Description
This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.41 running under perl 5.31.6.
[Please describe your issue here]
While fuzzing perl v5.31.5-213-g9bec17d7c built with afl and run
under libdislocator, I found the following program
0=~/\p{nV:-0}/
to cause a heap-buffer-overflow. ASAN diagnostics are:
==44466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001375 at pc 0x000000db90b1 bp 0x7ffc4c3fe2f0 sp 0x7ffc4c3fe2e8
READ of size 1 at 0x602000001375 thread T0
#0 0xdb90b0 in Perl_my_atof3 /home/afl/afl-asan/numeric.c:1564:14
#1 0x816b5d in Perl_parse_uniprop_string /home/afl/afl-asan/regcomp.c:23624:24
#2 0x88ce21 in S_regclass /home/afl/afl-asan/regcomp.c:17210:44
#3 0x8673b8 in S_regatom /home/afl/afl-asan/regcomp.c:13538:19
#4 0x849b82 in S_regpiece /home/afl/afl-asan/regcomp.c:12404:11
#5 0x849b82 in S_regbranch /home/afl/afl-asan/regcomp.c:12324
#6 0x7a6080 in S_reg /home/afl/afl-asan/regcomp.c:12026:10
#7 0x78122f in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7738:9
#8 0x55c406 in Perl_pmruntime /home/afl/afl-asan/op.c:8089:6
#9 0x752a87 in Perl_yyparse /home/afl/afl-asan/perly.y:1260:23
#10 0x614bfc in S_parse_body /home/afl/afl-asan/perl.c:2529:9
#11 0x60a9b6 in perl_parse /home/afl/afl-asan/perl.c:1820:2
#12 0x5352bd in main /home/afl/afl-asan/perlmain.c:132:18
#13 0x7f7b3ec4509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#14 0x43ccb9 in _start (/home/afl/afl-asan/perl+0x43ccb9)
0x602000001375 is located 0 bytes to the right of 5-byte region [0x602000001370,0x602000001375)
allocated by thread T0 here:
#0 0x501a90 in malloc (/home/afl/afl-asan/perl+0x501a90)
#1 0x8ded86 in Perl_safesysmalloc /home/afl/afl-asan/util.c:155:21
#2 0x81451c in Perl_parse_uniprop_string /home/afl/afl-asan/regcomp.c:22771:5
#3 0x88ce21 in S_regclass /home/afl/afl-asan/regcomp.c:17210:44
#4 0x8673b8 in S_regatom /home/afl/afl-asan/regcomp.c:13538:19
#5 0x849b82 in S_regpiece /home/afl/afl-asan/regcomp.c:12404:11
#6 0x849b82 in S_regbranch /home/afl/afl-asan/regcomp.c:12324
#7 0x7a6080 in S_reg /home/afl/afl-asan/regcomp.c:12026:10
#8 0x78122f in Perl_re_op_compile /home/afl/afl-asan/regcomp.c:7738:9
#9 0x55c406 in Perl_pmruntime /home/afl/afl-asan/op.c:8089:6
#10 0x752a87 in Perl_yyparse /home/afl/afl-asan/perly.y:1260:23
#11 0x614bfc in S_parse_body /home/afl/afl-asan/perl.c:2529:9
#12 0x60a9b6 in perl_parse /home/afl/afl-asan/perl.c:1820:2
#13 0x5352bd in main /home/afl/afl-asan/perlmain.c:132:18
#14 0x7f7b3ec4509a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
This is a regression in blead; bisect points to
commit 14d26b4 (HEAD, refs/bisect/bad)
Author:     Tony Cook <tony@develop-help.com>
AuthorDate: Tue Aug 20 15:43:05 2019 +1000
Commit:     Tony Cook <tony@develop-help.com>
CommitDate: Mon Aug 26 09:42:10 2019 +1000
    (perl #134230) don't interpret 0x, 0b when numifying strings
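As an added illustration, not code from the Perl core or from the reporter, the C below shows the bug class the trace and the bisected commit title point at: a length-bounded numeric parser that, on seeing a leading '0', peeks at the following byte to reject a 0x/0b prefix. If the '0' is the last byte of the buffer, that peek is a one-byte read past the end, which is the shape of the ASAN report (READ of size 1, 0 bytes to the right of a 5-byte region). The function names, the parsing rules, and the assumption that the 5-byte region holds the lowercased property text "nv:-0" with the value part "-0" at its end are inferences made for this example and are not confirmed by the report; the vulnerable and hardened variants are shown side by side.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Shared tail: every byte from p up to (not including) send must be a
 * decimal digit.  Stores the signed value and reports success. */
static bool decimal_tail(const char *p, const char *send, bool neg, long *out)
{
    long v = 0;
    if (p == send)
        return false;                    /* no digits at all */
    for (; p < send; p++) {
        if (*p < '0' || *p > '9')
            return false;                /* trailing junk inside the bound */
        v = v * 10 + (*p - '0');
    }
    *out = neg ? -v : v;
    return true;
}

/* Vulnerable shape (hypothetical, modelled on the report): p[1] is read
 * even when p + 1 == send, i.e. one byte past the region.  With an exact
 * 5-byte heap buffer "nv:-0" (assumed layout) the '0' is the last byte and
 * this peek is the out-of-bounds READ of size 1 that ASAN flags. */
static bool parse_bounded_unsafe(const char *s, size_t len, long *out)
{
    const char *send = s + len;
    const char *p = s;
    bool neg = false;

    if (p < send && (*p == '-' || *p == '+')) {
        neg = (*p == '-');
        p++;
    }
    if (p < send && *p == '0'
        && (p[1] == 'x' || p[1] == 'X' || p[1] == 'b' || p[1] == 'B'))
        return false;                    /* reject 0x / 0b prefixes */
    return decimal_tail(p, send, neg, out);
}

/* Hardened shape: the peek is guarded by the bound.  A buffer that ends in
 * '0' parses as zero and no byte at or beyond s + len is ever touched. */
static bool parse_bounded_safe(const char *s, size_t len, long *out)
{
    const char *send = s + len;
    const char *p = s;
    bool neg = false;

    if (p < send && (*p == '-' || *p == '+')) {
        neg = (*p == '-');
        p++;
    }
    if (p < send && *p == '0' && p + 1 < send
        && (p[1] == 'x' || p[1] == 'X' || p[1] == 'b' || p[1] == 'B'))
        return false;                    /* reject 0x / 0b prefixes */
    return decimal_tail(p, send, neg, out);
}

int main(void)
{
    /* Constructed stand-in for the 5-byte region in the report: exactly
     * "nv:-0" with no terminating NUL, so any read of buf[5] is out of bounds. */
    char *buf = malloc(5);
    if (!buf)
        return 1;
    memcpy(buf, "nv:-0", 5);

    long v = 0;
    bool ok = parse_bounded_safe(buf + 3, 2, &v);     /* the value part "-0" */
    printf("safe:   ok=%d value=%ld (nothing beyond the region read)\n", ok, v);

    /* The same input with padding, so the unsafe variant can be called
     * without undefined behaviour: its verdict depends on padded[2], a byte
     * outside the 2-byte bound it was given. */
    const char padded[] = "-0x";
    ok = parse_bounded_unsafe(padded, 2, &v);
    printf("unsafe: ok=%d (decided on a byte outside the bound)\n", ok);

    free(buf);
    return 0;
}
```

Compiling this with -fsanitize=address and calling parse_bounded_unsafe on buf + 3 instead of the padded copy reproduces the same heap-buffer-overflow shape as the report; the hardened variant passes under ASAN because the prefix check never dereferences past send. The general rule for any parser that takes (pointer, length) is that every lookahead, not just the loop condition, must be compared against the end pointer before the byte is read.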
[Please do not change anything below this line]
Flags:
category=core
severity=high
Site configuration information for perl 5.31.6:
Configured by dur-randir at Fri Nov 8 05:18:19 MSK 2019.
Summary of my perl5 (revision 5 version 31 subversion 6) configuration:
Commit id: 1462134
Platform:
osname=darwin
osvers=13.4.0
archname=darwin-2level
uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0: mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64 x86_64 '
config_args='-de -Dusedevel -DDEBUGGING'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='cc'
ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include -DPERL_USE_SAFE_PUTENV'
optimize='-O3 -g'
cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include'
ccversion=''
gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='cc'
ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib -L/opt/local/lib'
libpth=/usr/local/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib /usr/lib /opt/local/lib
libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
perllibs=-lpthread -ldl -lm -lutil -lc
libc=
so=dylib
useshrplib=false
libperl=libperl.a
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=bundle
d_dlsymun=undef
ccdlflags=' '
cccdlflags=' '
lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined dynamic_lookup -L/usr/local/lib -L/opt/local/lib -fstack-protector'
@inc for perl 5.31.6:
lib
/usr/local/lib/perl5/site_perl/5.31.6/darwin-2level
/usr/local/lib/perl5/site_perl/5.31.6
/usr/local/lib/perl5/5.31.6/darwin-2level
/usr/local/lib/perl5/5.31.6
Environment for perl 5.31.6:
DYLD_LIBRARY_PATH (unset)
HOME=/Users/dur-randir
LANG=en_US.UTF-8
LANGUAGE (unset)
LC_CTYPE=en_US.UTF-8
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin:/opt/local/bin:/usr/texbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/Library/TeX/texbin
PERLBREW_HOME=/Users/dur-randir/.perlbrew
PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.26.0/man
PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin
PERLBREW_PERL=perl-5.26.0
PERLBREW_ROOT=/Users/dur-randir/perlbrew
PERLBREW_SHELLRC_VERSION=0.86
PERLBREW_VERSION=0.86
PERL_BADLANG (unset)
SHELL=/opt/local/bin/zsh