PerlMemShared_realloc() without checking for a failure #15393

Open
p5pRT opened this issue Jun 14, 2016 · 4 comments
Comments

@p5pRT

p5pRT commented Jun 14, 2016

Migrated from rt.perl.org#128400 (status was 'open')

Searchable as RT128400$

@p5pRT

p5pRT commented Jun 14, 2016

From @ppisar

This is a bug report for perl from ppisar@redhat.com,
generated with the help of perlbug 1.40 running under perl 5.22.1.


There are various places where the PerlMemShared_realloc() function is called. The
function reduces to realloc(3), which can return NULL if the operating system is
unable to do the reallocation. However, PerlMemShared_realloc() invocations do
not check for the NULL return value. I would expect croak_no_mem() to be called in
that case.

An example is ptable_split() in ext/arybase/ptable.h:

ary = (ptable_ent **)PerlMemShared_realloc(ary, newsize * sizeof(*ary));
Zero(&ary[oldsize], newsize - oldsize, sizeof(*ary));

If PerlMemShared_realloc() returns NULL, not only the "ary" memory is lost,
but also subsequent Zero() will write to a wrong place.

Did I overlook something, or should that be fixed?



Flags:
  category=core
  severity=low

@p5pRT

p5pRT commented Jun 14, 2016

From @demerphq

On 14 June 2016 at 11:03, Petr Pisar <perlbug-followup@perl.org> wrote:

> # New Ticket Created by Petr Pisar
> # Please include the string: [perl #128400]
> # in the subject line of all future correspondence about this issue.
> # <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=128400 >
>
> This is a bug report for perl from ppisar@redhat.com,
> generated with the help of perlbug 1.40 running under perl 5.22.1.
>
> -----------------------------------------------------------------
>
> There are various places where the PerlMemShared_realloc() function is called. The
> function reduces to realloc(3), which can return NULL if the operating system is
> unable to do the reallocation. However, PerlMemShared_realloc() invocations do
> not check for the NULL return value. I would expect croak_no_mem() to be called in
> that case.
>
> An example is ptable_split() in ext/arybase/ptable.h:
>
> ary = (ptable_ent **)PerlMemShared_realloc(ary, newsize * sizeof(*ary));
> Zero(&ary[oldsize], newsize - oldsize, sizeof(*ary));
>
> If PerlMemShared_realloc() returns NULL, not only the "ary" memory is lost,
> but also subsequent Zero() will write to a wrong place.
>
> Did I overlook something, or should that be fixed?

It should be fixed.

Yves

@p5pRT

p5pRT commented Jun 14, 2016

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Jun 15, 2016

From @iabyn

On Tue, Jun 14, 2016 at 03:56:07PM +0200, demerphq wrote:

>> If PerlMemShared_realloc() returns NULL, not only the "ary" memory is lost,
>> but also subsequent Zero() will write to a wrong place.
>>
>> Did I overlook something, or should that be fixed?
>
> It should be fixed.

Agreed.

I guess we should use a wrapper function (c.f. Perl_safesysmalloc() for
normal mallocs) that checks args / return value and does croak_no_mem() if
necessary.

Presumably PerlMemShared_malloc and _calloc suffer from similar
problems?

--
"You may not work around any technical limitations in the software"
  -- Windows Vista license
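A checked wrapper of the kind suggested above, applied to the ptable_split() snippet from the report. This is an added example, not perl's code: `shared_realloc`, `ptable_grow`, the status codes and the `fail_next_realloc` switch are stand-ins for PerlMemShared_realloc() and croak_no_mem(), so the failure path can be exercised without exhausting memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct ptable_ent ptable_ent;   /* opaque, as in ptable.h */

/* Hypothetical stand-in for PerlMemShared_realloc(): plain realloc(3) with a
 * switch that forces one NULL return, so the failure path can be exercised. */
static int fail_next_realloc = 0;

static void *shared_realloc(void *p, size_t n) {
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

/* Outcome codes so callers (and tests) can see which path ran. In perl the
 * wrapper would call croak_no_mem() instead of returning a code. */
enum grow_status { GROW_OK = 0, GROW_OVERFLOW = 1, GROW_NOMEM = 2 };

/* Checked growth step in the spirit of Perl_safesysmalloc(): guards the size
 * multiplication, checks for NULL, and only then clears the new tail. On any
 * failure *aryp still points at the old, valid block, so nothing is leaked
 * and no write through NULL + oldsize happens. */
static enum grow_status ptable_grow(ptable_ent ***aryp, size_t oldsize, size_t newsize) {
    ptable_ent **ary;
    if (newsize < oldsize || newsize > SIZE_MAX / sizeof(*ary))
        return GROW_OVERFLOW;            /* table must grow, and newsize * sizeof(*ary) must not wrap */
    ary = (ptable_ent **)shared_realloc(*aryp, newsize * sizeof(*ary));
    if (ary == NULL)
        return GROW_NOMEM;               /* the report's unchecked code would continue past here */
    memset(&ary[oldsize], 0, (newsize - oldsize) * sizeof(*ary));  /* the Zero() call */
    *aryp = ary;
    return GROW_OK;
}

int main(void) {
    ptable_ent **ary = NULL;
    enum grow_status s = ptable_grow(&ary, 0, 8);
    printf("grow 0->8: status %d\n", s);
    fail_next_realloc = 1;                /* simulate the OS refusing the reallocation */
    s = ptable_grow(&ary, 8, 16);
    printf("grow 8->16 under failure: status %d, old block kept: %s\n", s, ary ? "yes" : "no");
    free(ary);
    return 0;
}
```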
