From John_Sargent@McAfee.com

Created by john_sargent@mcafee.com

In op.c, line 3856 (ish) the cast to a LOOP* is incorrect. in that the
memory allocated inside Perl_convert when the OP type is NOT OP_LIST is
less than the size of a LOOP structure. Consequently, if the Copy call
at line 3846 (ish) it will try to read beyond the memory allocated.

If this memory happens to be the first element in the allocated chunk,
it will be reading memory that has not been allocated at all. So, at
best it reads garbage, or as happens several times here, it crashes
with an access violation.

OP* Perl_newFOROP(...)
{
  LOOP *loop;

  <-snip->

<<<< MEMORY ALLOCATED IN CONVERT HERE IS NOT BIG ENOUGH FOR A LOOP
STRUCT

  loop = (LOOP*)list(convert(OP_ENTERITER, iterflags,
  append_elem(OP_LIST, expr, scalar(sv))));
  assert(!loop->op_next);

  <-snip->

  LOOP *tmp;
  NewOp(1234,tmp,1,LOOP);
  Copy(loop,tmp,1,LOOP); <<<<< ACCESS VIOLATION
  FreeOp(loop);
  loop= tmp;

  <-snip->

Flags:
    category=core
    severity=critical

Site configuration information for perl v5.8.0:

Configured by bhcompile at Tue Feb 18 22:17:47 EST 2003.

Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.4.20-2.48smp,
archname=i386-linux-thread-multi
    uname='linux stripples.devel.redhat.com 2.4.20-2.48smp #1 smp thu
feb 13 11:44:55 est 2003 i686 i686 i386 gnulinux '
    config_args='-des -Doptimize=-O2 -march=i386 -mcpu=i686 -g
-Dmyhostname=localhost -Dperladmin=root@localhost -Dcc=gcc -Dcf_by=Red
Hat, Inc. -Dinstallprefix=/usr -Dprefix=/usr -Darchname=i386-linux
-Dvendorprefix=/usr -Dsiteprefix=/usr
-Dotherlibdirs=/usr/lib/perl5/5.8.0 -Duseshrplib -Dusethreads
-Duseithreads -Duselargefiles -Dd_dosuid -Dd_semctl_semun -Di_db
-Ui_ndbm -Di_gdbm -Di_shadow -Di_syslog -Dman3ext=3pm -Duseperlio
-Dinstallusrbinperl -Ubincompat5005 -Uversiononly -Dpager=/usr/bin/less
-isr'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define
usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS
-DDEBUGGING -fno-strict-aliasing -I/usr/local/include
-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-O2 -march=i386 -mcpu=i686 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUGGING
-fno-strict-aliasing -I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='3.2.2 20030213 (Red Hat Linux 8.0
3.2.2-1)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t',
lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lpthread -lc -lcrypt -lutil
    perllibs=-lnsl -ldl -lm -lpthread -lc -lcrypt -lutil
    libc=/lib/libc-2.3.1.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.3.1'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic
-Wl,-rpath,/usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    MAINT18379


@INC for perl v5.8.0:
    /usr/lib/perl5/5.8.0/i386-linux-thread-multi
    /usr/lib/perl5/5.8.0
    /usr/lib/perl5/site_perl/5.8.0/i386-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.0
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.0/i386-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.0
    /usr/lib/perl5/vendor_perl
    /usr/lib/perl5/5.8.0/i386-linux-thread-multi
    /usr/lib/perl5/5.8.0
    .


Environment for perl v5.8.0:
    HOME=/home/jsargent
    LANG=C
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/jsargent/bin
    PERL_BADLANG (unset)
    SHELL=/bin/bash

From @rgs

Sargent, John wrote​:

In op.c, line 3856 (ish) the cast to a LOOP* is incorrect. in that the
memory allocated inside Perl_convert when the OP type is NOT OP_LIST is

I can't figure out a case where this wouldn't be a list op.
Have you code to reproduce this ?

less than the size of a LOOP structure. Consequently, if the Copy call
at line 3846 (ish) it will try to read beyond the memory allocated.

