
Crash in Data-Dumper with invalid utf8 input #10803

Closed
p5pRT opened this issue Nov 7, 2010 · 5 comments

Comments


p5pRT commented Nov 7, 2010

Migrated from rt.perl.org#78898 (status was 'resolved')

Searchable as RT78898$


p5pRT commented Nov 7, 2010

From @ntyni

This is a bug report for perl from Niko Tyni <ntyni@debian.org>,
generated with the help of perlbug 1.39 running under perl 5.13.6.


When warnings are enabled and Data::Dumper::Dumper() is called with
an invalid utf8 string that still has the UTF8 flag on, esc_q_utf8()
miscounts the size of the escaped string. The result is an out of
bounds write.

% ./perl -Ilib -w -MData::Dumper -MEncode -e 'for (1..50) { $a = "\x{fc}" . "A"x$_; Encode::_utf8_on($a); Dumper $a }'
Malformed UTF-8 character (unexpected non-continuation byte 0x41, immediately after start byte 0xfc) in subroutine entry at lib/Data/Dumper.pm line 190.
[...]
*** glibc detected *** ./perl: realloc(): invalid next size: 0x000000000126afd0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x71ad6)[0x7f66dbe0aad6]
/lib/libc.so.6(+0x776ec)[0x7f66dbe106ec]
/lib/libc.so.6(realloc+0xf0)[0x7f66dbe10a00]
./perl(Perl_safesysrealloc+0x10a)[0x52a9a5]
./perl(Perl_sv_grow+0x415)[0x59983f]
./perl(Perl_sv_insert_flags+0xd56)[0x5d19ec]
lib/auto/Data/Dumper/Dumper.so(XS_Data__Dumper_Dumpxs+0x4ae1)[0x7f66d53d1a83]
./perl(Perl_pp_entersub+0x282f)[0x5915f1]
./perl(Perl_runops_debug+0x1bf)[0x529c80]
./perl[0x45350f]
./perl(perl_run+0x164)[0x452737]
./perl(main+0xe9)[0x41db5d]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f66dbdb7c4d]
./perl[0x41d9b9]

Proposed patch attached, including a test case.

Originally reported as http://bugs.debian.org/574156



Flags:
  category=library
  severity=low
  module=Data::Dumper


Site configuration information for perl 5.13.6:

Configured by niko at Fri Nov 5 14:02:26 EET 2010.

Summary of my perl5 (revision 5 version 13 subversion 6) configuration:
  Local Commit: 93419bfa5a174f17d59db16b7ce16b8eb14b9aa8
  Ancestor: 6d351bf
  Platform:
  osname=linux, osvers=2.6.32-5-amd64, archname=x86_64-linux-gnu-thread-multi
  uname='linux madeleine 2.6.32-5-amd64 #1 smp sat oct 30 14:18:21 utc 2010 x86_64 gnulinux '
  config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.13 -Darchlib=/usr/lib/perl/5.13 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.13.6 -Dsitearch=/usr/local/lib/perl/5.13.6 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=both -Doptimize=-O0 -Dusedevel -Uuseshrplib -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=define, usemultiplicity=define
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O0 -g',
  cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
  ccversion='', gccversion='4.4.5', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries:
  ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64
  libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
  perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
  libc=/lib/libc-2.11.2.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.11.2'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O0 -g -L/usr/local/lib -fstack-protector'

Locally applied patches:


@INC for perl 5.13.6:
  lib
  /usr/local/lib/perl/5.13.6
  /usr/local/share/perl/5.13.6
  /usr/lib/perl5
  /usr/share/perl5
  /usr/lib/perl/5.13
  /usr/share/perl/5.13
  /usr/local/share/perl
  /usr/share/perl5
  .


Environment for perl 5.13.6:
  HOME=/home/niko
  LANG=en_US.UTF-8
  LANGUAGE (unset)
  LC_CTYPE=fi_FI.UTF-8
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/home/niko/bin:/home/niko/bin:/home/niko/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin:/sbin:/usr/sbin
  PERL_BADLANG (unset)
  SHELL=/bin/zsh
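
A constructed C illustration of the bug class the report describes, added here; it is not Data::Dumper's esc_q_utf8() and uses simplified stand-ins of my own for UTF8SKIP and utf8_to_uvchr. It is a two-pass single-quote escaper: the counting pass advances by the length the lead byte claims, while the emission pass advances by what the decoder actually consumed, so the two disagree as soon as a 0xFC lead byte is followed by something other than continuation bytes. count_naive() reproduces the miscount, count_fixed() applies the rule from the attached patch (step one byte when the decoder returns 0 for a non-NUL byte), and escape_utf8() returns the size the output really needs, so the shortfall can be measured without overflowing anything. All function names and sample inputs are mine.

```c
#include <stdio.h>
#include <string.h>

/* Byte length implied by a lead byte, in the spirit of Perl's UTF8SKIP:
 * it trusts the lead byte and never inspects the continuation bytes. */
static size_t utf8skip(unsigned char lead)
{
    if (lead < 0xC0) return 1;      /* ASCII, or a stray continuation byte */
    if (lead < 0xE0) return 2;
    if (lead < 0xF0) return 3;
    if (lead < 0xF8) return 4;
    if (lead < 0xFC) return 5;
    if (lead < 0xFE) return 6;
    return 1;                       /* 0xFE/0xFF: never a lead byte */
}

/* Decode one character at s. On malformed or truncated input it returns 0 and
 * sets *len = 1, the "k == 0 means malformed" convention the patch tests for. */
static unsigned long utf8_decode(const unsigned char *s, const unsigned char *end, size_t *len)
{
    size_t n = utf8skip(*s);
    unsigned long cp;
    if (*s < 0x80) { *len = 1; return *s; }
    if (n == 1 || (size_t)(end - s) < n) { *len = 1; return 0; }   /* stray or truncated */
    cp = *s & (0x7Fu >> n);                                         /* payload bits of lead */
    for (size_t i = 1; i < n; i++) {
        if ((s[i] & 0xC0) != 0x80) { *len = 1; return 0; }         /* non-continuation byte */
        cp = (cp << 6) | (s[i] & 0x3F);
    }
    *len = n;
    return cp;
}

/* Bytes one decoded character occupies in the escaped output. */
static size_t escaped_cost(unsigned long cp, unsigned char raw)
{
    if (cp == 0 && raw != '\0')                       /* malformed: escape the raw byte */
        return (size_t)snprintf(NULL, 0, "\\x{%x}", (unsigned)raw);
    if (cp < 0x80)
        return (cp == '\'' || cp == '\\') ? 2 : 1;    /* \' and \\ inside '...' */
    return (size_t)snprintf(NULL, 0, "\\x{%lx}", cp);
}

/* Counting pass as the bug had it: advances by the lead byte's claimed length. */
static size_t count_naive(const unsigned char *src, size_t slen)
{
    size_t total = 0, len;
    for (size_t i = 0; i < slen; i += utf8skip(src[i]))
        total += escaped_cost(utf8_decode(src + i, src + slen, &len), src[i]);
    return total;
}

/* Counting pass with the patch's rule: a zero result for a non-NUL byte means
 * malformed input, so advance one byte instead of trusting the lead byte. */
static size_t count_fixed(const unsigned char *src, size_t slen)
{
    size_t total = 0, len, increment;
    for (size_t i = 0; i < slen; i += increment) {
        unsigned long k = utf8_decode(src + i, src + slen, &len);
        increment = (k == 0 && src[i] != '\0') ? 1 : utf8skip(src[i]);
        total += escaped_cost(k, src[i]);
    }
    return total;
}

/* Emission pass: always advances by the decoder's length. Writes at most cap
 * bytes (no terminator) and returns the size the full output needs, so the
 * caller can see when a buffer sized by count_naive() would have overflowed. */
static size_t escape_utf8(const unsigned char *src, size_t slen, char *out, size_t cap)
{
    size_t pos = 0, len;
    for (size_t i = 0; i < slen; i += len) {
        unsigned long cp = utf8_decode(src + i, src + slen, &len);
        char tmp[16];
        size_t n;
        if (cp == 0 && src[i] != '\0')
            n = (size_t)snprintf(tmp, sizeof tmp, "\\x{%x}", (unsigned)src[i]);
        else if (cp < 0x80) {
            n = (cp == '\'' || cp == '\\') ? 2 : 1;
            tmp[0] = (n == 2) ? '\\' : (char)cp;
            tmp[1] = (char)cp;
        } else
            n = (size_t)snprintf(tmp, sizeof tmp, "\\x{%lx}", cp);
        if (pos + n <= cap)            /* bounds check so the demo itself cannot overflow */
            memcpy(out + pos, tmp, n);
        pos += n;
    }
    return pos;
}

/* Constructed input shaped like the patch's test case: "\x{fc}'" x pairs. */
static size_t make_fc_quote(unsigned char *buf, size_t pairs)
{
    for (size_t i = 0; i < pairs; i++) { buf[2 * i] = 0xFC; buf[2 * i + 1] = '\''; }
    return 2 * pairs;
}

int main(void)
{
    unsigned char in[100];
    char out[512];
    size_t n = make_fc_quote(in, 50);
    printf("counted (buggy) %zu, counted (fixed) %zu, actually needed %zu\n",
           count_naive(in, n), count_fixed(in, n), escape_utf8(in, n, out, sizeof out));
    return 0;
}
```

For the 100-byte test-case input the buggy count is 102 bytes while the emission pass needs 400, which is the shape of the realloc corruption in the backtrace: the buffer is grown to the counted size and then written past. The same inputs give identical numbers from count_fixed() and escape_utf8(), and valid UTF-8 gives the same number from all three.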


p5pRT commented Nov 7, 2010

From @ntyni

0001-Fix-an-out-of-bounds-write-in-Data-Dumper-with-malfo.patch
From 93419bfa5a174f17d59db16b7ce16b8eb14b9aa8 Mon Sep 17 00:00:00 2001
From: Niko Tyni <ntyni@debian.org>
Date: Sat, 6 Nov 2010 21:44:35 +0200
Subject: [PATCH] Fix an out of bounds write in Data-Dumper with malformed utf8 input

When warnings are enabled and Dumper() is called with an invalid utf8
string that still has the UTF8 flag on, esc_q_utf8() miscounts the size
of the escaped string.
---
 dist/Data-Dumper/Dumper.xs |    6 +++++-
 dist/Data-Dumper/t/bugs.t  |   14 +++++++++++++-
 2 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/dist/Data-Dumper/Dumper.xs b/dist/Data-Dumper/Dumper.xs
index 7845962..ce38ec0 100644
--- a/dist/Data-Dumper/Dumper.xs
+++ b/dist/Data-Dumper/Dumper.xs
@@ -142,11 +142,15 @@ esc_q_utf8(pTHX_ SV* sv, register const char *src, register STRLEN slen)
     STRLEN single_quotes = 0;
     STRLEN qq_escapables = 0;	/* " $ @ will need a \ in "" strings.  */
     STRLEN normal = 0;
+    int increment;
 
     /* this will need EBCDICification */
-    for (s = src; s < send; s += UTF8SKIP(s)) {
+    for (s = src; s < send; s += increment) {
         const UV k = utf8_to_uvchr((U8*)s, NULL);
 
+        /* check for invalid utf8 */
+        increment = (k == 0 && *s != '\0') ? 1 : UTF8SKIP(s);
+
 #ifdef EBCDIC
 	if (!isprint(k) || k > 256) {
 #else
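Review bot: the new `increment` only corrects the counting pass; the emission pass that later writes the escaped bytes is outside this hunk and has to advance by the same rule on malformed input, otherwise the count and the write still disagree and the out-of-bounds write the description reports comes back. Two smaller points: `k == 0 && *s != '\0'` treats a zero return for a non-NUL byte as the malformed-input signal, and the comment `/* check for invalid utf8 */` should state that convention so a reader does not wonder why NUL is special-cased; and `increment` is declared `int` while the neighbouring counters are `STRLEN`, so `STRLEN increment;` would match the surrounding types and avoid the signed/unsigned mix in `s += increment`.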
diff --git a/dist/Data-Dumper/t/bugs.t b/dist/Data-Dumper/t/bugs.t
index 3c5d141..ceca4b9 100644
--- a/dist/Data-Dumper/t/bugs.t
+++ b/dist/Data-Dumper/t/bugs.t
@@ -12,7 +12,7 @@ BEGIN {
 }
 
 use strict;
-use Test::More tests => 6;
+use Test::More tests => 7;
 use Data::Dumper;
 
 {
@@ -85,4 +85,16 @@ Data::Dumper->Dump([*{*STDERR{IO}}]);
 ok("ok", #ok
    "empty-string glob [perl #72332]");
 
+# writing out of bounds with malformed utf8
+SKIP: {
+    eval { require Encode };
+    skip("Encode not available", 1) if $@;
+    local $^W=1;
+    local $SIG{__WARN__} = sub {};
+    my $a="\x{fc}'" x 50;
+    Encode::_utf8_on($a);
+    Dumper $a;
+    ok("ok", "no crash dumping malformed utf8 with the utf8 flag on");
+}
+
 # EOF
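Review bot: `ok("ok", ...)` passes unconditionally, so this test can only fail by the interpreter crashing; that matches the `empty-string glob` test just above it, but the comment should say the assertion is "we got here" so nobody later tries to strengthen it into an output check. `local $^W=1;` is not incidental either: the description says the miscount only happens with warnings enabled, so a comment that the test must run with warnings on would stop a future cleanup from dropping it, and `local $SIG{__WARN__} = sub {};` is what keeps the fifty "Malformed UTF-8 character" warnings out of the test output.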
-- 
1.7.2.3


p5pRT commented Nov 7, 2010

From @cpansprout

On Sun Nov 07 10:37:56 2010, ntyni@debian.org wrote:

> When warnings are enabled and Data::Dumper::Dumper() is called with
> an invalid utf8 string that still has the UTF8 flag on, esc_q_utf8()
> miscounts the size of the escaped string. The result is an out of
> bounds write.
>
> % ./perl -Ilib -w -MData::Dumper -MEncode -e 'for (1..50) { $a =
> "\x{fc}" . "A"x$_; Encode::_utf8_on($a); Dumper $a }'
> Malformed UTF-8 character (unexpected non-continuation byte 0x41,
> immediately after start byte 0xfc) in subroutine entry at
> lib/Data/Dumper.pm line 190.

> Proposed patch attached, including a test case.

Thank you. Applied as 7d3a730.


p5pRT commented Nov 7, 2010

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Nov 7, 2010

@cpansprout - Status changed from 'open' to 'resolved'
