New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Crash in Data-Dumper with invalid utf8 input #10803
Comments
From @ntyniThis is a bug report for perl from Niko Tyni <ntyni@debian.org>, When warnings are enabled and Data::Dumper::Dumper() is called with % ./perl -Ilib -w -MData::Dumper -MEncode -e 'for (1..50) { $a = "\x{fc}" . "A"x$_; Encode::_utf8_on($a); Dumper $a }' Proposed patch attached, including a test case. Originally reported as http://bugs.debian.org/574156 Flags: Site configuration information for perl 5.13.6: Configured by niko at Fri Nov 5 14:02:26 EET 2010. Summary of my perl5 (revision 5 version 13 subversion 6) configuration: Locally applied patches: @INC for perl 5.13.6: Environment for perl 5.13.6: |
From @ntyni0001-Fix-an-out-of-bounds-write-in-Data-Dumper-with-malfo.patchFrom 93419bfa5a174f17d59db16b7ce16b8eb14b9aa8 Mon Sep 17 00:00:00 2001
From: Niko Tyni <ntyni@debian.org>
Date: Sat, 6 Nov 2010 21:44:35 +0200
Subject: [PATCH] Fix an out of bounds write in Data-Dumper with malformed utf8 input
When warnings are enabled and Dumper() is called with an invalid utf8
string that still has the UTF8 flag on, esc_q_utf8() miscounts the size
of the escaped string.
---
dist/Data-Dumper/Dumper.xs | 6 +++++-
dist/Data-Dumper/t/bugs.t | 14 +++++++++++++-
2 files changed, 18 insertions(+), 2 deletions(-)
diff --git a/dist/Data-Dumper/Dumper.xs b/dist/Data-Dumper/Dumper.xs
index 7845962..ce38ec0 100644
--- a/dist/Data-Dumper/Dumper.xs
+++ b/dist/Data-Dumper/Dumper.xs
@@ -142,11 +142,15 @@ esc_q_utf8(pTHX_ SV* sv, register const char *src, register STRLEN slen)
STRLEN single_quotes = 0;
STRLEN qq_escapables = 0; /* " $ @ will need a \ in "" strings. */
STRLEN normal = 0;
+ int increment;
/* this will need EBCDICification */
- for (s = src; s < send; s += UTF8SKIP(s)) {
+ for (s = src; s < send; s += increment) {
const UV k = utf8_to_uvchr((U8*)s, NULL);
+ /* check for invalid utf8 */
+ increment = (k == 0 && *s != '\0') ? 1 : UTF8SKIP(s);
+
#ifdef EBCDIC
if (!isprint(k) || k > 256) {
#else
diff --git a/dist/Data-Dumper/t/bugs.t b/dist/Data-Dumper/t/bugs.t
index 3c5d141..ceca4b9 100644
--- a/dist/Data-Dumper/t/bugs.t
+++ b/dist/Data-Dumper/t/bugs.t
@@ -12,7 +12,7 @@ BEGIN {
}
use strict;
-use Test::More tests => 6;
+use Test::More tests => 7;
use Data::Dumper;
{
@@ -85,4 +85,16 @@ Data::Dumper->Dump([*{*STDERR{IO}}]);
ok("ok", #ok
"empty-string glob [perl #72332]");
+# writing out of bounds with malformed utf8
+SKIP: {
+ eval { require Encode };
+ skip("Encode not available", 1) if $@;
+ local $^W=1;
+ local $SIG{__WARN__} = sub {};
+ my $a="\x{fc}'" x 50;
+ Encode::_utf8_on($a);
+ Dumper $a;
+ ok("ok", "no crash dumping malformed utf8 with the utf8 flag on");
+}
+
# EOF
--
1.7.2.3
|
From @cpansproutOn Sun Nov 07 10:37:56 2010, ntyni@debian.org wrote:
Thank you. Applied as 7d3a730. |
The RT System itself - Status changed from 'new' to 'open' |
@cpansprout - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#78898 (status was 'resolved')
Searchable as RT78898$
The text was updated successfully, but these errors were encountered: