null ptr deref -> S_clear_yystack (perly.c:218) #14738
Comments
From @geeknikThe attached "script" causes a null ptr deref and seg fault in Perl v5.23.0 (v5.22.0-63-g216b41c): syntax error at test199-min line 1, near "0}" Program received signal SIGSEGV, Segmentation fault. syntax error at test199-min line 1, near "0}" It also causes a null ptr deref and seg fault in Perl v5.21.7 (v5.21.6-602-ge9d2bd8), albeit in a different location and file: Program received signal SIGSEGV, Segmentation fault. ==60285== Invalid read of size 8 This bug was found with AFL (http://lcamtuf.coredump.cx/afl/). |
From @geeknik |
From @geeknikConfirmed to still affect Perl v5.23.2 (v5.23.1-27-g5cce15f). |
From [Unknown Contact. See original ticket]Confirmed to still affect Perl v5.23.2 (v5.23.1-27-g5cce15f). |
From @rjbsAnybody had a chance to look into this yet? -- |
|
The RT System itself - Status changed from 'new' to 'open' |
|
@rjbs - Status changed from 'open' to 'resolved' |
From @shlomifOn Thu Sep 03 18:46:38 2015, rjbs wrote:
I've taken a look now, and here's a tentative, symptomatic patch, which adds a test and passes the new test and all existing tests. I'm not sure it's the proper way to fix it. Regards, — Shlomi |
From @shlomif0001-Tentative-fix-for-RT-125350-AFL-detected-crash.patchFrom 0226391da24e773e63b8c7044c7069bd713e7d13 Mon Sep 17 00:00:00 2001
From: Shlomi Fish <shlomif@shlomifish.org>
Date: Fri, 4 Sep 2015 22:26:12 +0300
Subject: [PATCH] Tentative fix for RT#125350 - AFL detected crash.
---
perly.c | 2 +-
t/base/lex.t | 8 +++++++-
2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/perly.c b/perly.c
index abb4d4e..91b4c79 100644
--- a/perly.c
+++ b/perly.c
@@ -213,7 +213,7 @@ S_clear_yystack(pTHX_ const yy_parser *parser)
if (yy_type_tab[yystos[ps->state]] == toketype_opval
&& ps->val.opval)
{
- if (ps->compcv != PL_compcv) {
+ if (ps->compcv && (ps->compcv != PL_compcv)) {
PL_compcv = ps->compcv;
PAD_SET_CUR_NOSAVE(CvPADLIST(PL_compcv), 1);
PL_comppad_name = PadlistNAMES(CvPADLIST(PL_compcv));
diff --git a/t/base/lex.t b/t/base/lex.t
index 47c6be8..981b2e5 100644
--- a/t/base/lex.t
+++ b/t/base/lex.t
@@ -1,6 +1,6 @@
#!./perl
-print "1..103\n";
+print "1..104\n";
$x = 'x';
@@ -517,3 +517,9 @@ eval q|s##[}#e|;
eval '0; qq{@{sub{]]}}}}}';
print "ok $test - 124385\n"; $test++;
}
+
+{
+ # Used to crash [perl #125350]
+ eval ('qq{@{[0}*sub{]]}}}=sub{0' . "\c[");
+ print "ok $test - 125350\n"; $test++;
+}
--
2.4.5
|
From @rurbanOn Fri Sep 04 12:33:34 2015, shlomif wrote:
LGTM -- |
From @jkeenanOn Fri Sep 04 12:33:34 2015, shlomif wrote:
Discussed on #p5p this afternoon. The patch looks good, includes a test, appears to address the immediate problem. We figure the only way we'll flush out other problems is by pushing it to blead and letting the world have at it. Pushed to blead in commit a293d0f. I'll take the ticket for the purpose of closing it within 7 days unless there is objection or bad test results. Thank you very much. -- |
From @jkeenanRe-opening pending completion of the 7-day period specified in previous post. (The ticket was marked Resolved earlier this month, but that appears to have been an error.) -- |
|
@jkeenan - Status changed from 'resolved' to 'open' |
From @jkeenanResolved as per schedule described in previous post. -- |
|
@jkeenan - Status changed from 'open' to 'resolved' |
Migrated from rt.perl.org#125350 (status was 'resolved')
Searchable as RT125350$
The text was updated successfully, but these errors were encountered: