heap-buffer-overflow in Perl_uvoffuni_to_utf8_flags_msgs

[dur-randir]

This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.41 running under perl 5.31.10.

---

[Please describe your issue here]

While fuzzing perl v5.31.9-70-g0c96aa4b7b built with afl and run
under libdislocator, I found the following program

s--d.-%y-00.d-0\x{d0000}-

to cause heap-buffer-overflow. ASAN diagnostics are:

WRITE of size 1 at 0x602000001576 thread T0
#0 0xd5c006 in Perl_uvoffuni_to_utf8_flags_msgs /home/afl/afl-asan/utf8.c:374:7
#1 0xc71ca7 in S_do_trans_invmap /home/afl/afl-asan/doop.c:542:21
#2 0xc71ca7 in Perl_do_trans /home/afl/afl-asan/doop.c:623
#3 0xae0341 in Perl_pp_trans /home/afl/afl-asan/pp.c:692:13
#4 0x8efa3e in Perl_runops_debug /home/afl/afl-asan/dump.c:2571:23
#5 0x61fd94 in S_run_body /home/afl/afl-asan/perl.c
#6 0x61f1f6 in perl_run /home/afl/afl-asan/perl.c:2687:2
#7 0x5352f3 in main /home/afl/afl-asan/perlmain.c:134:9
#8 0x7f1c428be09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#9 0x43ccb9 in _start (/home/afl/afl-asan/perl+0x43ccb9)

0x602000001576 is located 0 bytes to the right of 6-byte region [0x602000001570,0x602000001576)
allocated by thread T0 here:
#0 0x501a90 in malloc (/home/afl/afl-asan/perl+0x501a90)
#1 0x8f59e6 in Perl_safesysmalloc /home/afl/afl-asan/util.c:155:21
#2 0xc70596 in S_do_trans_invmap /home/afl/afl-asan/doop.c:472:2
#3 0xc70596 in Perl_do_trans /home/afl/afl-asan/doop.c:623
#4 0xae0341 in Perl_pp_trans /home/afl/afl-asan/pp.c:692:13
#5 0x8efa3e in Perl_runops_debug /home/afl/afl-asan/dump.c:2571:23
#6 0x61fd94 in S_run_body /home/afl/afl-asan/perl.c
#7 0x61f1f6 in perl_run /home/afl/afl-asan/perl.c:2687:2
#8 0x5352f3 in main /home/afl/afl-asan/perlmain.c:134:9
#9 0x7f1c428be09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

This is regression in blead, bisect points to the following range:

The first bad commit could be any of:

8c90d3a

Author: Karl Williamson khw@cpan.org
AuthorDate: Wed Oct 2 22:34:37 2019 -0600
Commit: Karl Williamson khw@cpan.org
CommitDate: Wed Nov 6 21:22:24 2019 -0700

intrpvar.h: Add variable for use in tr///

f34acfe

Author: Karl Williamson khw@cpan.org
AuthorDate: Mon Nov 4 21:30:48 2019 -0700
Commit: Karl Williamson khw@cpan.org
CommitDate: Wed Nov 6 21:22:24 2019 -0700

Reimplement tr/// without swashes

We cannot bisect more!

[Please do not change anything below this line]

---

Flags:
category=core
severity=high

Site configuration information for perl 5.31.10:

Configured by root at Fri Mar 13 17:15:02 MSK 2020.

Summary of my perl5 (revision 5 version 31 subversion 10) configuration:
Commit id: 0c96aa4
Platform:
osname=linux
osvers=4.19.0-8-amd64
archname=x86_64-linux
uname='linux dorothy 4.19.0-8-amd64 #1 smp debian 4.19.98-1 (2020-01-26) x86_64 gnulinux '
config_args='-de -Dusedevel -Doptimize=-O2'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='cc'
ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
optimize='-O2'
cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='8.3.0'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='cc'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/8/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.28.so
so=so
useshrplib=false
libperl=libperl.a
gnulibc_version='2.28'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong'

---

@inc for perl 5.31.10:
lib
/usr/local/lib/perl5/site_perl/5.31.10/x86_64-linux
/usr/local/lib/perl5/site_perl/5.31.10
/usr/local/lib/perl5/5.31.10/x86_64-linux
/usr/local/lib/perl5/5.31.10

---

Environment for perl 5.31.10:
HOME=/home/afl
LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_CTYPE=en_US.UTF-8
LC_TIME=C
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.30.0-dbg/bin:/opt/local/bin:/usr/texbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PERLBREW_HOME=/home/afl/.perlbrew
PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.30.0-dbg/man
PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.30.0-dbg/bin
PERLBREW_PERL=perl-5.30.0-dbg
PERLBREW_ROOT=/home/afl/perlbrew
PERLBREW_SHELLRC_VERSION=0.88
PERLBREW_VERSION=0.88
PERL_BADLANG (unset)

[hvds]

FWIW, the reproducer simplifies slightly to: ./miniperl -e '"cb" =~ tr{aabc}{d\x{d0000}}r'.

[hvds]

@khwilliamson within pmtrans(), max_expansion is only set after tests on ranges that are not marked TR_SPECIAL_HANDLING (which can, among other things, mean "replace with last replacement character seen"), so it needs an additional test for that case.

[khwilliamson]

Duplicate of #17654