forwarded 596105 http://rt.perl.org/rt3/Ticket/Display.html?id=78674
tag 596105 patch
thanks

On Sun, Oct 24, 2010 at 10:11:32AM +0300, Niko Tyni wrote:
> On Fri, Oct 22, 2010 at 02:29:36PM -0300, David Bremner wrote:

> > I'm reassigning this to perl because perl script in question does not
> > use any external modules (other than 'encoding').
> 
> Thanks. I can reproduce the crash. It's a bit of a heisenbug as changing
> just about anything makes it go away. It's still present in upstream
> development branch, as of 5.13.6 or so.

The same bug can be triggered with

 % perl -Mencoding=utf8 -e 'map { "a" . $a } ((1)x500);'
 Attempt to free non-existent shared string 'original', Perl interpreter: 0x80f010 during global destruction.
 zsh: segmentation fault (core dumped)  perl -Mencoding=utf8 -e 'map { "a" . $a } ((1)x500);'

I've reported this upstream with the attached proposed patch. See the upstream
report for more details.

It should be easy to backport the patch to 5.10.1. Will try to get that
in squeeze.
-- 
Niko Tyni   nt...@debian.org
From 286215bec6f59ddd4f27fc5c21c76e3d762ed771 Mon Sep 17 00:00:00 2001
From: Niko Tyni <nt...@debian.org>
Date: Thu, 28 Oct 2010 23:52:17 +0300
Subject: [PATCH] Fix stack pointer corruption in pp_concat() with 'use encoding'

sv_utf8_upgrade_nomg() may reallocate the stack via sv_recode_to_utf8()
if 'use encoding' is in effect, causing stack pointer corruption.
---
 pp_hot.c |    3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/pp_hot.c b/pp_hot.c
index fd270e9..f4d79dc 100644
--- a/pp_hot.c
+++ b/pp_hot.c
@@ -275,6 +275,8 @@ PP(pp_concat)
 	rbyte = !DO_UTF8(right);
     }
     if (lbyte != rbyte) {
+	/* sv_utf8_upgrade_nomg() may reallocate the stack */
+	PUTBACK;
 	if (lbyte)
 	    sv_utf8_upgrade_nomg(TARG);
 	else {
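Review bot: the comment on the new PUTBACK line states the effect but not the condition under which it matters; the commit message says the stack is reallocated through sv_recode_to_utf8() only when 'use encoding' is in effect, so consider carrying that into the comment, e.g. `/* sv_utf8_upgrade_nomg() may call back into Perl via sv_recode_to_utf8() under 'use encoding' and reallocate the stack */`, so that a later reader does not drop the PUTBACK as redundant in the plain byte/UTF-8 case. Placing it before the `if (lbyte)` is right, since either branch calls sv_utf8_upgrade_nomg() and either can trigger the recode.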
@@ -283,6 +285,7 @@ PP(pp_concat)
 	    sv_utf8_upgrade_nomg(right);
 	    rpv = SvPV_nomg_const(right, rlen);
 	}
+	SPAGAIN;
     }
     sv_catpvn_nomg(TARG, rpv, rlen);
 
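Review bot: the SPAGAIN closing the `if (lbyte != rbyte)` block pairs correctly with the PUTBACK added at its start, and refreshing SP is sufficient here because only the stack array moves on reallocation; of the values used after the upgrade in the visible lines, TARG and `right` are SV pointers, and `rpv`/`rlen` are re-read from `right` after the call. The patch carries no regression test, though; the one-liner from the report, `perl -Mencoding=utf8 -e 'map { "a" . $a } ((1)x500);'`, would make a good test under t/ so the PUTBACK/SPAGAIN pair is not silently lost in a later refactor of pp_concat().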
-- 
1.7.2.3
