Report information
Id: 123874
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: hv <hv [at] crypt.org>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: 5.22.0



Subject: pack underflow
AFL (<http://lcamtuf.coredump.cx/afl/>) finds this: % ./miniperl -e 'pack "pi/x"' Segmentation fault (core dumped) % This occurs because the NEXTFROM macro leaves items == -1, and we then end up trying to Zero(cur, len, char) with len == -1. The code fix is below, will push once I've added a test. Hugo --- a/pp_pack.c +++ b/pp_pack.c @@ -2094,7 +2094,7 @@ S_pack_rec(pTHX_ SV *cat, tempsym_t* symptr, SV **beglist, SV **endlist ) char *cur = start + SvCUR(cat); bool needs_swap; -#define NEXTFROM (lengthcode ? lengthcode : items-- > 0 ? *beglist++ : &PL_sv_no) +#define NEXTFROM (lengthcode ? lengthcode : items > 0 ? (--items, *beglist++) : &PL_sv_no) #define PEEKFROM (lengthcode ? lengthcode : items > 0 ? *beglist : &PL_sv_no) switch (howlen) {
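Review bot: the new NEXTFROM definition on the `+` line has no comment saying why the decrement now sits inside the true branch, so a later cleanup could fold it back into `items-- > 0`. A one-line comment above the #define, stating that items must never drop below zero because later code uses it as a count, would protect the fix. The regression test for `pack "pi/x"` should also land in the same commit as the macro change rather than afterwards. PEEKFROM on the following context line already tests `items > 0` without modifying the count, so the two macros now agree on the empty-list case.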
RT-Send-CC: perl5-porters [...] perl.org
Now fixed by fc1bb3f2dc:

    [perl #123874] fix argument underflow for pack()

    NEXTFROM() modified the item count while testing it, so the next use saw
    the count (of -1) as non-zero and ended up trying to write ~1 bytes.
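The counting behaviour the commit message describes, reduced to a stand-alone C program. This is an added example, not code from the ticket or from perl: `sv_no`, `items_after_old`, `items_after_new` and `as_byte_count` are illustrative names, plain `int` pointers stand in for `SV *`, and the `lengthcode` branch of the macro is left out.

```c
#include <stddef.h>
#include <stdio.h>

static int sv_no;               /* stand-in for PL_sv_no (assumption) */

/* Pre-fix shape: the decrement runs even when the test fails. */
#define NEXTFROM_OLD (items-- > 0 ? *beglist++ : &sv_no)
/* Post-fix shape: the decrement runs only when an item is consumed. */
#define NEXTFROM_NEW (items > 0 ? (--items, *beglist++) : &sv_no)

/* Fetch `fetches` values from `items` arguments; return the final count. */
long items_after_old(int **beglist, long items, int fetches)
{
    long sum = 0;
    while (fetches-- > 0)
        sum += *NEXTFROM_OLD;
    (void)sum;
    return items;
}

long items_after_new(int **beglist, long items, int fetches)
{
    long sum = 0;
    while (fetches-- > 0)
        sum += *NEXTFROM_NEW;
    (void)sum;
    return items;
}

/* What a count becomes when handed to a size_t parameter, as memset takes. */
size_t as_byte_count(long items)
{
    return (size_t)items;
}

int main(void)
{
    int a = 1, b = 2;
    int *args[] = { &a, &b };   /* constructed sample argument list */

    printf("old, 0 args, 1 fetch:   items=%ld bytes=%zu\n",
           items_after_old(args, 0, 1), as_byte_count(items_after_old(args, 0, 1)));
    printf("new, 0 args, 1 fetch:   items=%ld bytes=%zu\n",
           items_after_new(args, 0, 1), as_byte_count(items_after_new(args, 0, 1)));
    printf("old, 2 args, 3 fetches: items=%ld\n", items_after_old(args, 2, 3));
    printf("new, 2 args, 3 fetches: items=%ld\n", items_after_new(args, 2, 3));
    return 0;
}
```

With the old macro every fetch past the end of the list pushes the count one further below zero, which is why any later check that only asks whether the count is non-zero passes.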
Thank you for submitting this ticket. The issue should now be resolved with the release today of Perl v5.22, which is available at http://www.perl.org/get.html

-- 
Karl Williamson for the Perl 5 team

