Closed p5pRT closed 21 years ago
The bug:
[09:36 dylan@odin ~]
% perl -e'eval q("\c");'
Out of memory!
eval q("\c") causes an Out of memory error.
an associate of mine\, Vadim\, ran ltrace and found this: malloc(-1) = NULL fputs("Out of memory!\n"\, 0x40159380Out of memory! ) = 1
So eval q("\c") causes perl to try to allocate -1 bytes of memory.
I'm running Debian GNU/Linux stable (woody)\, on an x86 Pentium II with Perl 5.6.1\, with Linux kernel 2.4.18.
This bug is reproducible on RedHat with Perl 5.8\, with (linux) kern 2.4.19-ac4\, and on three other systems with 5.6 installed. However\, on FreeBSD 4.7-STABLE with Perl 5.8 it doesn't seem to happen.
"\c" should not be valid in any case\, and I only found this because of a typo while I was using my perlshell.
"dylanwh@tampabay.rr.com (via RT)" \perlbug@​perl\.org wrote:
% perl \-e'eval q\("\\c"\);' Out of memory\!
With a -DDEBUGGING bleadperl\, I got :
$ bleadperl -we 'eval q("\c");print $@' Possible unintended interpolation of @H in string at (eval 1) line 1. panic: malloc at (eval 1) line 1.
eval q("\c") causes an Out of memory error.
an associate of mine\, Vadim\, ran ltrace and found this: malloc(-1) = NULL fputs("Out of memory!\n"\, 0x40159380Out of memory! ) = 1
So eval q("\c") causes perl to try to allocate -1 bytes of memory.
The bug: [09:36 dylan@odin ~] % perl -e'eval q("\c");'
Out of memory!eval q("\c") causes an Out of memory error.
an associate of mine\, Vadim\, ran ltrace and found this: malloc(-1) = NULL fputs("Out of memory!\n"\, 0x40159380Out of memory! ) = 1
So eval q("\c") causes perl to try to allocate -1 bytes of memory.
I'm running Debian GNU/Linux stable (woody)\, on an x86 Pentium II with Perl 5.6.1\, with Linux kernel 2.4.18.
This bug is reproducible on RedHat with Perl 5.8\, with (linux) kern 2.4.19-ac4\, and on three other systems with 5.6 installed. However\, on FreeBSD 4.7-STABLE with Perl 5.8 it doesn't seem to happen.
"\c" should not be valid in any case\, and I only found this because of a typo while I was using my perlshell.
This doesnt happen under AS 633 FWIW.
This is perl\, v5.6.1 built for MSWin32-x86-multi-thread (with 1 registered patch\, see perl -V for more detail)
Copyright 1987-2001\, Larry Wall
Binary build 633 provided by ActiveState Corp. http://www.ActiveState.com Built 21:33:05 Jun 17 2002
yves
I applied the fix below for the parser bug #18573\, which basically is : $ perl -e 'eval q("\c")' Out of memory! Now this returns a syntax error\, like for example "\x{".
Change 18233 by rgs@rgs-home on 2002/12/02 20:03:09
Fix bug #18573 : in a double-quoted string\, a \c not followed by any character may corrupt memory due to reading past the end of the input buffer. Add a new error message corresponding to this case.
Affected files ...
...... //depot/perl/pod/perldiag.pod#323 edit ...... //depot/perl/t/comp/parser.t#3 edit ...... //depot/perl/toke.c#452 edit
Differences ...
==== //depot/perl/pod/perldiag.pod#323 (text) ====
@@ -2089\,6 +2089\,11 @@ C\<open(FH\, "command |")> construction\, but the command was missing or blank.
+=item Missing control char name in \c + +(F) A double-quoted string ended with "\c"\, without the required control +character name. + =item Missing name in "my sub"
(F) The reserved syntax for lexically scoped subroutines requires that
==== //depot/perl/t/comp/parser.t#3 (text) ====
@@ -9\,7 +9\,7 @@ }
require "./test.pl"; -plan( tests => 9 ); +plan( tests => 10 );
eval '%@x=0;'; like( $@\, qr/^Can't modify hash dereference in repeat \(x\)/\, '%@x=0' ); @@ -47\,3 +47\,7 @@ # This used to dump core (bug #17920) eval q{ sub { sub { f1(f2();); my($a\,$b\,$c) } } }; like( $@\, qr/error/\, 'lexical block discarded by yacc' ); + +# bug #18573\, used to corrupt memory +eval q{ "\c" }; +like( $@\, qr/^Missing control char name in \\c/\, q("\c" string) );
==== //depot/perl/toke.c#452 (text) ====
@@ -1611\,7 +1611\,7 @@ /* \c is a control character */ case 'c': s++; - { + if (s \< send) { U8 c = *s++; #ifdef EBCDIC if (isLOWER(c)) @@ -1619\,6 +1619\,9 @@ #endif *d++ = NATIVE_TO_NEED(has_utf8\,toCTRL(c)); } + else { + yyerror("Missing control char name in \\c"); + } continue;
/* printf-style backslashes\, formfeeds\, newlines\, etc */
@rgs - Status changed from 'new' to 'resolved'
Migrated from rt.perl.org#18573 (status was 'resolved')
Searchable as RT18573$