null ptr deref + segfault in Perl_sv_setpv_bufsize (sv.c:4956) #15740
Comments
From @geeknik:
Triggered while fuzzing Perl v5.25.7-26-g7332835.
./perl -e '$$.=$A=*$=0'
From @arc:
Brian Carpenter <perlbug-followup@perl.org> wrote:
This can be reduced to:
$x .= *x = 0
The segfault comes from the SvPVCLEAR() in this block of pp_concat():
else { /* $l .= $r and left == TARG */
As far as I can tell, TARG has already been freed here (by the *x = 0).
--
The RT System itself - Status changed from 'new' to 'open'
From @iabyn:
On Mon, Jan 02, 2017 at 07:17:59PM +0000, Aaron Crane wrote:
Yes. If the stack were refcounted, $x wouldn't be freed by *x = 0.
--
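The hazard the two comments above describe, as an added illustration that is not perl's sv.c or pp.c: a toy refcounted scalar (SV) and glob slot, constructed here, where the RHS of `$x .= *x = 0` releases the scalar that the concat op already holds as TARG. "Freed" SVs in this model stay addressable and carry a flag, so the stale pointer can be observed instead of dereferenced; the pinned variant holds a reference across the op, which is what a refcounted stack would do.

```c
#include <string.h>

/* Constructed model of a Perl-style scalar with a reference count.
 * Not perl's SV: freed scalars keep their storage and set a flag. */
typedef struct { int refcnt; int freed; char buf[64]; } SV;

static void sv_refcnt_inc(SV *sv) { sv->refcnt++; }
static void sv_refcnt_dec(SV *sv) { if (--sv->refcnt == 0) sv->freed = 1; }

/* A glob slot such as *x; assigning to it drops the scalar it held. */
typedef struct { SV *scalar; } Glob;

/* Models the RHS "*x = 0": the old scalar is released while the LHS of
 * "$x .= ..." (TARG, pointing at that old scalar) is still in flight. */
static void glob_assign(Glob *g, SV *replacement) {
    SV *old = g->scalar;
    g->scalar = replacement;
    sv_refcnt_inc(replacement);
    sv_refcnt_dec(old);
}

/* Unpinned concat: TARG is taken before the RHS runs and not held.
 * Returns 0 without writing when TARG has been freed, which is this
 * model's stand-in for the crash in Perl_sv_setpv_bufsize. */
static int concat_unpinned(Glob *g, SV *rhs_value) {
    SV *targ = g->scalar;
    glob_assign(g, rhs_value);       /* RHS evaluated here */
    if (targ->freed) return 0;       /* stale TARG: would be a UAF */
    strcat(targ->buf, rhs_value->buf);
    return 1;
}

/* Pinned concat: hold a reference on TARG for the duration of the op,
 * so the RHS cannot free it underneath us. */
static int concat_pinned(Glob *g, SV *rhs_value) {
    SV *targ = g->scalar;
    sv_refcnt_inc(targ);
    glob_assign(g, rhs_value);
    int ok = !targ->freed;
    if (ok) strcat(targ->buf, rhs_value->buf);
    sv_refcnt_dec(targ);             /* released only after the op completes */
    return ok;
}
```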
Migrated from rt.perl.org#130224 (status was 'open')
Searchable as RT130224$