If this memory happens to be the first element in the allocated chunk,
it will be reading memory that has not been allocated at all. So, at
best it reads garbage, or as happens several times here, it crashes
with an access violation.

OP* Perl_newFOROP(...)
{
LOOP *loop;

\<\-snip\->

<<<< MEMORY ALLOCATED IN CONVERT HERE IS NOT BIG ENOUGH FOR A LOOP
STRUCT

loop = (LOOP*)list(convert(OP_ENTERITER, iterflags,
append_elem(OP_LIST, expr, scalar(sv))));

The RT System itself - Status changed from 'new' to 'open'

From John_Sargent@McAfee.com

If scalar(sv) is null (not sure why it would be off hand), and expr is
not
a list type, append will just return the expr object, which is not of
type
OP_LIST. Perl_convert will then return a new LISTOP.

The crash is because the code casts a LISTOP to a LOOP which is bigger
as Copy
takes the expected type as an argument, and assumes the data size from
that
rather than the actual size of the data.

-----Original Message-----
From​: Rafael Garcia-Suarez via RT [mailto​:perlbug-followup@​perl.org]
Sent​: 16 March 2005 12​:02
To​: Sargent, John
Subject​: Re​: [perl #34450] Coding defect in Perl_newFOROP causing Access
Violation

Sargent, John wrote​:

In op.c, line 3856 (ish) the cast to a LOOP* is incorrect. in that the
memory allocated inside Perl_convert when the OP type is NOT OP_LIST
is

I can't figure out a case where this wouldn't be a list op.
Have you code to reproduce this ?

less than the size of a LOOP structure. Consequently, if the Copy call
at line 3846 (ish) it will try to read beyond the memory allocated.

If this memory happens to be the first element in the allocated chunk,
it will be reading memory that has not been allocated at all. So, at
best it reads garbage, or as happens several times here, it crashes
with an access violation.

OP* Perl_newFOROP(...)
{
LOOP *loop;

\<\-snip\->

<<<< MEMORY ALLOCATED IN CONVERT HERE IS NOT BIG ENOUGH FOR A LOOP
STRUCT

loop = (LOOP*)list(convert(OP_ENTERITER, iterflags,
append_elem(OP_LIST, expr, scalar(sv))));

From spenlow@exchange.microsoft.com

This is a bug report for perl from spenlow@​microsoft.com,
generated with the help of perlbug 1.34 running under perl v5.8.3.

With version 809 of ActiveState Perl for Win32 I am
intermittently encountering a crash at this callstack (I can
also repro this with build 808)​:

MSVCRT!memcpy+0x33
perl58!Perl_newFOROP+0x1da [..\op.c @​ 3846]
perl58!Perl_yyparse+0x4d6 [perly.y @​ 264]
perl58!S_parse_body+0x9e7 [..\perl.c @​ 1701]
perl58!perl_parse+0x289 [..\perl.c @​ 1213]
perl58!RunPerl+0x77 [perllib.c @​ 195]
perl!main+0x12 [perlmain.c @​ 17]

Perl appears to be parsing a foreach statement. While it's doing
that it copies from one data structure to another and it reads
past the end of the block. The block is allocated here​:

MSVCRT!malloc+0x74
perl58!VMem​::Malloc+0x14 [vmem.h @​ 164]
perl58!CPerlHost​::MallocShared+0x1d [perlhost.h @​ 82]
perl58!PerlMemSharedMalloc+0x10 [perlhost.h @​ 346]
perl58!Perl_Slab_Alloc+0x28 [..\op.c @​ 44]
perl58!Perl_newLISTOP+0x15 [..\op.c @​ 2204]
perl58!Perl_append_elem+0x5b [..\op.c @​ 2112]
perl58!Perl_newFOROP+0x1a4 [..\op.c @​ 3837]
perl58!Perl_yyparse+0x4d6 [perly.y @​ 264]
perl58!S_parse_body+0x9e7 [..\perl.c @​ 1701]
perl58!perl_parse+0x289 [..\perl.c @​ 1213]
perl58!RunPerl+0x77 [perllib.c @​ 195]
perl!main+0x12 [perlmain.c @​ 17]

The block appears to be 0x200C in length.

This problem occurs intermittently on many different machines.
I was able to get a 100% repro situation by creating a lot of
environment variables. My hunch is that this causes more
memory to be used in the heap, such that this allocation of
0x200C is aligned at the end of the page. Then when perl reads
past the end, it crashes.

My hunch of the problem is that Perl_Slab_Alloc, VMem​::Malloc,
CPerlHost​::MallocShared, or PerlMemSharedMalloc is doing some
math to round-up/down or add a header/trailer and the math
isn't always correct.

This bug is very bad because it is intermittent and hard to
repro. i.e. I have a machine in my office with a script that
can repro this, but at the moment I can't distribute the script
and even if I did, you would probably have problems reproing
the issue (i.e. I had to work for a few hours to get my machine
in a state where I could repro the issue).

I would be happy to talk to anyone about this issue or answer
any questions.

Thank you,

Spencer Low
spencer@​microsoft.com
JAPH ;-)

Flags​:
  category=core
  severity=high

Site configuration information for perl v5.8.3​:

Configured by ActiveState at Tue Feb 3 00​:28​:38 2004.

Summary of my perl5 (revision 5 version 8 subversion 3) configuration​:
  Platform​:
  osname=MSWin32, osvers=4.0, archname=MSWin32-x86-multi-thread
  uname=''
  config_args='undef'
  hint=recommended, useposix=true, d_sigaction=undef
  usethreads=undef use5005threads=undef useithreads=define
usemultiplicity=define
  useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
  use64bitint=undef use64bitall=undef uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='cl', ccflags ='-nologo -Gf -W3 -MD -Zi -DNDEBUG -O1 -DWIN32
-D_CONSOLE -DNO_STRICT -DHAVE_DES_FCRYPT -DNO_HASH_SEED
-DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS -DUSE_PERLIO
-DPERL_MSVCRT_READFIX',
  optimize='-MD -Zi -DNDEBUG -O1',
  cppflags='-DWIN32'
  ccversion='', gccversion='', gccosandvers=''
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
  d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=10
  ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='__int64',
lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries​:
  ld='link', ldflags ='-nologo -nodefaultlib -debug -opt​:ref,icf
-libpath​:"C​:\Perl\lib\CORE" -machine​:x86'
  libpth=C​:\PROGRA1\MICROS3\VC98\lib
  libs= oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib
comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib
netapi32.lib uuid.lib wsock32.lib mpr.lib winmm.lib version.lib
odbc32.lib odbccp32.lib msvcrt.lib
  perllibs= oldnames.lib kernel32.lib user32.lib gdi32.lib
winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib
oleaut32.lib netapi32.lib uuid.lib wsock32.lib mpr.lib winmm.lib
version.lib odbc32.lib odbccp32.lib msvcrt.lib
  libc=msvcrt.lib, so=dll, useshrplib=yes, libperl=perl58.lib
  gnulibc_version='undef'
  Dynamic Linking​:
  dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
  cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug
-opt​:ref,icf -libpath​:"C​:\Perl\lib\CORE" -machine​:x86'

Locally applied patches​:
  ACTIVEPERL_LOCAL_PATCHES_ENTRY
  22218 Remove the caveat about detached threads crashing on Windows
  22201 Avoid threads+win32 crash by freeing Perl interpreter slightly
later
  22169 Display 'out of memeory' errors using low-level I/O
  22159 Upgrade to Time​::Hires 1.55
  22120 Make 'Configure -Dcf_by=...' work
  22051 Upgrade to Time​::HiRes 1.54
  21540 Fix backward-compatibility issues in if.pm

@​INC for perl v5.8.3​:
  E​:\sqlmain\tools\winsdk\tools\perllib
  E​:\sqlmain\tools\winsdk\tools\perl\site\lib
  E​:\sqlmain\tools\winsdk\tools\perl\lib
  E​:/sqlmain/tools/winsdk/tools/perl/lib
  E​:/sqlmain/tools/winsdk/tools/perl/site/lib
  .

Environment for perl v5.8.3​:
  HOME (unset)
  LANG (unset)
  LANGUAGE (unset)
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)

PATH=E​:\sqlmain\tools\winsdk\tools\perl\bin;C​:\WINDOWS\system32;C​:\WINDO
WS;C​:\WINDOWS\system32\WBEM;E​:\tools;C​:\Program Files\Support
Tools\;D​:\Debuggers;

PERL5LIB=E​:\sqlmain\tools\winsdk\tools\perllib;E​:\sqlmain\tools\winsdk\t
ools\perl\site\lib;E​:\sqlmain\tools\winsdk\tools\perl\lib
  PERL_BADLANG (unset)
  SHELL (unset)

From @gsar

On 25 Mar 2005 07​:54​:22 GMT, "Spencer Low" wrote​:

# New Ticket Created by "Spencer Low"
# Please include the string​: [perl #34568]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=34568 >

This appears to have been previously reported as bug 34450​:

  http​://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2005-03/msg00339.html
  https://rt-archive.perl.org/perl5/Ticket/Display.html?id=34450

Some more history​: the buggy code has been around for a long time,
but was only enabled if PL_OP_SLAB_ALLOC was #defined. It got
enabled by default for PERL_IMPLICIT_SYS builds in change 14284,
which shipped beginning with 5.8.0.

With version 809 of ActiveState Perl for Win32 I am
intermittently encountering a crash at this callstack (I can
also repro this with build 808)​:

MSVCRT!memcpy+0x33
perl58!Perl_newFOROP+0x1da [..\op.c @​ 3846]
perl58!Perl_yyparse+0x4d6 [perly.y @​ 264]
perl58!S_parse_body+0x9e7 [..\perl.c @​ 1701]
perl58!perl_parse+0x289 [..\perl.c @​ 1213]
perl58!RunPerl+0x77 [perllib.c @​ 195]
perl!main+0x12 [perlmain.c @​ 17]

Nice analysis. The attached patch against perl 5.8.6 might fix it.

Sarathy
gsar@​ActiveState.com

-----------------------------------8<-----------------------------------
Index: ./op.c
--- ./op.c.~1~	Fri Mar 25 10:25:09 2005
+++ ./op.c	Fri Mar 25 10:25:09 2005
@@ -3930,7 +3930,7 @@
     {
 	LOOP *tmp;
 	NewOp(1234,tmp,1,LOOP);
-	Copy(loop,tmp,1,LOOP);
+	Copy(loop,tmp,1,LISTOP);
 	FreeOp(loop);
 	loop = tmp;
     }
End of Patch.

The RT System itself - Status changed from 'new' to 'open'

From @rgarcia

On Fri, 25 Mar 2005 10​:31​:09 -0800, Gurusamy Sarathy
<gsar@​activestate.com> wrote​:

This appears to have been previously reported as bug 34450​:

http​://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2005-03/msg00339.html
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=34450

But, as far as I can tell, in but 34450 PL_OP_SLAB_ALLOC isn't defined...

Some more history​: the buggy code has been around for a long time,
but was only enabled if PL_OP_SLAB_ALLOC was #defined. It got
enabled by default for PERL_IMPLICIT_SYS builds in change 14284,
which shipped beginning with 5.8.0.

With version 809 of ActiveState Perl for Win32 I am
intermittently encountering a crash at this callstack (I can
also repro this with build 808)​:

MSVCRT!memcpy+0x33
perl58!Perl_newFOROP+0x1da [..\op.c @​ 3846]
perl58!Perl_yyparse+0x4d6 [perly.y @​ 264]
perl58!S_parse_body+0x9e7 [..\perl.c @​ 1701]
perl58!perl_parse+0x289 [..\perl.c @​ 1213]
perl58!RunPerl+0x77 [perllib.c @​ 195]
perl!main+0x12 [perlmain.c @​ 17]

Nice analysis. The attached patch against perl 5.8.6 might fix it.

Sarathy
gsar@​ActiveState.com
-----------------------------------8<-----------------------------------
Index​: ./op.c
--- ./op.c.1 Fri Mar 25 10​:25​:09 2005
+++ ./op.c Fri Mar 25 10​:25​:09 2005
@​@​ -3930,7 +3930,7 @​@​
{
LOOP *tmp;
NewOp(1234,tmp,1,LOOP);
- Copy(loop,tmp,1,LOOP);
+ Copy(loop,tmp,1,LISTOP);
FreeOp(loop);
loop = tmp;
}
End of Patch.

From @gsar

On Fri, 25 Mar 2005 20​:25​:35 +0100, Rafael Garcia-Suarez wrote​:

On Fri, 25 Mar 2005 10​:31​:09 -0800, Gurusamy Sarathy
<gsar@​activestate.com> wrote​:

This appears to have been previously reported as bug 34450​:

http​://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2005-03/msg00339.ht
https://rt-archive.perl.org/perl5/Ticket/Display.html?id=34450

But, as far as I can tell, in but 34450 PL_OP_SLAB_ALLOC isn't defined...

I don't think that is possible, since the code in question is
protected by an #ifdef PL_OP_SLAB_ALLOC.

Sarathy
gsar@​ActiveState.com

From @rgarcia

On Fri, 25 Mar 2005 12​:54​:39 -0800, Gurusamy Sarathy
<gsar@​activestate.com> wrote​:

But, as far as I can tell, in but 34450 PL_OP_SLAB_ALLOC isn't defined...

I don't think that is possible, since the code in question is
protected by an #ifdef PL_OP_SLAB_ALLOC.

Yes, that's more or less what I was saying, thus wondering about the
link with 34450.
Anyway, thanks, applied to blead as #24080.

From @smpeters

[rgarciasuarez@​gmail.com - Fri Mar 25 13​:37​:04 2005]​:

On Fri, 25 Mar 2005 12​:54​:39 -0800, Gurusamy Sarathy
<gsar@​activestate.com> wrote​:

But, as far as I can tell, in but 34450 PL_OP_SLAB_ALLOC isn't
defined...

I don't think that is possible, since the code in question is
protected by an #ifdef PL_OP_SLAB_ALLOC.

Yes, that's more or less what I was saying, thus wondering about the
link with 34450.
Anyway, thanks, applied to blead as #24080.

Ticket closed as patch was applied.

@smpeters - Status changed from 'open' to 'resolved'

From spenlow@exchange.microsoft.com

Thank you for the fast reply and patch. When is the next release of
ActivePerl going to include this fix? aka, how can I get binaries with
this fix without building perl myself?

Thanks again for the fast response,

Spencer

-----Original Message-----
From​: Gurusamy Sarathy [mailto​:gsar@​ActiveState.com]
Sent​: Friday, March 25, 2005 10​:31 AM
To​: perl5-porters@​perl.org
Cc​: bugs-bitbucket@​netlabs.develooper.com; john_sargent@​mcafee.com;
Spencer Low
Subject​: Re​: [perl #34568] Perl crashes reading past the end of a heap
block while parsing foreach statement

On 25 Mar 2005 07​:54​:22 GMT, "Spencer Low" wrote​:

# New Ticket Created by "Spencer Low"
# Please include the string​: [perl #34568] # in the subject line of
all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=34568 >

This appears to have been previously reported as bug 34450​:

http​://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2005-03/msg00339.
html
  https://rt-archive.perl.org/perl5/Ticket/Display.html?id=34450

Some more history​: the buggy code has been around for a long time, but
was only enabled if PL_OP_SLAB_ALLOC was #defined. It got enabled by
default for PERL_IMPLICIT_SYS builds in change 14284, which shipped
beginning with 5.8.0.

