-
Notifications
You must be signed in to change notification settings - Fork 559
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Assertion failed: Perl_sv_2iv_flags (sv.c:2435) #14941
Comments
From @geeknikFuzzing perl v5.23.4 (v5.23.3-7-ge120c24) with AFL found the following assertion failure: perl -e '{$0{@{[()[[]=~m[@]]*0]}}}{}' perl: sv.c:2435: Perl_sv_2iv_flags: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed. Program received signal SIGABRT, Aborted. Script doesn't appear to affect v5.21.7 (v5.21.6-602-ge9d2bd8) in any way. |
From @dcollinsnGreetings Porters, I have compiled bleadperl with the afl-gcc compiler using: ./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des And then fuzzed the resulting binary using: AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@ After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segmentation fault in the perl interpreter. The testcase is the file: ($0[(((0/[(())])[()]))]) On standard perls, this results in a SIGSEGV. In debugging perls, this results in the following output: perl: sv.c:2435: Perl_sv_2iv_flags: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed. **GDB** (gdb) run Program received signal SIGSEGV, Segmentation fault. **VALGRIND** ==6349== Memcheck, a memory error detector **PERL -V** Summary of my perl5 (revision 5 version 23 subversion 4) configuration: Characteristics of this binary (from libperl): |
From [email protected]I performed some additional reduction by hand. The following causes $0[()[()]] |
|
The RT System itself - Status changed from 'new' to 'open' |
From @geeknikOn Mon Oct 12 04:37:26 2015, victor@drawall.cc wrote:
Probably a dupe of https://rt-archive.perl.org/perl5/Ticket/Display.html?id=126193. |
From [Unknown Contact. See original ticket]On Mon Oct 12 04:37:26 2015, victor@drawall.cc wrote:
Probably a dupe of https://rt-archive.perl.org/perl5/Ticket/Display.html?id=126193. |
From @tonycozOn Mon Oct 12 11:52:59 2015, brian.carpenter@gmail.com wrote:
Looks like it to me, so I've merged them. The attached patch fixes the problem for me. Tony |
From @tonycoz0001-perl-126193-don-t-use-a-trash-SV-if-no-indexes-are-p.patchFrom c902887933f2025fd547357674c2699a1a95c96f Mon Sep 17 00:00:00 2001
From: Tony Cook <[email protected]>
Date: Wed, 11 Nov 2015 15:57:09 +1100
Subject: [perl #126193] don't use a trash SV if no indexes are provided to
pp_lslice
---
pp.c | 23 ++++++++++++++---------
t/op/list.t | 5 ++++-
2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/pp.c b/pp.c
index 35a5f26..7301d8b 100644
--- a/pp.c
+++ b/pp.c
@@ -5268,15 +5268,20 @@ PP(pp_lslice)
SV **lelem;
if (GIMME_V != G_ARRAY) {
- I32 ix = SvIV(*lastlelem);
- if (ix < 0)
- ix += max;
- if (ix < 0 || ix >= max)
- *firstlelem = &PL_sv_undef;
- else
- *firstlelem = firstrelem[ix];
- SP = firstlelem;
- RETURN;
+ if (lastlelem < firstlelem) {
+ *firstlelem = &PL_sv_undef;
+ }
+ else {
+ I32 ix = SvIV(*lastlelem);
+ if (ix < 0)
+ ix += max;
+ if (ix < 0 || ix >= max)
+ *firstlelem = &PL_sv_undef;
+ else
+ *firstlelem = firstrelem[ix];
+ }
+ SP = firstlelem;
+ RETURN;
}
if (max == 0) {
diff --git a/t/op/list.t b/t/op/list.t
index c7056d0..9fe00a4 100644
--- a/t/op/list.t
+++ b/t/op/list.t
@@ -6,7 +6,7 @@ BEGIN {
require "./test.pl";
}
-plan( tests => 69 );
+plan( tests => 70 );
@foo = (1, 2, 3, 4);
cmp_ok($foo[0], '==', 1, 'first elem');
@@ -217,3 +217,6 @@ sub empty {}
tie $t, "";
() = (empty(), ($t)x10); # empty() since sub calls usually result in copies
is(tied($t)->{fetched}, undef, 'assignment to empty list makes no copies');
+
+# this was passing a trash SV at the top of the stack to SvIV()
+ok(($0[()[()]],1), "[perl #126193] list slice with zero indexes");
--
2.1.4
|
|
The RT System itself - Status changed from 'new' to 'open' |
From @tonycozOn Tue Nov 10 20:59:32 2015, tonyc wrote:
Applied as 9e59c36. Tony |
|
@tonycoz - Status changed from 'open' to 'pending release' |
From @khwilliamsonThank you for submitting this report. You have helped make Perl better. Perl 5.24.0 may be downloaded via https://metacpan.org/release/RJBS/perl-5.24.0 |
|
@khwilliamson - Status changed from 'pending release' to 'resolved' |
Migrated from rt.perl.org#126193 (status was 'resolved')
Searchable as RT126193$
The text was updated successfully, but these errors were encountered: