heap-buffer-overflow in Perl_grok_infnan #17370

Closed
@dur-randir

Description

This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.41 running under perl 5.31.6.

[Please describe your issue here]

While fuzzing perl v5.31.5-213-g9bec17d7c built with afl and run
under libdislocator, I found the following program

0=~/\p{nv=qnan}/

to cause heap-buffer-overflow. ASAN diagnostics are:

==36610==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000f3b7 at pc 0x000000dca57a bp 0x7ffd251d7ff0 sp 0x7ffd251d7fe8
READ of size 1 at 0x60200000f3b7 thread T0
    #0 0xdca579 in Perl_grok_infnan /home/afl/afl-runner/numeric.c:789:17
    #1 0xdcdd5c in S_my_atof_infnan /home/afl/afl-runner/numeric.c:1432:24
    #2 0xdcdd5c in Perl_my_atof3 /home/afl/afl-runner/numeric.c:1560
    #3 0x81b17e in Perl_parse_uniprop_string /home/afl/afl-runner/regcomp.c:24065:24
    #4 0x896381 in S_regclass /home/afl/afl-runner/regcomp.c:17484:44
    #5 0x86b329 in S_regatom /home/afl/afl-runner/regcomp.c:13555:19
    #6 0x84db52 in S_regpiece /home/afl/afl-runner/regcomp.c:12421:11
    #7 0x84db52 in S_regbranch /home/afl/afl-runner/regcomp.c:12341
    #8 0x7a77b8 in S_reg /home/afl/afl-runner/regcomp.c:12043:10
    #9 0x784a7f in Perl_re_op_compile /home/afl/afl-runner/regcomp.c:7744:9
    #10 0x55c2d6 in Perl_pmruntime /home/afl/afl-runner/op.c:8168:6
    #11 0x7566f7 in Perl_yyparse /home/afl/afl-runner/perly.y:1260:23
    #12 0xbcbf5a in S_doeval_compile /home/afl/afl-runner/pp_ctl.c:3540:77
    #13 0xbc8b8c in Perl_pp_entereval /home/afl/afl-runner/pp_ctl.c:4516:9
    #14 0x8e34ba in Perl_runops_debug /home/afl/afl-runner/dump.c:2571:23
    #15 0x61e33e in S_run_body /home/afl/afl-runner/perl.c
    #16 0x61d7a8 in perl_run /home/afl/afl-runner/perl.c:2709:2
    #17 0x5352f3 in main /home/afl/afl-runner/perlmain.c:134:9
    #18 0x7fb3c405c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #19 0x43ccb9 in _start (/home/afl/afl-runner/perl+0x43ccb9)

This is a regression between 5.28 and 5.30; bisect points to

f394a63 is the first bad commit
commit f394a63
Author: Karl Williamson khw@cpan.org
Date: Mon Apr 30 10:39:46 2018 -0600

utf8.c: Use \p{nv=float}

Now that the float data is available to us (in the previous commit), we
can take advantage of it, and avoid swash creation.

We just use the perl atof() to convert the input string to an NV, and
then convert back to a string, but in guaranteed canonical form.  Then
we look that up.

[Please do not change anything below this line]
Flags:
category=core
severity=medium
Site configuration information for perl 5.31.6:

Configured by dur-randir at Fri Nov 8 05:18:19 MSK 2019.

Summary of my perl5 (revision 5 version 31 subversion 6) configuration:
Commit id: 1462134
Platform:
osname=darwin
osvers=13.4.0
archname=darwin-2level
uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0: mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64 x86_64 '
config_args='-de -Dusedevel -DDEBUGGING'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='cc'
ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include -DPERL_USE_SAFE_PUTENV'
optimize='-O3 -g'
cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include'
ccversion=''
gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='cc'
ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib -L/opt/local/lib'
libpth=/usr/local/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib /usr/lib /opt/local/lib
libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
perllibs=-lpthread -ldl -lm -lutil -lc
libc=
so=dylib
useshrplib=false
libperl=libperl.a
gnulibc_version=''
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=bundle
d_dlsymun=undef
ccdlflags=' '
cccdlflags=' '
lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined dynamic_lookup -L/usr/local/lib -L/opt/local/lib -fstack-protector'

@inc for perl 5.31.6:
lib
/usr/local/lib/perl5/site_perl/5.31.6/darwin-2level
/usr/local/lib/perl5/site_perl/5.31.6
/usr/local/lib/perl5/5.31.6/darwin-2level
/usr/local/lib/perl5/5.31.6

Environment for perl 5.31.6:
DYLD_LIBRARY_PATH (unset)
HOME=/Users/dur-randir
LANG=en_US.UTF-8
LANGUAGE (unset)
LC_CTYPE=en_US.UTF-8
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin:/opt/local/bin:/usr/texbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/Library/TeX/texbin
PERLBREW_HOME=/Users/dur-randir/.perlbrew
PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.26.0/man
PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin
PERLBREW_PERL=perl-5.26.0
PERLBREW_ROOT=/Users/dur-randir/perlbrew
PERLBREW_SHELLRC_VERSION=0.86
PERLBREW_VERSION=0.86
PERL_BADLANG (unset)
SHELL=/opt/local/bin/zsh
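
As an added example (not Perl's own code and not part of this report), a bounds-checked inf/nan recognizer in C of the kind Perl_grok_infnan needs when it is handed a length-delimited, possibly non-NUL-terminated buffer such as the "qnan" token above: every read is guarded by an end pointer, never by a terminator. The function names, the enum and the demo input are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Constructed classification result for an inf/nan token (not Perl's API). */
enum infnan_kind { INFNAN_NONE = 0, INFNAN_INF, INFNAN_NAN };

/* Case-insensitive match of `word` against [s, send); the length test comes
 * first, so no byte at or past `send` is ever read. Returns bytes matched. */
static size_t match_word(const char *s, const char *send, const char *word)
{
    size_t n = strlen(word);
    if ((size_t)(send - s) < n)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != word[i])
            return 0;
    return n;
}

/* Recognise [+-]?(infinity|inf|qnan|snan|nan) in the first `len` bytes of `s`.
 * Reads are bounded by `send`, not by a NUL the heap buffer may not contain.
 * If `consumed` is non-NULL it receives the number of bytes used. */
enum infnan_kind grok_infnan_bounded(const char *s, size_t len, size_t *consumed)
{
    const char *send = s + len, *p = s;
    size_t n;
    if (consumed) *consumed = 0;
    if (p < send && (*p == '+' || *p == '-'))
        p++;
    /* Longer spelling first so "infinity" is not cut short as "inf". */
    if ((n = match_word(p, send, "infinity")) || (n = match_word(p, send, "inf"))) {
        if (consumed) *consumed = (size_t)(p + n - s);
        return INFNAN_INF;
    }
    /* Optional quiet/signalling prefix before "nan". */
    if (p < send && (tolower((unsigned char)*p) == 'q' || tolower((unsigned char)*p) == 's'))
        p++;
    if ((n = match_word(p, send, "nan"))) {
        if (consumed) *consumed = (size_t)(p + n - s);
        return INFNAN_NAN;
    }
    return INFNAN_NONE;
}

/* Constructed demo: 4 bytes holding "qnan" with NO NUL terminator; returns 1
 * when it is classified as NaN using exactly those 4 bytes. */
int demo_qnan_unterminated(void)
{
    char buf[4] = {'q', 'n', 'a', 'n'};
    size_t used = 0;
    return grok_infnan_bounded(buf, sizeof buf, &used) == INFNAN_NAN && used == 4;
}
```

Run under ASAN or libdislocator as in the report, the demo stays clean because the scan stops at `send` rather than looking for a terminator beyond the allocation.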
