Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Out of Memory error with eval q("\c") #6088

Closed p5pRT closed 21 years ago

p5pRT commented 21 years ago

Migrated from rt.perl.org#18573 (status was 'resolved')

Searchable as RT18573$

p5pRT commented 21 years ago

From dylanwh@tampabay.rr.com

Created by dylanwh@tampabay.rr.com

The bug:

```
[09:36 dylan@odin ~]
% perl -e'eval q("\c");'
Out of memory!
```

eval q("\c") causes an Out of memory error.

an associate of mine, Vadim, ran ltrace and found this:

```
malloc(-1) = NULL
fputs("Out of memory!\n", 0x40159380Out of memory!
) = 1
```

So eval q("\c") causes perl to try to allocate -1 bytes of memory.

I'm running Debian GNU/Linux stable (woody), on an x86 Pentium II with Perl 5.6.1, with Linux kernel 2.4.18.

This bug is reproducible on RedHat with Perl 5.8, with (linux) kern 2.4.19-ac4, and on three other systems with 5.6 installed. However, on FreeBSD 4.7-STABLE with Perl 5.8 it doesn't seem to happen.

"\c" should not be valid in any case, and I only found this because of a typo while I was using my perlshell.

Perl Info

```
Flags:
    category=core
    severity=low

Site configuration information for perl v5.6.1:

Configured by bod at Fri Jan 11 04:14:18 EST 2002.

Summary of my perl5 (revision 5.0 version 6 subversion 1) configuration:
  Platform:
    osname=linux, osvers=2.4.13, archname=i386-linux
    uname='linux duende 2.4.13 #1 wed oct 31 19:18:07 est 2001 i686 unknown '
    config_args='-Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=i386-linux -Dprefix=/usr -Dprivlib=/usr/share/perl/5.6.1 -Darchlib=/usr/lib/perl/5.6.1 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.6.1 -Dsitearch=/usr/local/lib/perl/5.6.1 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Uusesfio -Duseshrplib -Dlibperl=libperl.so.5.6.1 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=undef d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
  Compiler:
    cc='cc', ccflags ='-DDEBIAN -fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2',
    cppflags='-DDEBIAN -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='2.95.4 (Debian prerelease)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, usemymalloc=n, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lgdbm -ldb -ldl -lm -lc -lcrypt
    perllibs=-ldl -lm -lc -lcrypt
    libc=/lib/libc-2.2.4.so, so=so, useshrplib=true, libperl=libperl.so.5.6.1
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:

@INC for perl v5.6.1:
    /home/dylan/src/lib/
    /usr/local/lib/perl/5.6.1
    /usr/local/share/perl/5.6.1
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.6.1
    /usr/share/perl/5.6.1
    /usr/local/lib/site_perl
    .

Environment for perl v5.6.1:
    HOME=/home/dylan
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/dylan/bin/:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/games
    PERL5LIB=/home/dylan/src/lib/
    PERL_BADLANG (unset)
    SHELL=/bin/zsh
```

p5pRT commented 21 years ago

From @rgs

"dylanwh@tampabay.rr.com (via RT)" <perlbug@perl.org> wrote:

> % perl -e'eval q("\c");'
> Out of memory!

With a -DDEBUGGING bleadperl, I got:

```
$ bleadperl -we 'eval q("\c");print $@'
Possible unintended interpolation of @H in string at (eval 1) line 1.
panic: malloc at (eval 1) line 1.
```

> eval q("\c") causes an Out of memory error.
>
> an associate of mine, Vadim, ran ltrace and found this:
> malloc(-1) = NULL
> fputs("Out of memory!\n", 0x40159380Out of memory!
> ) = 1
>
> So eval q("\c") causes perl to try to allocate -1 bytes of memory.

p5pRT commented 21 years ago

From @demerphq

> The bug:
> [09:36 dylan@odin ~] % perl -e'eval q("\c");'
> Out of memory!
>
> eval q("\c") causes an Out of memory error.
>
> an associate of mine, Vadim, ran ltrace and found this:
> malloc(-1) = NULL
> fputs("Out of memory!\n", 0x40159380Out of memory!
> ) = 1
>
> So eval q("\c") causes perl to try to allocate -1 bytes of memory.
>
> I'm running Debian GNU/Linux stable (woody), on an x86 Pentium II with Perl 5.6.1, with Linux kernel 2.4.18.
>
> This bug is reproducible on RedHat with Perl 5.8, with (linux) kern 2.4.19-ac4, and on three other systems with 5.6 installed. However, on FreeBSD 4.7-STABLE with Perl 5.8 it doesn't seem to happen.
>
> "\c" should not be valid in any case, and I only found this because of a typo while I was using my perlshell.

This doesn't happen under AS 633 FWIW.

```
This is perl, v5.6.1 built for MSWin32-x86-multi-thread
(with 1 registered patch, see perl -V for more detail)

Copyright 1987-2001, Larry Wall

Binary build 633 provided by ActiveState Corp. http://www.ActiveState.com
Built 21:33:05 Jun 17 2002
```

yves

p5pRT commented 21 years ago

From @rgs

I applied the fix below for the parser bug #18573, which basically is:

```
$ perl -e 'eval q("\c")'
Out of memory!
```

Now this returns a syntax error, like for example "\x{".

Change 18233 by rgs@rgs-home on 2002/12/02 20:03:09

  Fix bug #18573 : in a double-quoted string, a \c not followed
  by any character may corrupt memory due to reading past the
  end of the input buffer. Add a new error message corresponding
  to this case.

Affected files ...

...... //depot/perl/pod/perldiag.pod#323 edit
...... //depot/perl/t/comp/parser.t#3 edit
...... //depot/perl/toke.c#452 edit

Differences ...

==== //depot/perl/pod/perldiag.pod#323 (text) ====

@​@​ -2089\,6 +2089\,11 @​@​ C\<open(FH\, "command |")> construction\, but the command was missing or blank.

+=item Missing control char name in \c + +(F) A double-quoted string ended with "\c"\, without the required control +character name. + =item Missing name in "my sub"

(F) The reserved syntax for lexically scoped subroutines requires that

==== //depot/perl/t/comp/parser.t#3 (text) ====

@​@​ -9\,7 +9\,7 @​@​ }

require "./test.pl"; -plan( tests => 9 ); +plan( tests => 10 );

eval '%@​x=0;'; like( $@​\, qr/^Can't modify hash dereference in repeat \(x\)/\, '%@​x=0' ); @​@​ -47\,3 +47\,7 @​@​ # This used to dump core (bug #17920) eval q{ sub { sub { f1(f2();); my($a\,$b\,$c) } } }; like( $@​\, qr/error/\, 'lexical block discarded by yacc' ); + +# bug #18573\, used to corrupt memory +eval q{ "\c" }; +like( $@​\, qr/^Missing control char name in \\c/\, q("\c" string) );

==== //depot/perl/toke.c#452 (text) ====

@​@​ -1611\,7 +1611\,7 @​@​   /* \c is a control character */   case 'c'​:   s++; - { + if (s \< send) {   U8 c = *s++; #ifdef EBCDIC   if (isLOWER(c)) @​@​ -1619\,6 +1619\,9 @​@​ #endif   *d++ = NATIVE_TO_NEED(has_utf8\,toCTRL(c));   } + else { + yyerror("Missing control char name in \\c"); + }   continue;

  /* printf-style backslashes\, formfeeds\, newlines\, etc */
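Review bot: The test added at the end of t/comp/parser.t covers only `"\c"` as the last two bytes of the string, so the unchanged path through the new `if (s < send)` branch has no regression test in this change. Add a companion case where `\c` is followed by a character, for example `eval q{ "\cA" }` compared against chr(1), and raise `plan( tests => 10 )` to match.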
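Review bot: In the `case 'c':` hunk of toke.c, the new `else` branch calls yyerror() and then reaches `continue` with `s` equal to `send`, so termination depends on the enclosing loop's condition, which is not visible in this hunk. A one-line comment next to `if (s < send)` saying that the string may end immediately after `\c`, and that the byte at `send` must not be read, would keep a later edit from reintroducing the read past the end of the input buffer.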

p5pRT commented 21 years ago

@rgs - Status changed from 'new' to 'resolved'
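
The class of bug fixed in this thread, shown as an added example (not code from the Perl source or from any participant): a small C escape scanner over a length-delimited buffer that checks against `send` before consuming the byte after `\c`. The function name `unescape`, its signature, and every message except "Missing control char name in \c" are assumptions made for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical miniature of a double-quoted-string escape scanner.
 * Input is [s, send), not NUL-terminated: check send before every read.
 * Returns bytes written to d, or -1 with *err set to a message. */
static long unescape(const char *s, const char *send,
                     unsigned char *d, size_t dcap, const char **err)
{
    unsigned char *dstart = d, *dend = d + dcap;
    *err = NULL;
    while (s < send) {
        unsigned char out;
        if (*s != '\\') {
            out = (unsigned char)*s++;
        } else {
            s++; /* skip the backslash */
            if (s >= send) { *err = "Trailing backslash"; return -1; }
            switch (*s++) {
            case 'c':
                /* The missing guard: "\c" can be the last two bytes */
                if (s >= send) {
                    *err = "Missing control char name in \\c";
                    return -1;
                }
                /* ASCII control mapping: uppercase, then XOR 64 */
                out = (unsigned char)(toupper((unsigned char)*s++) ^ 64);
                break;
            case 'n': out = '\n'; break;
            default:  out = (unsigned char)s[-1]; break;
            }
        }
        if (d >= dend) { *err = "Output buffer too small"; return -1; }
        *d++ = out;
    }
    return (long)(d - dstart);
}

int main(void)
{
    const char bad[] = { 'x', '\\', 'c' }; /* constructed, no NUL */
    unsigned char out[8];
    const char *err;
    long n = unescape(bad, bad + sizeof bad, out, sizeof out, &err);
    printf("n=%ld err=%s\n", n, err ? err : "(none)");
    return (n == -1 && strcmp(err, "Missing control char name in \\c") == 0) ? 0 : 1;
}
```

Without the `s >= send` check in `case 'c'`, the scanner would read one byte past the buffer and keep scanning whatever follows it.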