Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

strftime crashes with a blessed format #22498

Closed ntyni closed 1 month ago

ntyni commented 1 month ago

This is a bug report for perl from ntyni@debian.org, generated with the help of perlbug 1.43 running under perl 5.41.3.


Description

We're seeing a regression in the Tickit-Console test suite with Perl 5.40.0, tracked as https://bugs.debian.org/1078152 . I got it down to an issue in POSIX::strftime(), which crashes with a blessed format on 5.40.0 and current blead.

Bisection shows it regressed with v5.39.7-73-g1957c60d05:

 commit 1957c60d0591397316cff390fd9a8419e8bd09fb
 Author: Karl Williamson <khw@cpan.org>
 Date:   Tue Jan 23 08:58:09 2024 -0700

     locale.c: Change API for static strftime-related functions

Steps to Reproduce

$ perl -MPOSIX -e 'strftime((bless {}, 'Foo'), localtime());'
Out of memory in perl:util:safesysmalloc

On blead with DEBUGGING:

$ ./perl -Ilib -MPOSIX -e 'strftime((bless {}, 'Foo'), localtime());'
perl: locale.c:8231: S_sv_strftime_common: Assertion `PL_valid_types_PVX[SvTYPE(_svcur) & SVt_MASK]' failed.

Expected behavior

No crash.


Flags

Configured by ntyni at Sun Aug 11 06:06:56 BST 2024.

Summary of my perl5 (revision 5 version 41 subversion 3) configuration:
  Commit id: edf2fff56f98dc54047777f039e24c6d91b56d35
  Platform:
    osname=linux osvers=6.9.7-amd64 archname=x86_64-linux
    uname='linux carme 6.9.7-amd64 #1 smp preempt_dynamic debian 6.9.7-1 (2024-06-27) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING'
    hint=recommended useposix=true d_sigaction=define
    useithreads=undef usemultiplicity=undef
    use64bitint=define use64bitall=define uselongdouble=undef usemymalloc=n default_inc_excludes_dot=define
  Compiler:
    cc='cc' ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O2 -g'
    cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='' gccversion='13.3.0' gccosandvers=''
    intsize=4 longsize=8 ptrsize=8 doublesize=8 byteorder=12345678 doublekind=3
    d_longlong=define longlongsize=8 d_longdbl=define longdblsize=16 longdblkind=3
    ivtype='long' ivsize=8 nvtype='double' nvsize=8 Off_t='off_t' lseeksize=8
    alignbytes=8 prototype=define
  Linker and Libraries:
    ld='cc' ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/x86_64-linux-gnu /usr/lib /usr/lib64
    libs=-lpthread -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -ldl -lm -lcrypt -lutil -lc
    libc=/lib/x86_64-linux-gnu/libc.so.6 so=so useshrplib=false libperl=libperl.a
    gnulibc_version='2.38'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs dlext=so d_dlsymun=undef ccdlflags='-Wl,-E'
    cccdlflags='-fPIC' lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector-strong'


@INC for perl 5.41.3:
    lib
    /usr/local/lib/perl5/site_perl/5.41.3/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.41.3
    /usr/local/lib/perl5/5.41.3/x86_64-linux
    /usr/local/lib/perl5/5.41.3


Environment for perl 5.41.3:
    HOME=/home/ntyni
    LANG=en_GB.UTF-8
    LANGUAGE=en_GB:en
    LC_CTYPE=fi_FI.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
    PERL_BADLANG (unset)
    SHELL=/bin/zsh

mauke commented 1 month ago

You don't even need an object:

$ perl -MPOSIX -e 'strftime(1, localtime());'
Out of memory in perl:util:safesysmalloc
$ perl -MPOSIX -e 'strftime(localtime());'
Out of memory in perl:util:safesysmalloc
mauke commented 1 month ago

225                     croak_no_mem_ext(STR_WITH_LEN("util:safesysmalloc"));
(gdb) bt
#0  Perl_safesysmalloc (size=size@entry=187649992400162) at util.c:225
#1  0x00005555556ca07d in Perl_sv_grow_fresh (newlen=<optimized out>, sv=0x55555590a758) at sv.c:1488
#2  Perl_newSV (len=187649992400160) at sv.c:5815
#3  Perl_newSV (len=187649992400160) at sv.c:5807
#4  0x00005555555ef359 in S_sv_strftime_common (fmt=fmt@entry=0x55555591cea0, locale=locale@entry=0x5555559232f0 "de_DE.UTF-8", mytm=mytm@entry=0x7fffffffd700) at locale.c:8231
#5  0x00005555555f03e1 in Perl_sv_strftime_ints (fmt=fmt@entry=0x55555591cea0, sec=sec@entry=32, min=min@entry=53, hour=hour@entry=7, mday=mday@entry=11, mon=<optimized out>, year=124, isdst=-1) at locale.c:8194
#6  0x00007ffff7fa7894 in XS_POSIX_strftime (cv=<optimized out>) at /home/mauke/Projects/perl5/ext/POSIX/POSIX.xs:3609
#7  0x000055555564a34d in Perl_rpp_invoke_xs (cv=0x555555a02c80) at /home/mauke/Projects/perl5/inline.h:1177
#8  Perl_pp_entersub () at pp_hot.c:6515
#9  0x00005555556c57e3 in Perl_runops_standard () at run.c:41
#10 0x00005555555c37b5 in S_run_body (oldscope=<optimized out>) at perl.c:2865
#11 perl_run (my_perl=<optimized out>) at perl.c:2780
#12 0x000055555559c272 in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:127

The error comes from this line in locale.c:

    SV* sv = newSV(MAX(SvCUR(fmt) * 2, 64));

The len=187649992400160 mentioned above is exactly SvCUR(fmt) * 2. Presumably SvCUR isn't valid if the SV isn't actually a string.

mauke commented 1 month ago

Also,

$ perl -Ilib -MPOSIX -wE 'say strftime(undef, localtime());'
Segmentation fault

straight up dereferences a null pointer.
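A simplified model of the failure mode diagnosed in the two comments above (a length field read from a scalar that is not a string, and a buffer pointer touched when there is none) next to the checked alternative of stringifying the format before measuring it, run over the blessed-ref, integer and undef inputs from the reports. This is an added example written for this issue, not perl's own code or its sv.h layout; mock_sv, its fields, coerce_to_string and the Foo=HASH(...) stringification are constructed stand-ins, and 0x55555591ce90 is the SvCUR implied by the len in the backtrace (187649992400160 / 2).

```c
#include <stdio.h>

/* Simplified model of a perl scalar for this issue; NOT perl's sv.h layout.
 * One storage slot is reused across types: a string keeps its byte length
 * there, a reference keeps its referent's address, an integer its value. */
typedef enum { T_UNDEF, T_IV, T_RV, T_PV } mock_type;
typedef struct {
    mock_type type;
    const char *pvx;         /* string bytes; valid for T_PV only, NULL otherwise */
    unsigned long long slot; /* T_PV: length; T_IV: value; T_RV: address bits */
} mock_sv;
static const char LONG_FMT[] = "%A %d %B %Y, week %U, day %j, %H:%M:%S %Z";

/* Unchecked path, mirroring newSV(MAX(SvCUR(fmt) * 2, 64)): the slot is
 * trusted as a length whatever the scalar holds, so a reference's address
 * becomes a ~187 TB allocation request and safesysmalloc dies. */
unsigned long long buggy_alloc_len(const mock_sv *fmt) {
    unsigned long long len = fmt->slot * 2;
    return len > 64 ? len : 64;
}

/* Checked path: build the string form first, then measure that. pvx is
 * read only when the type says "string", which also covers the undef
 * case where there is no buffer at all. Returns the string length. */
unsigned long long coerce_to_string(const mock_sv *fmt, char *out, size_t outsz) {
    switch (fmt->type) {
    case T_PV: return (unsigned long long)snprintf(out, outsz, "%s", fmt->pvx);
    case T_IV: return (unsigned long long)snprintf(out, outsz, "%lld", (long long)fmt->slot);
    case T_RV: return (unsigned long long)snprintf(out, outsz, "Foo=HASH(0x%llx)", fmt->slot);
    default:   out[0] = '\0'; return 0;  /* undef stringifies to "" */
    }
}

unsigned long long safe_alloc_len(const mock_sv *fmt) {
    char buf[128];
    unsigned long long len = coerce_to_string(fmt, buf, sizeof buf) * 2;
    return len > 64 ? len : 64;
}

int main(void) {
    /* Constructed inputs for the reported cases: blessed ref, 1, undef,
     * plus a genuine string where both paths agree. */
    mock_sv cases[] = { { T_RV, NULL, 0x55555591ce90ULL }, { T_IV, NULL, 1 },
                        { T_UNDEF, NULL, 0 }, { T_PV, LONG_FMT, sizeof LONG_FMT - 1 } };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("case %zu: buggy=%llu safe=%llu\n", i,
               buggy_alloc_len(&cases[i]), safe_alloc_len(&cases[i]));
    return 0;
}
```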