Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

heap-buffer-overflow in Perl_uvoffuni_to_utf8_flags_msgs #17277

Closed dur-randir closed 4 years ago

dur-randir commented 4 years ago

This is a bug report for perl from sergey.aleynikov@gmail.com, generated with the help of perlbug 1.41 running under perl 5.31.6.


[Please describe your issue here]

While fuzzing perl v5.31.5-213-g9bec17d7c built with afl and run under libdislocator, I found the following program

's~~00~-y~�0~\x{E00}~'

00000000  73 7e 7e 30 30 7e 2d 79  7e cb 30 7e 5c 78 7b 45  |s~~00~-y~.0~\x{E|
00000010  30 30 7d 7e                                       |00}~|

to cause heap-buffer-overflow. ASAN diagnostics are:

==57105==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001535 at pc 0x000000d3b72f bp 0x7ffc13f07db0 sp 0x7ffc13f07da8 WRITE of size 1 at 0x602000001535 thread T0

#0 0xd3b72e in Perl_uvoffuni_to_utf8_flags_msgs /home/afl/afl-asan/utf8.c:299:7

#1 0xc572f1 in S_do_trans_invmap /home/afl/afl-asan/doop.c:504:21
#2 0xc572f1 in Perl_do_trans /home/afl/afl-asan/doop.c:582
#3 0xac7601 in Perl_pp_trans /home/afl/afl-asan/pp.c:692:13
#4 0x8d8dde in Perl_runops_debug /home/afl/afl-asan/dump.c:2571:23
#5 0x61a524 in S_run_body /home/afl/afl-asan/perl.c
#6 0x619988 in perl_run /home/afl/afl-asan/perl.c:2637:2
#7 0x5352f3 in main /home/afl/afl-asan/perlmain.c:134:9
#8 0x7f6089a1d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#9 0x43ccb9 in _start (/home/afl/afl-asan/perl+0x43ccb9)

0x602000001535 is located 0 bytes to the right of 5-byte region [0x602000001530,0x602000001535) allocated by thread T0 here:

#0 0x501a90 in malloc (/home/afl/afl-asan/perl+0x501a90)

#1 0x8ded86 in Perl_safesysmalloc /home/afl/afl-asan/util.c:155:21
#2 0xc55d77 in S_do_trans_invmap /home/afl/afl-asan/doop.c:433:2
#3 0xc55d77 in Perl_do_trans /home/afl/afl-asan/doop.c:582
#4 0xac7601 in Perl_pp_trans /home/afl/afl-asan/pp.c:692:13
#5 0x8d8dde in Perl_runops_debug /home/afl/afl-asan/dump.c:2571:23
#6 0x61a524 in S_run_body /home/afl/afl-asan/perl.c
#7 0x619988 in perl_run /home/afl/afl-asan/perl.c:2637:2
#8 0x5352f3 in main /home/afl/afl-asan/perlmain.c:134:9
#9 0x7f6089a1d09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

This is a regression in blead; bisect points to the following range (unfortunately, some recent revisions fail to compile):

The first bad commit could be any of:

8c90d3a9c79a9471ef12dde584263fc38571cf46
Author:     Karl Williamson <khw@cpan.org>
AuthorDate: Wed Oct 2 22:34:37 2019 -0600
Commit:     Karl Williamson <khw@cpan.org>
CommitDate: Wed Nov 6 21:22:24 2019 -0700

intrpvar.h: Add variable for use in tr///

This is part of this branch of changes.

f34acfecc286f2eff2450db713da005d888a7317
Author:     Karl Williamson <khw@cpan.org>
AuthorDate: Mon Nov 4 21:30:48 2019 -0700
Commit:     Karl Williamson <khw@cpan.org>
CommitDate: Wed Nov 6 21:22:24 2019 -0700

Reimplement tr/// without swashes

This large commit removes the last use of swashes from core.

We cannot bisect more!

[Please do not change anything below this line]


Flags: category=core severity=high

Site configuration information for perl 5.31.6:

Configured by dur-randir at Fri Nov 8 05:18:19 MSK 2019.

Summary of my perl5 (revision 5 version 31 subversion 6) configuration:
  Commit id: 1462134e8b9d0b0b9184117b33a82887ad9711aa
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0: mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64 x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -I/opt/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib -L/opt/local/lib'
    libpth=/usr/local/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib /usr/lib /opt/local/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined dynamic_lookup -L/usr/local/lib -L/opt/local/lib -fstack-protector'


@INC for perl 5.31.6:
    lib
    /usr/local/lib/perl5/site_perl/5.31.6/darwin-2level
    /usr/local/lib/perl5/site_perl/5.31.6
    /usr/local/lib/perl5/5.31.6/darwin-2level
    /usr/local/lib/perl5/5.31.6


Environment for perl 5.31.6:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LC_CTYPE=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin:/opt/local/bin:/usr/texbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/Library/TeX/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.26.0/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.26.0/bin
    PERLBREW_PERL=perl-5.26.0
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.86
    PERLBREW_VERSION=0.86
    PERL_BADLANG (unset)
    SHELL=/opt/local/bin/zsh
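The C program below is an added illustration, not Perl's code and not a reconstruction of doop.c or utf8.c. It models the bug class the ASAN trace points at: a transliteration writes UTF-8 into a heap buffer whose size was derived from the input length alone, so a replacement above U+07FF (three bytes each) runs one byte past a 5-byte region on the second character. The types and functions (translit_map, naive_bound, translit_out_bound, translit_into, translit_demo) and the 2n+1 sizing rule are this example's own assumptions; the input "00" and the mapping of both 0xCB and '0' to U+0E00 are taken from the report's program, where `s~~00~` leaves $_ as "00" and `y~\xCB0~\x{E00}~` repeats the last replacement character.

```c
/* Added example (not perl's code): sizing an output buffer for a tr/// style
 * mapping into UTF-8. Shows an input-length-only bound that is too small next
 * to an exact bound computed from the replacement code points, plus a writer
 * that truncates instead of overflowing when handed the wrong capacity. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes needed to encode cp as UTF-8 (code points up to U+10FFFF). */
static size_t utf8_len(uint32_t cp) {
    return cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
}

/* Encode cp into out[] (at most 4 bytes); returns the number of bytes written. */
static size_t utf8_encode(uint32_t cp, unsigned char out[4]) {
    size_t k = utf8_len(cp);
    switch (k) {
    case 1:  out[0] = (unsigned char)cp; break;
    case 2:  out[0] = (unsigned char)(0xC0 | (cp >> 6));
             out[1] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    case 3:  out[0] = (unsigned char)(0xE0 | (cp >> 12));
             out[1] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
             out[2] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    default: out[0] = (unsigned char)(0xF0 | (cp >> 18));
             out[1] = (unsigned char)(0x80 | ((cp >> 12) & 0x3F));
             out[2] = (unsigned char)(0x80 | ((cp >> 6) & 0x3F));
             out[3] = (unsigned char)(0x80 | (cp & 0x3F)); break;
    }
    return k;
}

/* Byte-to-code-point table standing in for a tr/// map whose replacement
 * list contains characters above U+00FF (this example's own type, not perl's). */
typedef struct { uint32_t map[256]; } translit_map;

static void translit_map_init(translit_map *m) {
    for (int i = 0; i < 256; i++) m->map[i] = (uint32_t)i;   /* identity by default */
}

/* The wrong sizing: a fixed factor per input byte. It assumes every replacement
 * fits in two UTF-8 bytes, which a U+0E00 replacement (three bytes) breaks.
 * Chosen so two input bytes give a 5-byte buffer, like the region in the ASAN
 * report; this is an assumption for illustration, not the formula in doop.c. */
static size_t naive_bound(size_t n) { return 2 * n + 1; }

/* The right sizing: sum the UTF-8 length of the actual replacement of every
 * input byte, so the bound is exact for this input under this map. */
static size_t translit_out_bound(const translit_map *m, const unsigned char *in, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n; i++) total += utf8_len(m->map[in[i]]);
    return total;
}

/* Transliterate in[0..n) into out (capacity cap). Never writes past cap: if the
 * next character would not fit it stops and returns the bytes written so far,
 * which the caller compares with translit_out_bound() to detect truncation. */
static size_t translit_into(const translit_map *m, const unsigned char *in, size_t n,
                            unsigned char *out, size_t cap) {
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char tmp[4];
        size_t k = utf8_encode(m->map[in[i]], tmp);
        if (k > cap - pos) return pos;   /* buffer too small: refuse to overflow */
        memcpy(out + pos, tmp, k);
        pos += k;
    }
    return pos;
}

/* Replays the report's case: $_ is "00" and y~\xCB0~\x{E00}~ maps both 0xCB and
 * '0' to U+0E00. Returns 1 if the naive buffer is caught as undersized and the
 * exactly sized buffer receives the full six-byte result E0 B8 80 E0 B8 80. */
static int translit_demo(void) {
    static const unsigned char in[] = { '0', '0' };   /* constructed input from the report */
    static const unsigned char want[6] = { 0xE0, 0xB8, 0x80, 0xE0, 0xB8, 0x80 };
    translit_map m;
    translit_map_init(&m);
    m.map[0xCB] = 0x0E00;
    m.map['0']  = 0x0E00;

    size_t need      = translit_out_bound(&m, in, sizeof in);   /* 6 */
    size_t cap_naive = naive_bound(sizeof in);                  /* 5 */
    unsigned char *buf = malloc(need);
    if (!buf) return 0;

    /* With the naive capacity the writer stops after the first character (3 bytes). */
    size_t got_naive = translit_into(&m, in, sizeof in, buf, cap_naive);
    /* With the exact capacity the whole result fits. */
    size_t got_exact = translit_into(&m, in, sizeof in, buf, need);

    int ok = cap_naive < need && got_naive == 3 && got_exact == need
          && memcmp(buf, want, need) == 0;
    free(buf);
    return ok;
}

int main(void) {
    int ok = translit_demo();
    printf("naive_bound(2)=%zu; demo %s\n", naive_bound(2), ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

Build with `cc -fsanitize=address` to see that the naive capacity now ends in truncation that the return value exposes, rather than a write past the allocation; the general lesson is that any bound for a map into UTF-8 has to come from the replacement code points (or assume 4 bytes per character), never from the input length alone.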

khwilliamson commented 4 years ago

Fixed by bd0e76db93fab334167b9594f98cd1c415275b33