
commit "utf8.h, et.al.: Clean up some casts" causes "../t/re/pat_advanced.t .. panic: my_snprintf buffer overflow" #15156

Closed
p5pRT opened this issue Jan 29, 2016 · 5 comments

Comments


p5pRT commented Jan 29, 2016

Migrated from rt.perl.org#127426 (status was 'resolved')

Searchable as RT127426$


p5pRT commented Jan 29, 2016

From @bulk88

Created by @bulk88

Tried a DEBUGGING build, first DEBUGGING smoke in a while, with VC 2003, didn't try any other VCs with DEBUGGING to see if it is reproducible and don't really care.

bisected to
http://perl5.git.perl.org/perl.git/commitdiff/4c8cd60559ce65964c5e42f43021ce23dc89819e

I've made 2 branches to show the last good commit and the first bad commit, due to the VC2003 preprocessor CC crash in https://rt-archive.perl.org/perl5/Ticket/Display.html?id=126045 I had to apply the tonyc patches to both branches. Since I want to put the RT number in the branch name, I can't push the branches until this ticket is created.

--------------------------------------------
C:\perl521\src\win32>cd ..\t & perl harness -v ..\t\re\pat_advanced.t & cd ..\win32
../t/re/pat_advanced.t .. panic: my_snprintf buffer overflow at ../t/re/pat_advanced.t line 492.
Dubious, test returned 255 (wstat 65280, 0xff00)
No subtests run

Test Summary Report
-------------------
../t/re/pat_advanced.t (Wstat: 65280 Tests: 0 Failed: 0)
  Non-zero exit status: 255
  Parse errors: No plan found in TAP output
Files=1, Tests=0, 33 wallclock secs ( 0.05 usr + 0.00 sys = 0.05 CPU)
Result: FAIL

C:\perl521\src\win32>
--------------------------------------------

buffer after vsnprintf fills it and fails/truncates
--------------------------------------------
  buffer 0x0012ed74 "FFFF\N{U+" char *
  len 4 const unsigned int
  format 0x2828a304 "%02X." const char *
--------------------------------------------
 
The argument "NATIVE_TO_LATIN1(*str)" passed to my_snprintf is
0xffffffe7 or -25.

With this call stack _vsnprintf returns -1 eventually causing the panic
in Perl_my_snprintf.
--------------------------------------------
  msvcr71.dll!_output(_iobuf * stream=0x0012ebb0, const char * format=0x2828a304, char * argptr=0x0012ec04) Line 1070 C
  msvcr71.dll!_vsnprintf(char * string=0x0012ed70, unsigned int count=0x00000004, const char * format=0x2828a304, char * ap=0x0012ec04) Line 101 + 0x1f C
  perl523.dll!Perl_my_snprintf(char * buffer=0x0012ed70, const unsigned int len=0x00000004, const char * format=0x2828a304, ...) Line 5226 + 0x16 C
  perl523.dll!S_scan_const(interpreter * my_perl=0x00383de4, char * start=0x00c61cd4) Line 3597 + 0x1a C
  perl523.dll!Perl_yylex(interpreter * my_perl=0x00383de4) Line 4776 + 0x16 C
  perl523.dll!Perl_yyparse(interpreter * my_perl=0x00383de4, int gramtype=0x00000102) Line 322 + 0x9 C
  perl523.dll!S_parse_body(interpreter * my_perl=0x00383de4, char * * env=0x00384d90, void (interpreter *)* xsinit=0x28268990) Line 2312 + 0xe C
  perl523.dll!perl_parse(interpreter * my_perl=0x00383de4, void (interpreter *)* xsinit=0x28268990, int argc=0x00000002, char * * argv=0x00382c90, char * * env=0x00384d90) Line 1634 + 0x11 C
  perl523.dll!RunPerl(int argc=0x00000002, char * * argv=0x00382c90, char * * env=0x00384d90) Line 245 + 0x1a C++
  perl.exe!main(int argc=0x00000002, char * * argv=0x00382c90, char * * env=0x00382f28) Line 39 + 0x12 C
  perl.exe!mainCRTStartup() Line 398 + 0xe C
  kernel32.dll!_BaseProcessStart@4() + 0x23
--------------------------------------------
Curcop is in re/pat_advanced.t
--------------------------------------------
  ok("Fran\N{LATIN SMALL LETTER C}ais" =~ /Fran.ais/ &&
  $& eq "Francais", $message);
  ok("Fran\N{LATIN SMALL LETTER C WITH CEDILLA}ais" =~ /Fran.ais/ &&
  $& eq "Fran\N{LATIN SMALL LETTER C WITH CEDILLA}ais", $message);
  ok("Fran\N{LATIN SMALL LETTER C}ais" =~ /Fran\Xais/ &&
  $& eq "Francais", $message);
  ok("Fran\N{LATIN SMALL LETTER C WITH CEDILLA}ais" =~ /Fran\Xais/ &&
  $& eq "Fran\N{LATIN SMALL LETTER C WITH CEDILLA}ais", $message);
  ok("Franc\N{COMBINING CEDILLA}ais" =~ /Fran\Xais/ &&
  $& eq "Franc\N{COMBINING CEDILLA}ais", $message);
  ok("Fran\N{LATIN SMALL LETTER C WITH CEDILLA}ais" =~
  /Fran\N{LATIN SMALL LETTER C WITH CEDILLA}ais/ &&
<<<<<<<<<<<<<<HERE
  $& eq "Fran\N{LATIN SMALL LETTER C WITH CEDILLA}ais", $message);
  ok("Franc\N{COMBINING CEDILLA}ais" =~ /Franc\N{COMBINING CEDILLA}ais/ &&
  $& eq "Franc\N{COMBINING CEDILLA}ais", $message);

  my @f = (
  ["Fran\N{LATIN SMALL LETTER C}ais", "Francais"],
  ["Fran\N{LATIN SMALL LETTER C WITH CEDILLA}ais", "Fran\N{LATIN SMALL LETTER C WITH CEDILLA}ais"],
  ["Franc\N{COMBINING CEDILLA}ais", "Franc\N{COMBINING CEDILLA}ais"],
  );
--------------------------------------------

Perl Info

Flags:
    category=core
    severity=high

This perlbug was built using Perl 5.23.6 - Thu Jan 28 17:10:24 2016
It is being executed now by Perl 5.23.6 - Thu Jan 28 17:24:05 2016.

Site configuration information for perl 5.23.6:

Configured by Owner at Thu Jan 28 17:24:05 2016.

Summary of my perl5 (revision 5 version 23 subversion 6) configuration:
  Commit id: 56113e3dbafc3c91bbfd0abbefab97b509053d01
  Platform:
    osname=MSWin32, osvers=5.1, archname=MSWin32-x86-multi-thread
    uname=''
    config_args='undef'
    hint=recommended, useposix=true, d_sigaction=undef
    useithreads=define, usemultiplicity=define
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cl', ccflags ='-nologo -GF -W3 -Od -MD -Zi -DDEBUGGING -DWIN32 -D_CONSOLE -DNO_STRICT -DPERL_TEXTMODE_SCRIPTS -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS -D_USE_32BIT_TIME_T',
    optimize='-Od -MD -Zi -DDEBUGGING',
    cppflags='-DWIN32'
    ccversion='13.10.6030', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234, doublekind=3
    d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=8, longdblkind=0
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='__int64', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='link', ldflags ='-nologo -nodefaultlib -debug -libpath:"c:\perl\lib\CORE" -machine:x86'
    libpth=\lib
    libs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
    perllibs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
    libc=msvcrt.lib, so=dll, useshrplib=true, libperl=perl523.lib
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -libpath:"c:\perl\lib\CORE" -machine:x86'

@INC for perl 5.23.6:
    C:/perl521/src/lib
    .

Environment for perl 5.23.6:
    HOME (unset)
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=C:\perl521\bin;C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\IDE;C:\Program Files\Microsoft Visual Studio .NET 2003\VC7\BIN;C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools;C:\Program Files\Microsoft Visual Studio .NET 2003\Common7\Tools\bin\prerelease;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;
    PERL_BADLANG (unset)
    SHELL (unset)



p5pRT commented Feb 1, 2016

From @tonycoz

On Fri Jan 29 10:40:41 2016, bulk88 wrote:

Tried a DEBUGGING build, first DEBUGGING smoke in a while, with VC 2003, didn't try any other VCs with DEBUGGING to see if it is reproducible and don't really care.

bisected to
http://perl5.git.perl.org/perl.git/commitdiff/4c8cd60559ce65964c5e42f43021ce23dc89819e

I've made 2 branches to show the last good commit and the first bad commit, due to the VC2003 preprocessor CC crash in https://rt-archive.perl.org/perl5/Ticket/Display.html?id=126045 I had to apply the tonyc patches to both branches. Since I want to put the RT number in the branch name, I can't push the branches until this ticket is

This looks like a bug in the patch for #126045.

The newer macros add the casts so the callers don't need them, but the macros used on older MSVC don't include the cast.

Another issue is the test I added triggers when _MSC_VER isn't defined too, so non-MSVC builds are failing with the same error.

I'll push a fix for it soon.

Tony
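The mechanism behind the panic in the report above and Tony's explanation of the missing cast, as an added C example that is not Perl's own code: the two macro shapes, the 4-byte buffer and the overflow check are constructed stand-ins for utf8.h and Perl_my_snprintf, and the input byte is the Latin-1 encoding of the c-with-cedilla from the failing test.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char U8;

/* Same buffer size as the "len 4" watch value in the report. */
#define BUF_LEN 4

/* The two macro shapes from Tony's diagnosis: the newer one carries the
 * cast so callers need none; the older MSVC variant lacked it. Both are
 * constructed stand-ins, not Perl's utf8.h definitions. */
#define NATIVE_TO_LATIN1_NOCAST(ch) (ch)
#define NATIVE_TO_LATIN1_CAST(ch)   ((U8)(ch))

/* Stand-in for Perl_my_snprintf's overflow check: a negative result (old
 * MSVC _vsnprintf on truncation) or one that does not fit the buffer is
 * what raises "panic: my_snprintf buffer overflow". We return -1 where
 * Perl would croak, so the outcome can be checked by a caller. */
int checked_snprintf(char *buffer, size_t len, const char *format, ...)
{
    va_list ap;
    int n;
    va_start(ap, format);
    n = vsnprintf(buffer, len, format, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return n;
}

/* Latin-1 c-with-cedilla (U+00E7), the byte scan_const was formatting.
 * Plain char is signed on x86 MSVC and gcc; spelled out as signed char
 * so the demonstration does not depend on the platform default. */
const signed char SAMPLE_C_CEDILLA = (signed char)0xE7;

/* Old macro: *str is promoted to int -25 and reaches "%02X" as
 * 0xffffffe7. "FFFFFFE7." needs 9 bytes, so the 4-byte buffer
 * overflows and the check fires: returns -1. */
int format_without_cast(const signed char *str, char *out)
{
    return checked_snprintf(out, BUF_LEN, "%02X.", NATIVE_TO_LATIN1_NOCAST(*str));
}

/* Fixed macro: the U8 cast yields 0xE7, so "E7." fits: returns 3. */
int format_with_cast(const signed char *str, char *out)
{
    return checked_snprintf(out, BUF_LEN, "%02X.", NATIVE_TO_LATIN1_CAST(*str));
}
```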


p5pRT commented Feb 1, 2016

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Feb 1, 2016

From @tonycoz

On Sun Jan 31 18:16:54 2016, tonyc wrote:

I'll push a fix for it soon.

Fixed by 1a3756d.

Tony


p5pRT commented Feb 1, 2016

@tonycoz - Status changed from 'open' to 'resolved'
