 0xdb35b0 --> 0xdb35c8 --> 0xdb35e0 --> 0xdb35f8 --> 0xdb3610
--> 0xdb3628 --> 0xdb3640 --> 0xdb3658 --> 0xdb3670 --> 0xdb3688 -->
0xdb36a0 --> 0xdb36b8 --> 0x0
R12​: 0x2
R13​: 0x1
R14​: 0x0
R15​: 0xdbd8b3 --> 0x420202040102023
EFLAGS​: 0x10216 (carry PARITY ADJUST zero sign trap INTERRUPT direction
overflow)
[-------------------------------------code------------------
-------------------]
  0x4fe2e4 <Perl_lex_read_space+1156>​: lea rsp,[rsp+0x98]
  0x4fe2ec <Perl_lex_read_space+1164>​: nop DWORD PTR [rax+0x0]
  0x4fe2f0 <Perl_lex_read_space+1168>​: add rbx,0x1
=> 0x4fe2f4 <Perl_lex_read_space+1172>​: movzx r8d,BYTE PTR [rbx]
  0x4fe2f8 <Perl_lex_read_space+1176>​: cmp r8b,0xa
  0x4fe2fc <Perl_lex_read_space+1180>​: je 0x4fe450
<Perl_lex_read_space+1520>
  0x4fe302 <Perl_lex_read_space+1186>​: xchg ax,ax
  0x4fe304 <Perl_lex_read_space+1188>​: lea rsp,[rsp-0x98]
[------------------------------------stack------------------
-------------------]
0000| 0x7fffffffe1c0 --> 0x0
0008| 0x7fffffffe1c8 --> 0x0
0016| 0x7fffffffe1d0 --> 0xb51e30 ("Search pattern not terminated or
ternary operator parsed as search pattern")
0024| 0x7fffffffe1d8 --> 0xdbd8b0 --> 0x20401020230a0a00
0032| 0x7fffffffe1e0 --> 0xb51237 ("msixopadlu")
0040| 0x7fffffffe1e8 --> 0x7e ('~')
0048| 0x7fffffffe1f0 --> 0x0
0056| 0x7fffffffe1f8 --> 0x4ff10d (<S_skipspace_flags+2877>​: mov
r9,QWORD PTR [rip+0x89d2c4] # 0xd9c3d8 <PL_parser>)
[-----------------------------------------------------------
-------------------]
Legend​: code, data, rodata, value
Stopped reason​: SIGSEGV
0x00000000004fe2f4 in Perl_lex_read_space (flags=0x2) at toke.c​:1553
1553 c = *++s;
gdb-peda$ bt
#0 0x00000000004fe2f4 in Perl_lex_read_space (flags=0x2) at toke.c​:1553
#1 0x00000000004ff10d in S_skipspace_flags (s=<optimized out>,
flags=<optimized out>) at toke.c​:1962
#2 0x00000000005215b1 in S_scan_pat (start=<optimized out>, type=0x1f) at
toke.c​:9714
#3 0x000000000058b959 in Perl_yylex () at toke.c​:8232
#4 0x00000000005945d5 in Perl_yyparse (gramtype=0xdba630) at perly.c​:343
#5 0x00000000004c38f9 in S_parse_body (xsinit=0x4259e0 <xs_init>, env=0x0)
at perl.c​:2298
#6 perl_parse (my_perl=<optimized out>, xsinit=xsinit@​entry=0x4259e0
<xs_init>, argc=<optimized out>, argv=<optimized out>,
  env=env@​entry=0x0) at perl.c​:1607
#7 0x0000000000425608 in main (argc=argc@​entry=0x1,
argv=argv@​entry=0x7fffffffec48,
env=0x7fffffffec58) at perlmain.c​:112
#8 0x00007ffff6efdb45 in __libc_start_main (main=0x4254a0 <main>,
argc=0x1, argv=0x7fffffffec48, init=<optimized out>,
  fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffffffec38) at libc-start.c​:287
#9 0x000000000042590b in _start ()
gdb-peda$ i r
rax 0x0 0x0
rbx 0xdbe000 0xdbe000
rcx 0x3 0x3
rdx 0x0 0x0
rsi 0xdbd8b6 0xdbd8b6
rdi 0xb51134 0xb51134
rbp 0xdbd8b0 0xdbd8b0
rsp 0x7fffffffe1c0 0x7fffffffe1c0
r8 0x0 0x0
r9 0xdba250 0xdba250
r10 0x8000 0x8000
r11 0xdb3418 0xdb3418
r12 0x2 0x2
r13 0x1 0x1
r14 0x0 0x0
r15 0xdbd8b3 0xdbd8b3
rip 0x4fe2f4 0x4fe2f4 <Perl_lex_read_space+1172>
eflags 0x10216 [ PF AF IF RF ]
cs 0x33 0x33
ss 0x2b 0x2b
ds 0x0 0x0
es 0x0 0x0
fs 0x0 0x0
gs 0x0 0x0
gdb-peda$

Also the same file is able to cause a crash in OSx Perl => *This is perl 5,
version 18, subversion 2 (v5.18.2) built for darwin-thread-multi-2level *

Process​: perl5.18 [9650]
Path​: /usr/bin/perl5.18
Identifier​: perl5.18
Version​: 103
Code Type​: X86-64 (Native)
Parent Process​: zsh [9214]
Responsible​: iTerm [9209]
User ID​: 501

Date/Time​: 2015-07-27 19​:36​:25.843 +1000
OS Version​: Mac OS X 10.10.4 (14E46)
Report Version​: 11
Anonymous UUID​: C539E2CE-7622-B224-E584-454758FD0503

Sleep/Wake UUID​: 577DBAD8-FA8D-49DD-A2A6-46A3D909EC56

Time Awake Since Boot​: 51000 seconds
Time Since Wake​: 6400 seconds

Crashed Thread​: 0 Dispatch queue​: com.apple.main-thread

Exception Type​: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes​: KERN_INVALID_ADDRESS at 0x00007fc659600000

VM Regions Near 0x7fc659600000​:
  MALLOC_TINY 00007fc659400000-00007fc659600000 [ 2048K]
rw-/rwx SM=PRV
-->
  MALLOC_SMALL 00007fc659800000-00007fc65a800000 [ 16.0M]
rw-/rwx SM=PRV

Thread 0 Crashed​:: Dispatch queue​: com.apple.main-thread
0 libperl.dylib 0x000000010ba32550 Perl_lex_read_space +
150
1 libperl.dylib 0x000000010ba493e5 Perl_yyerror + 645
2 libperl.dylib 0x000000010ba4b3d7 Perl_yyerror + 8823
3 libperl.dylib 0x000000010ba3cb98 Perl_yylex + 38902
4 libperl.dylib 0x000000010ba4f09d Perl_yyparse + 449
5 libperl.dylib 0x000000010ba260c6 perl_parse + 7886
6 perl5.18 0x000000010ba00ccb main + 203
7 libdyld.dylib 0x00007fff87f7b5c9 start + 1

Thread 0 crashed with X86 Thread State (64-bit)​:
  rax​: 0x0000000000000000 rbx​: 0x00007fc659600000 rcx​: 0x0000000000000023
rdx​: 0x0000000000000004
  rdi​: 0x00007fc65950ad35 rsi​: 0x000000010bb23242 rbp​: 0x00007fff541fe100
rsp​: 0x00007fff541fe0d0
  r8​: 0x000000000000006c r9​: 0x00007fc659500000 r10​: 0x0000000000000030
r11​: 0x00007fc659500000
  r12​: 0x000000010bb1cd70 r13​: 0x0000000000008400 r14​: 0x00007fc65950ad30
r15​: 0x00007fc65a001400
  rip​: 0x000000010ba32550 rfl​: 0x0000000000010293 cr2​: 0x00007fc659600000

Logical CPU​: 6
Error Code​: 0x00000004
Trap Number​: 14

Binary Images​:
  0x10ba00000 - 0x10ba00fff perl5.18 (103)
<DD623CF6-275A-3BC8-BDE0-09566702484D> /usr/bin/perl5.18
  0x10ba0b000 - 0x10bb2fff7 libperl.dylib (103)
<8FC40E39-A06C-3454-8ADA-F82BBFD179F2>
/System/Library/Perl/5.18/darwin-thread-multi-2level/CORE/libperl.dylib
  0x7fff6563c000 - 0x7fff65672837 dyld (353.2.1)
<72A99D0F-0B56-3938-ABC5-67A0F33757C4> /usr/lib/dyld
  0x7fff844d4000 - 0x7fff8451aff7 libauto.dylib (186)
<A260789B-D4D8-316A-9490-254767B8A5F1> /usr/lib/libauto.dylib
  0x7fff8451b000 - 0x7fff84520ff7 libmacho.dylib (862)
<126CA2ED-DE91-308F-8881-B9DAEC3C63B6> /usr/lib/system/libmacho.dylib
  0x7fff847a5000 - 0x7fff847d0fff libc++abi.dylib (125)
<88A22A0F-87C6-3002-BFBA-AC0F2808B8B9> /usr/lib/libc++abi.dylib
  0x7fff8480f000 - 0x7fff8489bff7 libsystem_c.dylib (1044.10.1)
<86FBED7A-F2C8-3591-AD6F-486DD57E6B6A> /usr/lib/system/libsystem_c.dylib
  0x7fff851c9000 - 0x7fff851d1fff libsystem_dnssd.dylib (576.30.4)
<4EA2DEC3-77EE-3941-A703-DE6DC2056B15> /usr/lib/system/libsystem_dnssd.dylib
  0x7fff85fc2000 - 0x7fff85fdffff libsystem_kernel.dylib (2782.30.5)
<101D28C0-AF07-3B81-87BE-CA27ADED33AB>
/usr/lib/system/libsystem_kernel.dylib
  0x7fff86038000 - 0x7fff86038ff7 libunc.dylib (29)
<5676F7EA-C1DF-329F-B006-D2C3022B7D70> /usr/lib/system/libunc.dylib
  0x7fff86878000 - 0x7fff8687dfff libsystem_stats.dylib (163.30.2)
<48A9387D-5C63-3E79-979C-F675552F6FC9> /usr/lib/system/libsystem_stats.dylib
  0x7fff868f6000 - 0x7fff868f7fff libsystem_secinit.dylib (18)
<581DAD0F-6B63-3A48-B63B-917AF799ABAA>
/usr/lib/system/libsystem_secinit.dylib
  0x7fff87b94000 - 0x7fff87b9dff7 libsystem_notify.dylib (133.1.1)
<61147800-F320-3DAA-850C-BADF33855F29>
/usr/lib/system/libsystem_notify.dylib
  0x7fff87bf8000 - 0x7fff87bfefff libsystem_trace.dylib (72.20.1)
<840F5301-B55A-3078-90B9-FEFFD6CD741A> /usr/lib/system/libsystem_trace.dylib
  0x7fff87f78000 - 0x7fff87f7bff7 libdyld.dylib (353.2.1)
<78E8F33D-0C86-3DB6-A93D-B67A25BA3522> /usr/lib/system/libdyld.dylib
  0x7fff890d4000 - 0x7fff89128fff libc++.1.dylib (120)
<1B9530FD-989B-3174-BB1C-BDC159501710> /usr/lib/libc++.1.dylib
  0x7fff89129000 - 0x7fff8912bfff libsystem_sandbox.dylib (358.20.5)
<3F5E973F-C702-31AC-97BC-05F5C195683C>
/usr/lib/system/libsystem_sandbox.dylib
  0x7fff8999f000 - 0x7fff899a0fff libDiagnosticMessagesClient.dylib
(100) <2EE8E436-5CDC-34C5-9959-5BA218D507FB>
/usr/lib/libDiagnosticMessagesClient.dylib
  0x7fff89cb1000 - 0x7fff89ce1fff libsystem_m.dylib (3086.1)
<1E12AB45-6D96-36D0-A226-F24D9FB0D9D6> /usr/lib/system/libsystem_m.dylib
  0x7fff8a02f000 - 0x7fff8a02fff7 liblaunch.dylib (559.30.1)
<B1301610-D60C-3301-B254-11F066BD48A7> /usr/lib/system/liblaunch.dylib
  0x7fff8a030000 - 0x7fff8a0a9fe7 libcorecrypto.dylib (233.30.1)
<5779FFA0-4D9A-3AD4-B7F2-618227621DC8> /usr/lib/system/libcorecrypto.dylib
  0x7fff8aaf9000 - 0x7fff8aafbfff libquarantine.dylib (76.20.1)
<7AF90041-2768-378A-925A-D83161863642> /usr/lib/system/libquarantine.dylib
