Segfault (GPF) in Perl_newSVpv at sv.c:9161 #15142

Closed
p5pRT opened this issue Jan 22, 2016 · 4 comments

Comments


p5pRT commented Jan 22, 2016

Migrated from rt.perl.org#127349 (status was 'rejected')

Searchable as RT127349$


p5pRT commented Jan 22, 2016

From @geeknik

Found while fuzzing Perl v5.23.8 (v5.23.7-12-g78e3ac8) with American Fuzzy Lop. This crash affects Perl 5.14.2 and 5.20.2 as well.

perl -e '{}for unpack q{p},*0;{}'

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00000000009da67c in Perl_newSVpv (
  s=0x303a3a6e69616d2a <error: Cannot access memory at address 0x303a3a6e69616d2a>, len=len@entry=0) at sv.c:9161
#2 0x0000000000e54a28 in S_unpack_rec (symptr=symptr@entry=0x7fffffffe030,
  s=0x12304e8 "", s@entry=0x12304e0 "*main::0",
  strbeg=strbeg@entry=0x12304e0 "*main::0",
  strend=strend@entry=0x12304e8 "", new_s=new_s@entry=0x0) at pp_pack.c:1564
#3 0x0000000000eda29d in Perl_unpackstring (pat=pat@entry=0x123f380 "p",
  patend=0x123f381 "", s=0x12304e0 "*main::0", strend=0x12304e8 "",
  flags=flags@entry=0) at pp_pack.c:835
#4 0x0000000000edb2df in Perl_pp_unpack () at pp_pack.c:1839
#5 0x00000000007e901f in Perl_runops_debug () at dump.c:2224
#6 0x0000000000545266 in S_run_body (oldscope=1) at perl.c:2466
#7 perl_run (my_perl=<optimized out>) at perl.c:2389
#8 0x000000000042bf68 in main (argc=2, argv=0x7fffffffe378,
  env=0x7fffffffe390) at perlmain.c:116

==55317== Invalid read of size 1
==55317== at 0x4C2ABC2: strlen (vg_replace_strmem.c:454)
==55317== by 0x9DA67B: Perl_newSVpv (sv.c:9161)
==55317== by 0xE54A27: S_unpack_rec (pp_pack.c:1564)
==55317== by 0xEDA29C: Perl_unpackstring (pp_pack.c:835)
==55317== by 0xEDB2DE: Perl_pp_unpack (pp_pack.c:1839)
==55317== by 0x7E901E: Perl_runops_debug (dump.c:2224)
==55317== by 0x545265: S_run_body (perl.c:2466)
==55317== by 0x545265: perl_run (perl.c:2389)
==55317== by 0x42BF67: main (perlmain.c:116)
==55317== Address 0x303a3a6e69616d2a is not stack'd, malloc'd or (recently) free'd
==55317==
==55317==
==55317== Process terminating with default action of signal 11 (SIGSEGV)
==55317== General Protection Fault
==55317== at 0x4C2ABC2: strlen (vg_replace_strmem.c:454)
==55317== by 0x9DA67B: Perl_newSVpv (sv.c:9161)
==55317== by 0xE54A27: S_unpack_rec (pp_pack.c:1564)
==55317== by 0xEDA29C: Perl_unpackstring (pp_pack.c:835)
==55317== by 0xEDB2DE: Perl_pp_unpack (pp_pack.c:1839)
==55317== by 0x7E901E: Perl_runops_debug (dump.c:2224)
==55317== by 0x545265: S_run_body (perl.c:2466)
==55317== by 0x545265: perl_run (perl.c:2389)
==55317== by 0x42BF67: main (perlmain.c:116)
Segmentation fault


p5pRT commented Jan 25, 2016

From @tonycoz

On Fri Jan 22 11:21:56 2016, brian.carpenter@gmail.com wrote:

Found while fuzzing Perl v5.23.8 (v5.23.7-12-g78e3ac8) with American
Fuzzy Lop. This crash affects Perl 5.14.2 and 5.20.2 as well.

perl -e '{}for unpack q{p},*0;{}'

The p unpack type uses the supplied value as a pointer; feeding it some random value is likely to crash.

Rejecting.

Tony
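The following Perl script is an added illustration of the point Tony makes, not part of the original report or of Perl's own code. It shows the legitimate pack/unpack 'p' round trip (the unpack side is the newSVpv(s, 0) call in the trace), decodes why the report's input produced the address gdb printed, and wraps unpack in a constructed helper (assumed name unpack_untrusted) that refuses the p and P formats when the template comes from outside the program. The 'Q<' decode assumes a 64-bit Perl.

```perl
#!/usr/bin/perl
# Added illustration for this page; not from the report or from perl's sources.
use strict;
use warnings;

# 1. Legitimate use: pack 'p' stores the address of $str's buffer as a
#    native pointer, and unpack 'p' follows that pointer and copies the
#    NUL-terminated C string it finds there. The pointer is only valid
#    while $str is alive and unmodified.
my $str    = "hello";
my $packed = pack('p', $str);
my ($back) = unpack('p', $packed);
print "round trip: $back\n";

# 2. The report's input: the glob *0 stringifies to "*main::0", eight
#    bytes long. Read as a little-endian 64-bit integer (assumes a 64-bit
#    perl), those bytes are exactly the address in the gdb backtrace, which
#    is why valgrind reports it as neither stack'd nor malloc'd. This only
#    decodes the bytes; nothing is dereferenced.
my $bytes = '*main::0';
printf "input bytes read as a pointer: %#x\n", unpack('Q<', $bytes);

# 3. Defensive wrapper (constructed helper name): when the template or the
#    data are attacker-influenced, reject p and P, the two formats perlfunc
#    documents as treating the data as a raw memory address. The remaining
#    formats operate on the string's own bytes.
sub unpack_untrusted {
    my ($template, $data) = @_;
    die "unpack_untrusted: pointer formats p/P not allowed in '$template'\n"
        if $template =~ /[pP]/;
    return unpack($template, $data);
}

# A normal binary decode passes through unchanged ...
my @fields = unpack_untrusted('N n', pack('N n', 0xdeadbeef, 80));
print "safe decode: @fields\n";

# ... while the report's template is refused instead of dereferencing garbage.
eval { unpack_untrusted('p', $bytes) };
print "rejected: $@" if $@;
```

The check is deliberately on the template rather than the data: there is no way to validate an arbitrary byte string as a "safe" pointer from Perl, so the only robust policy is to keep p/P out of any unpack whose template is not a compile-time constant in your own code.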


p5pRT commented Jan 25, 2016

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jan 25, 2016

@tonycoz - Status changed from 'open' to 'rejected'
