Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Double-free in Perl_free_tmps #14943

Open
p5pRT opened this issue Sep 26, 2015 · 3 comments
Open

Double-free in Perl_free_tmps #14943

p5pRT opened this issue Sep 26, 2015 · 3 comments

Comments

@p5pRT
Copy link

p5pRT commented Sep 26, 2015

Migrated from rt.perl.org#126199 (status was 'open')

Searchable as RT126199$
@p5pRT
Copy link
Author

p5pRT commented Sep 26, 2015

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and filtering out testcases that are merely iterations of "#!perl -u", I have located the following testcase that triggers a double free in the perl interpreter. The testcase is the 134-character file​:

du_S.Ak.SA.=$[.=_.Ak.SA.=$[.=$[=$$$_S.Ak.S.=$[.=$[=$$$A.k.SA.=$[.=*[=$$$_S.AkAk.SA.=%[=__S.Ak.SA.=$[.=$[=$S.Ak.SA.=$[.=_.Ak.SA.=$[.$$$

Any attempt to reduce this testcase causes the bug to disappear.

dcollins@​nightshade​:/usr/local/perl-afl/out$ ../bin/perl f2/crashes/id\​:000000\,sig\​:06\,src\​:006941+020231\,op\​:splice\,rep\​:2ig\​:06\,src\
*** Error in `../bin/perl'​: double free or corruption (!prev)​: 0x0a21c3f0 ***
======= Backtrace​: =========
/lib/libc.so.6(+0x68c9b)[0xb7589c9b]
/lib/libc.so.6(+0x6eef7)[0xb758fef7]
/lib/libc.so.6(+0x6f6a1)[0xb75906a1]
../bin/perl(Perl_sv_clear+0x609)[0x838b2c9]
../bin/perl(Perl_sv_free2+0x191)[0x8386cd1]
../bin/perl(Perl_free_tmps+0x27a)[0x845e6ea]
../bin/perl(perl_run+0xaf5)[0x8116ec5]
../bin/perl(main+0x392)[0x8068972]
/lib/libc.so.6(__libc_start_main+0xf7)[0xb7539447]
../bin/perl[0x80689d7]
======= Memory map​: ========
08048000-087d8000 r-xp 00000000 08​:01 192212 /usr/local/perl-afl/bin/perl
087d8000-087da000 rw-p 00790000 08​:01 192212 /usr/local/perl-afl/bin/perl
0a215000-0a258000 rw-p 00000000 00​:00 0 [heap]
b7200000-b7221000 rw-p 00000000 00​:00 0
b7221000-b7300000 ---p 00000000 00​:00 0
b7364000-b7380000 r-xp 00000000 08​:01 1219379 /usr/local/lib/libgcc_s.so.1
b7380000-b7381000 rw-p 0001b000 08​:01 1219379 /usr/local/lib/libgcc_s.so.1
b7391000-b751f000 r--p 00000000 08​:01 1209425 /usr/lib/locale/locale-archive
b751f000-b7521000 rw-p 00000000 00​:00 0
b7521000-b76d1000 r-xp 00000000 08​:01 858184 /lib/libc-2.22.so
b76d1000-b76d3000 r--p 001b0000 08​:01 858184 /lib/libc-2.22.so
b76d3000-b76d4000 rw-p 001b2000 08​:01 858184 /lib/libc-2.22.so
b76d4000-b76d7000 rw-p 00000000 00​:00 0
b76d7000-b76d9000 r-xp 00000000 08​:01 858182 /lib/libutil-2.22.so
b76d9000-b76da000 r--p 00001000 08​:01 858182 /lib/libutil-2.22.so
b76da000-b76db000 rw-p 00002000 08​:01 858182 /lib/libutil-2.22.so
b76db000-b76e4000 r-xp 00000000 08​:01 439490 /lib/libcrypt-2.22.so
b76e4000-b76e5000 r--p 00008000 08​:01 439490 /lib/libcrypt-2.22.so
b76e5000-b76e6000 rw-p 00009000 08​:01 439490 /lib/libcrypt-2.22.so
b76e6000-b770e000 rw-p 00000000 00​:00 0
b770e000-b7759000 r-xp 00000000 08​:01 858147 /lib/libm-2.22.so
b7759000-b775a000 r--p 0004b000 08​:01 858147 /lib/libm-2.22.so
b775a000-b775b000 rw-p 0004c000 08​:01 858147 /lib/libm-2.22.so
b775b000-b775e000 r-xp 00000000 08​:01 858149 /lib/libdl-2.22.so
b775e000-b775f000 r--p 00002000 08​:01 858149 /lib/libdl-2.22.so
b775f000-b7760000 rw-p 00003000 08​:01 858149 /lib/libdl-2.22.so
b7760000-b7777000 r-xp 00000000 08​:01 858160 /lib/libnsl-2.22.so
b7777000-b7778000 r--p 00016000 08​:01 858160 /lib/libnsl-2.22.so
b7778000-b7779000 rw-p 00017000 08​:01 858160 /lib/libnsl-2.22.so
b7779000-b777b000 rw-p 00000000 00​:00 0
b777b000-b7794000 r-xp 00000000 08​:01 439491 /lib/libpthread-2.22.so
b7794000-b7795000 r--p 00018000 08​:01 439491 /lib/libpthread-2.22.so
b7795000-b7796000 rw-p 00019000 08​:01 439491 /lib/libpthread-2.22.so
b7796000-b7798000 rw-p 00000000 00​:00 0
b779c000-b779d000 rw-p 00000000 00​:00 0
b779d000-b77a7000 r-xp 00000000 08​:01 216674 /usr/local/perl-afl/lib/5.23.4/i686-linux-64int-ld/auto/arybase/arybase.so
b77a7000-b77a8000 rw-p 00009000 08​:01 216674 /usr/local/perl-afl/lib/5.23.4/i686-linux-64int-ld/auto/arybase/arybase.so
b77a8000-b77a9000 rw-p 00000000 00​:00 0
b77a9000-b77aa000 r-xp 00000000 00​:00 0 [vdso]
b77aa000-b77cc000 r-xp 00000000 08​:01 858183 /lib/ld-2.22.so
b77cc000-b77cd000 r--p 00021000 08​:01 858183 /lib/ld-2.22.so
b77cd000-b77ce000 rw-p 00022000 08​:01 858183 /lib/ld-2.22.so
bf88d000-bf8a2000 rw-p 00000000 00​:00 0 [stack]
Aborted

**GDB**

Program received signal SIGABRT, Aborted.
0xb7fdb424 in __kernel_vsyscall ()
(gdb) bt
#0 0xb7fdb424 in __kernel_vsyscall ()
#1 0xb7d7ebd6 in __GI_raise (sig=6) at ../sysdeps/unix/sysv/linux/raise.c​:55
#2 0xb7d801a7 in __GI_abort () at abort.c​:89
#3 0xb7dbbca0 in __libc_message (do_abort=2,
  fmt=0xb7eb31d0 "*** Error in `%s'​: %s​: 0x%s ***\n")
  at ../sysdeps/posix/libc_fatal.c​:175
#4 0xb7dc1ef7 in malloc_printerr (action=<optimized out>,
  str=0xb7eb3240 "double free or corruption (!prev)", ptr=<optimized out>,
  ar_ptr=0xb7f05780 <main_arena>) at malloc.c​:5000
#5 0xb7dc26a1 in _int_free (av=0xb7f05780 <main_arena>, p=<optimized out>,
  have_lock=0) at malloc.c​:3861
#6 0x0838b2c9 in Perl_sv_clear (orig_sv=0x87ece88) at sv.c​:6606
#7 0x08386cd1 in Perl_sv_free2 (sv=0x87ece88, rc=1) at sv.c​:6881
#8 0x0845e6ea in S_SvREFCNT_dec_NN (sv=<optimized out>) at inline.h​:177
#9 Perl_free_tmps () at scope.c​:182
#10 0x08116ec5 in perl_run (my_perl=0x87da008) at perl.c​:2384
#11 0x08068972 in main (argc=2, argv=0xbffff484, env=0xbffff490)
  at perlmain.c​:116
(gdb)

**VALGRIND**

As usual, valgrind seems to modify the behavior slightly, but this call to memmove() on blocks of memory that are already freed seems to be quite relevant.

dcollins@​nightshade​:/usr/local/perl-afl/out$ valgrind ../bin/perl f2/crashes/id\​:000000\,sig\​:06\,src\​:006941+020231\,op\​:splice\,rep\​:2
==28572== Memcheck, a memory error detector
==28572== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==28572== Using Valgrind-3.10.1 and LibVEX; rerun with -h for copyright info
==28572== Command​: ../bin/perl f2/crashes/id​:000000,sig​:06,src​:006941+020231,op​:splice,rep​:2
==28572==
==28572== Invalid write of size 1
==28572== at 0x83CB717​: Perl_sv_setpvn (sv.c​:4851)
==28572== by 0x835594F​: Perl_pp_concat (pp_hot.c​:286)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572== Address 0x4303238 is 0 bytes inside a block of size 10 free'd
==28572== at 0x402B0B0​: free (vg_replace_malloc.c​:473)
==28572== by 0x838B2C8​: Perl_sv_clear (sv.c​:6606)
==28572== by 0x8386CD0​: Perl_sv_free2 (sv.c​:6881)
==28572== by 0x811B455​: S_SvREFCNT_dec (inline.h​:166)
==28572== by 0x811B455​: Perl_gp_free (gv.c​:2539)
==28572== by 0x83AB7C8​: Perl_sv_setsv_flags (sv.c​:4507)
==28572== by 0x835392E​: Perl_pp_sassign (pp_hot.c​:225)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572==
==28572== Invalid write of size 4
==28572== at 0x402DAB2​: __GI_memmove (vg_replace_strmem.c​:1110)
==28572== by 0x83C7194​: memmove (string3.h​:59)
==28572== by 0x83C7194​: Perl_sv_catpvn_flags (sv.c​:5370)
==28572== by 0x83555B4​: Perl_pp_concat (pp_hot.c​:310)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572== Address 0x4303238 is 0 bytes inside a block of size 10 free'd
==28572== at 0x402B0B0​: free (vg_replace_malloc.c​:473)
==28572== by 0x838B2C8​: Perl_sv_clear (sv.c​:6606)
==28572== by 0x8386CD0​: Perl_sv_free2 (sv.c​:6881)
==28572== by 0x811B455​: S_SvREFCNT_dec (inline.h​:166)
==28572== by 0x811B455​: Perl_gp_free (gv.c​:2539)
==28572== by 0x83AB7C8​: Perl_sv_setsv_flags (sv.c​:4507)
==28572== by 0x835392E​: Perl_pp_sassign (pp_hot.c​:225)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572==
==28572== Invalid write of size 2
==28572== at 0x402DB23​: __GI_memmove (vg_replace_strmem.c​:1110)
==28572== by 0x83C7194​: memmove (string3.h​:59)
==28572== by 0x83C7194​: Perl_sv_catpvn_flags (sv.c​:5370)
==28572== by 0x83555B4​: Perl_pp_concat (pp_hot.c​:310)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572== Address 0x4303244 is 2 bytes after a block of size 10 free'd
==28572== at 0x402B0B0​: free (vg_replace_malloc.c​:473)
==28572== by 0x838B2C8​: Perl_sv_clear (sv.c​:6606)
==28572== by 0x8386CD0​: Perl_sv_free2 (sv.c​:6881)
==28572== by 0x811B455​: S_SvREFCNT_dec (inline.h​:166)
==28572== by 0x811B455​: Perl_gp_free (gv.c​:2539)
==28572== by 0x83AB7C8​: Perl_sv_setsv_flags (sv.c​:4507)
==28572== by 0x835392E​: Perl_pp_sassign (pp_hot.c​:225)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572==
==28572== Invalid write of size 1
==28572== at 0x83C71D8​: Perl_sv_catpvn_flags (sv.c​:5392)
==28572== by 0x83555B4​: Perl_pp_concat (pp_hot.c​:310)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572== Address 0x4303246 is 4 bytes after a block of size 10 free'd
==28572== at 0x402B0B0​: free (vg_replace_malloc.c​:473)
==28572== by 0x838B2C8​: Perl_sv_clear (sv.c​:6606)
==28572== by 0x8386CD0​: Perl_sv_free2 (sv.c​:6881)
==28572== by 0x811B455​: S_SvREFCNT_dec (inline.h​:166)
==28572== by 0x811B455​: Perl_gp_free (gv.c​:2539)
==28572== by 0x83AB7C8​: Perl_sv_setsv_flags (sv.c​:4507)
==28572== by 0x835392E​: Perl_pp_sassign (pp_hot.c​:225)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572==
==28572== Invalid read of size 1
==28572== at 0x402DAE0​: __GI_memmove (vg_replace_strmem.c​:1110)
==28572== by 0x83C7194​: memmove (string3.h​:59)
==28572== by 0x83C7194​: Perl_sv_catpvn_flags (sv.c​:5370)
==28572== by 0x83555B4​: Perl_pp_concat (pp_hot.c​:310)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572== Address 0x4303238 is 0 bytes inside a block of size 10 free'd
==28572== at 0x402B0B0​: free (vg_replace_malloc.c​:473)
==28572== by 0x838B2C8​: Perl_sv_clear (sv.c​:6606)
==28572== by 0x8386CD0​: Perl_sv_free2 (sv.c​:6881)
==28572== by 0x811B455​: S_SvREFCNT_dec (inline.h​:166)
==28572== by 0x811B455​: Perl_gp_free (gv.c​:2539)
==28572== by 0x83AB7C8​: Perl_sv_setsv_flags (sv.c​:4507)
==28572== by 0x835392E​: Perl_pp_sassign (pp_hot.c​:225)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572==
==28572== Invalid read of size 1
==28572== at 0x402DAEB​: __GI_memmove (vg_replace_strmem.c​:1110)
==28572== by 0x83C7194​: memmove (string3.h​:59)
==28572== by 0x83C7194​: Perl_sv_catpvn_flags (sv.c​:5370)
==28572== by 0x83555B4​: Perl_pp_concat (pp_hot.c​:310)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572== Address 0x430323a is 2 bytes inside a block of size 10 free'd
==28572== at 0x402B0B0​: free (vg_replace_malloc.c​:473)
==28572== by 0x838B2C8​: Perl_sv_clear (sv.c​:6606)
==28572== by 0x8386CD0​: Perl_sv_free2 (sv.c​:6881)
==28572== by 0x811B455​: S_SvREFCNT_dec (inline.h​:166)
==28572== by 0x811B455​: Perl_gp_free (gv.c​:2539)
==28572== by 0x83AB7C8​: Perl_sv_setsv_flags (sv.c​:4507)
==28572== by 0x835392E​: Perl_pp_sassign (pp_hot.c​:225)
==28572== by 0x835106A​: Perl_runops_standard (run.c​:41)
==28572== by 0x8116EB6​: S_run_body (perl.c​:2456)
==28572== by 0x8116EB6​: perl_run (perl.c​:2379)
==28572== by 0x8068971​: main (perlmain.c​:116)
==28572==
==28572==
==28572== HEAP SUMMARY​:
==28572== in use at exit​: 136,520 bytes in 805 blocks
==28572== total heap usage​: 1,414 allocs, 609 frees, 226,471 bytes allocated
==28572==
==28572== LEAK SUMMARY​:
==28572== definitely lost​: 0 bytes in 0 blocks
==28572== indirectly lost​: 0 bytes in 0 blocks
==28572== possibly lost​: 16,925 bytes in 9 blocks
==28572== still reachable​: 119,595 bytes in 796 blocks
==28572== suppressed​: 0 bytes in 0 blocks
==28572== Rerun with --leak-check=full to see details of leaked memory
==28572==
==28572== For counts of detected and suppressed errors, rerun with​: -v
==28572== ERROR SUMMARY​: 21 errors from 6 contexts (suppressed​: 0 from 0)

**PERL -V**

dcollins@​nightshade​:/usr/local/perl-afl/out$ ../bin/perl -V
Summary of my perl5 (revision 5 version 23 subversion 4) configuration​:
  Commit id​: 7a36e61
  Platform​:
  osname=linux, osvers=2.6.32-5-686, archname=i686-linux-64int-ld
  uname='linux nightshade 2.6.32-5-686 #1 smp tue may 13 16​:33​:32 utc 2014 i686 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=undef, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache afl-gcc', ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='5.2.0', gccosandvers=''
  intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12, longdblkind=3
  ivtype='long long', ivsize=8, nvtype='long double', nvsize=12, Off_t='off_t', lseeksize=8
  alignbytes=4, prototype=define
  Linker and Libraries​:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/i686-pc-linux-gnu/5.2.0/include-fixed /usr/lib /lib/../lib /usr/lib/../lib /lib /usr/lib/i486-linux-gnu /usr/lib64
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.22'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_INT
  USE_LARGE_FILES USE_LOCALE USE_LOCALE_COLLATE
  USE_LOCALE_CTYPE USE_LOCALE_NUMERIC USE_LOCALE_TIME
  USE_LONG_DOUBLE USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Sep 24 2015 13​:01​:10
  @​INC​:
  /usr/local/perl-afl/lib/site_perl/5.23.4/i686-linux-64int-ld
  /usr/local/perl-afl/lib/site_perl/5.23.4
  /usr/local/perl-afl/lib/5.23.4/i686-linux-64int-ld
  /usr/local/perl-afl/lib/5.23.4
  /usr/local/perl-afl/lib/site_perl/5.23.3
  /usr/local/perl-afl/lib/site_perl/5.23.2
  /usr/local/perl-afl/lib/site_perl
  .

@p5pRT
Copy link
Author

p5pRT commented Sep 26, 2015

From perl@profvince.com

Le 26/09/2015 16​:42, Dan Collins (via RT) a écrit :

# New Ticket Created by Dan Collins
# Please include the string​: [perl #126199]
# in the subject line of all future correspondence about this issue.
# <URL​: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=126199 >

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitint -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and filtering out testcases that are merely iterations of "#!perl -u", I have located the following testcase that triggers a double free in the perl interpreter. The testcase is the 134-character file​:

du_S.Ak.SA.=$[.=_.Ak.SA.=$[.=$[=$$$_S.Ak.S.=$[.=$[=$$$A.k.SA.=$[.=*[=$$$_S.AkAk.SA.=%[=__S.Ak.SA.=$[.=$[=$S.Ak.SA.=$[.=_.Ak.SA.=$[.$$$

Using a debugging and poisonous perl, I can reduce this to :

$[ .= *[ = 'y'

which seems to be yet another incarnation of the "stack is not
refcounted" bug.

Vincent

@p5pRT
Copy link
Author

p5pRT commented Sep 26, 2015

The RT System itself - Status changed from 'new' to 'open'

@xenu xenu removed the Severity Low label Dec 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@xenu @p5pRT