With version 809 of ActiveState Perl for Win32 I am intermittently
encountering a crash at this callstack (I can also repro this with
build 808)​:

MSVCRT!memcpy+0x33
perl58!Perl_newFOROP+0x1da [..\op.c @​ 3846]
perl58!Perl_yyparse+0x4d6 [perly.y @​ 264]
perl58!S_parse_body+0x9e7 [..\perl.c @​ 1701]
perl58!perl_parse+0x289 [..\perl.c @​ 1213]
perl58!RunPerl+0x77 [perllib.c @​ 195]
perl!main+0x12 [perlmain.c @​ 17]

Nice analysis. The attached patch against perl 5.8.6 might fix it.

Sarathy
gsar@​ActiveState.com

-----------------------------------8<-----------------------------------
Index: ./op.c
--- ./op.c.~1~	Fri Mar 25 10:25:09 2005
+++ ./op.c	Fri Mar 25 10:25:09 2005
@@ -3930,7 +3930,7 @@
     {
 	LOOP *tmp;
 	NewOp(1234,tmp,1,LOOP);
-	Copy(loop,tmp,1,LOOP);
+	Copy(loop,tmp,1,LISTOP);
 	FreeOp(loop);
 	loop = tmp;
     }
End of Patch.

From @smpeters

[John_Sargent@​McAfee.com - Wed Mar 16 06​:02​:13 2005]​:

If scalar(sv) is null (not sure why it would be off hand), and expr is
not
a list type, append will just return the expr object, which is not of
type
OP_LIST. Perl_convert will then return a new LISTOP.

The crash is because the code casts a LISTOP to a LOOP which is bigger
as Copy
takes the expected type as an argument, and assumes the data size from
that
rather than the actual size of the data.

-----Original Message-----
From​: Rafael Garcia-Suarez via RT [mailto​:perlbug-followup@​perl.org]
Sent​: 16 March 2005 12​:02
To​: Sargent, John
Subject​: Re​: [perl #34450] Coding defect in Perl_newFOROP causing Access
Violation

Sargent, John wrote​:

In op.c, line 3856 (ish) the cast to a LOOP* is incorrect. in that the
memory allocated inside Perl_convert when the OP type is NOT OP_LIST
is

I can't figure out a case where this wouldn't be a list op.
Have you code to reproduce this ?

Let me clarify. Do you have any Perl and/or XS code that demonstrates this problem?

From @smpeters

[stmpeters - Thu Jul 14 20​:39​:33 2005]​:

[John_Sargent@​McAfee.com - Wed Mar 16 06​:02​:13 2005]​:

If scalar(sv) is null (not sure why it would be off hand), and expr
is
not
a list type, append will just return the expr object, which is not
of
type
OP_LIST. Perl_convert will then return a new LISTOP.

The crash is because the code casts a LISTOP to a LOOP which is
bigger
as Copy
takes the expected type as an argument, and assumes the data size
from
that
rather than the actual size of the data.

-----Original Message-----
From​: Rafael Garcia-Suarez via RT [mailto​:perlbug-followup@​perl.org]
Sent​: 16 March 2005 12​:02
To​: Sargent, John
Subject​: Re​: [perl #34450] Coding defect in Perl_newFOROP causing
Access
Violation

Sargent, John wrote​:

In op.c, line 3856 (ish) the cast to a LOOP* is incorrect. in that
the
memory allocated inside Perl_convert when the OP type is NOT
OP_LIST
is

I can't figure out a case where this wouldn't be a list op.
Have you code to reproduce this ?

Let me clarify. Do you have any Perl and/or XS code that demonstrates
this problem?

Without a demonstration of the problem mentioned, this ticket will be
set to stalled.

@smpeters - Status changed from 'open' to 'stalled'

From @doy

If no code can be provided to demonstrate this issue on a more recent
version of perl, this ticket can probably be closed.

The RT System itself - Status changed from 'stalled' to 'open'

From @cpansprout

On Sun Jun 24 15​:21​:47 2012, doy wrote​:

If no code can be provided to demonstrate this issue on a more recent
version of perl, this ticket can probably be closed.

It was fixed in commit bd5f3bc, so this is the same bug as #34568.

--

Father Chrysostomos

@cpansprout - Status changed from 'open' to 'resolved'