  0x7fff8b22e000 - 0x7fff8b232fff libcache.dylib (69)
<45E9A2E7-99C4-36B2-BEE3-0C4E11614AD1> /usr/lib/system/libcache.dylib
  0x7fff8bd22000 - 0x7fff8bd38ff7 libsystem_asl.dylib (267)
<F153AC5B-0542-356E-88C8-20A62CA704E2> /usr/lib/system/libsystem_asl.dylib
  0x7fff8c542000 - 0x7fff8c54affb libcopyfile.dylib (118.1.2)
<0C68D3A6-ACDD-3EF3-991A-CC82C32AB836> /usr/lib/system/libcopyfile.dylib
  0x7fff8c5a9000 - 0x7fff8c5abfff libsystem_configuration.dylib
(699.30.1) <B124CC64-59B9-354F-A693-B3431ADB87AC>
/usr/lib/system/libsystem_configuration.dylib
  0x7fff8c5ac000 - 0x7fff8c5b5fff libsystem_pthread.dylib (105.10.1)
<3103AA7F-3BAE-3673-9649-47FFD7E15C97>
/usr/lib/system/libsystem_pthread.dylib
  0x7fff8c607000 - 0x7fff8c623ff7 libsystem_malloc.dylib (53.30.1)
<DDA8928B-CC0D-3255-BD8A-3FEA0982B890>
/usr/lib/system/libsystem_malloc.dylib
  0x7fff8c6e0000 - 0x7fff8c6e1ffb libremovefile.dylib (35)
<3485B5F4-6CE8-3C62-8DFD-8736ED6E8531> /usr/lib/system/libremovefile.dylib
  0x7fff8c7a4000 - 0x7fff8c99e46f libobjc.A.dylib (647)
<759E155D-BC42-3D4E-869B-6F57D477177C> /usr/lib/libobjc.A.dylib
  0x7fff8fd3f000 - 0x7fff8fd40ff7 libsystem_blocks.dylib (65)
<9615D10A-FCA7-3BE4-AA1A-1B195DACE1A1>
/usr/lib/system/libsystem_blocks.dylib
  0x7fff8fd41000 - 0x7fff8fd46ff7 libunwind.dylib (35.3)
<BE7E51A0-B6EA-3A54-9CCA-9D88F683A6D6> /usr/lib/system/libunwind.dylib
  0x7fff8fe7b000 - 0x7fff8fe8cff3 libsystem_coretls.dylib (35.30.2)
<0F7BAD0C-FC28-3E4B-8D21-06B426599043>
/usr/lib/system/libsystem_coretls.dylib
  0x7fff901f1000 - 0x7fff901f8ff7 libcompiler_rt.dylib (35)
<BF8FC133-EE10-3DA6-9B90-92039E28678F> /usr/lib/system/libcompiler_rt.dylib
  0x7fff901f9000 - 0x7fff90204fff libcommonCrypto.dylib (60061.30.1)
<E789748D-F9A7-3CFF-B317-90DF348B1E95> /usr/lib/system/libcommonCrypto.dylib
  0x7fff903ca000 - 0x7fff903cbff3 libSystem.B.dylib (1213)
<AD223AEB-237D-35A3-825E-EECF95916838> /usr/lib/libSystem.B.dylib
  0x7fff91150000 - 0x7fff91150ff7 libkeymgr.dylib (28)
<77845842-DE70-3CC5-BD01-C3D14227CED5> /usr/lib/system/libkeymgr.dylib
  0x7fff917e3000 - 0x7fff9181bfff libsystem_network.dylib (412.20.3)
<6105C134-6722-3C0A-A4CE-5E1261E2E1CC>
/usr/lib/system/libsystem_network.dylib
  0x7fff91831000 - 0x7fff91837ff7 libsystem_networkextension.dylib
(167.30.1) <3E99FF35-DCBB-3A4C-8853-F1F39A792D29>
/usr/lib/system/libsystem_networkextension.dylib
  0x7fff92421000 - 0x7fff92429fff libsystem_platform.dylib (63)
<64E34079-D712-3D66-9CE2-418624A5C040>
/usr/lib/system/libsystem_platform.dylib
  0x7fff92c92000 - 0x7fff92cbafff libsystem_info.dylib (459.20.1)
<AEB3FE62-4763-3050-8352-D6F9AF961AE6> /usr/lib/system/libsystem_info.dylib
  0x7fff93302000 - 0x7fff9332afff libxpc.dylib (559.30.1)
<80D68997-17B9-32B6-A5FA-A218216415E5> /usr/lib/system/libxpc.dylib
  0x7fff937f5000 - 0x7fff9381fff7 libdispatch.dylib (442.1.4)
<502CF32B-669B-3709-8862-08188225E4F0> /usr/lib/system/libdispatch.dylib
  0x7fff93bf2000 - 0x7fff93bf4ff7 libsystem_coreservices.dylib (9)
<41B7C578-5A53-31C8-A96F-C73E030B0938>
/usr/lib/system/libsystem_coreservices.dylib

External Modification Summary​:
  Calls made by other processes targeting this process​:
  task_for_pid​: 0
  thread_create​: 0
  thread_set_state​: 0
  Calls made by this process​:
  task_for_pid​: 0
  thread_create​: 0
  thread_set_state​: 0
  Calls made by all processes on this machine​:
  task_for_pid​: 28571
  thread_create​: 0
  thread_set_state​: 278

VM Region Summary​:
ReadOnly portion of Libraries​: Total=78.0M resident=18.5M(24%)
swapped_out_or_unallocated=59.5M(76%)
Writable regions​: Total=26.4M written=1332K(5%) resident=1412K(5%)
swapped_out=0K(0%) unallocated=25.0M(95%)

REGION TYPE VIRTUAL
=========== =======
Kernel Alloc Once 4K
MALLOC 18.2M
MALLOC (admin) 16K
STACK GUARD 56.0M
Stack 8192K
VM_ALLOCATE 12K
__DATA 716K
__LINKEDIT 71.0M
__TEXT 7132K
shared memory 4K
=========== =======
TOTAL 160.9M

--
Joaquim Espinhara da Silva Neto
+55 11 99718.8819

From espinhara.net@gmail.com

id_000001,sig_11,src_000696,op_havoc,rep_32

From @tonycoz

On Mon Jul 27 02​:38​:49 2015, espinhara.net@​gmail.com wrote​:

Hi all.

I'm doing a fuzzing in a specific library, but I found this crash that for
now was not my primary goal. Crash file attached.

The crash was found using the afl-fuzzer (http​://lcamtuf.coredump.cx/afl)

It looks like this was fixed in 4963771 (v5.21.0-429-g4963771), but that patch doesn't appear to be directly applicable to maint-5.20 since it depends on the ?...? operator being removed.

Tony

The RT System itself - Status changed from 'new' to 'open'

From @tonycoz

On Tue Sep 15 18​:25​:36 2015, tonyc wrote​:

On Mon Jul 27 02​:38​:49 2015, espinhara.net@​gmail.com wrote​:

Hi all.

I'm doing a fuzzing in a specific library, but I found this crash
that for
now was not my primary goal. Crash file attached.

The crash was found using the afl-fuzzer
(http​://lcamtuf.coredump.cx/afl)

It looks like this was fixed in
4963771 (v5.21.0-429-g4963771), but
that patch doesn't appear to be directly applicable to maint-5.20
since it depends on the ?...? operator being removed.

Here's a simpler crash case (attached)

tony@​mars​:.../git/perl$ ./perl ../125697b.pl
Segmentation fault
tony@​mars​:.../git/perl$ od -c ../125697b.pl
0000000 m \n #
0000003

which feels familiar.

Tony

From @tonycoz

125697b.pl

From @tonycoz

On Tue, 15 Sep 2015 18​:25​:36 -0700, tonyc wrote​:

It looks like this was fixed in
4963771 (v5.21.0-429-g4963771), but
that patch doesn't appear to be directly applicable to maint-5.20
since it depends on the ?...? operator being removed.

This is fixed in both supported releases, so closing.

Tony

@tonycoz - Status changed from 'open' to 'resolved'